File name: Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.7z

Full analysis: https://app.any.run/tasks/803e203f-c9a2-4a03-8829-92811ec600fa
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 02, 2025, 21:20:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arch-exec
locky
ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 4CE1E44332F6DA5FC404C85690F97707
SHA1: F3D18E745C657DD8301A66636A087280F253867A
SHA256: BECDAA609F9BF8A6A6FD615C73108793ADF40F8D7AFA439023F551EE290E5C40
SSDEEP: 6144:lhj5ZpApvFlQw9heidmv0WVAgTytzzMXn1PYaxq+arqRy:lx5oFCGgidmcwAptcFgiOqk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 2060)
    • LOCKY mutex has been found

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 3748)
    • Connects to the CnC server

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
    • LOCKY has been detected (SURICATA)

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 3748)
    • Reads the Internet Settings

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 3748)
    • Contacting a server suspected of hosting an CnC

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
    • Connects to the server without a host name

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
    • Application launched itself

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2060)
    • Manual execution by a user

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
    • Checks supported languages

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 3748)
    • Reads the computer name

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 3748)
    • Checks proxy server information

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 3748)
    • Reads the machine GUID from the registry

      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 1400)
      • Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe (PID: 3748)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2017:08:27 09:30:50+00:00
ArchivedFileName: Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
No data.
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

start
winrar.exe
trojan-ransom.win32.locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe #LOCKY
trojan-ransom.win32.locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe #LOCKY

Process information

PID: 1400
CMD: "C:\Users\admin\Desktop\Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe"
Path: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules (Images):
c:\users\admin\desktop\trojan-ransom.win32.locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\shell32.dll

PID: 2060
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3748
CMD: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
Path: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
Parent process: Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\users\admin\desktop\trojan-ransom.win32.locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\shell32.dll
Total events
3 534
Read events
3 493
Write events
33
Delete events
8

Modification events

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.7z

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2060) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID: 2060
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2060.16505\Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
Type: executable
MD5: FBE9106026AF42CD24AB970ED718A579
SHA256: 003765D31EFF774E7D22654FBC3A52E7DC362B50706D7D773BC6F9518DF77D5F
HTTP(S) requests
2
TCP/UDP connections
17
DNS requests
2
Threats
6

HTTP requests

PID: 1400
Process: Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
Method: POST
HTTP Code: 404
IP: 192.162.103.213:80
URL: http://192.162.103.213/imageload.cgi
CN: unknown
Reputation: malicious

PID: 1400
Process: Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe
Method: POST
HTTP Code: 404
IP: 192.162.103.213:80
URL: http://192.162.103.213/imageload.cgi
CN: unknown
Reputation: malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | 109.237.111.179:80 | | Adman LLC | RU | unknown
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | 185.17.120.130:80 | | Leaseweb Deutschland GmbH | DE | unknown
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | 185.75.46.220:80 | | QuickSoft LLC | RU | unknown
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | 78.108.93.185:80 | | Hosting Ltd | RU | unknown
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | 192.162.103.213:80 | | NTX Technologies s.r.o. | RU | malicious
3748 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | 185.75.46.220:80 | | QuickSoft LLC | RU | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.46 | whitelisted
dns.msftncsi.com | 131.107.255.255 | whitelisted

Threats

PID | Process | Class | Message
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | Malware Command and Control Activity Detected | ET MALWARE Locky CnC Checkin HTTP Pattern
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | Malware Command and Control Activity Detected | ET MALWARE Locky CnC checkin Nov 21
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | Malware Command and Control Activity Detected | ET MALWARE Locky CnC checkin Nov 21 M2
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | Malware Command and Control Activity Detected | ET MALWARE Locky CnC Checkin HTTP Pattern
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | Malware Command and Control Activity Detected | ET MALWARE Locky CnC checkin Nov 21
1400 | Trojan-Ransom.Win32.Locky.dmq-003765d31eff774e7d22654fbc3a52e7dc362b50706d7d773bc6f9518df77d5f.exe | Malware Command and Control Activity Detected | ET MALWARE Locky CnC checkin Nov 21 M2
No debug info