File name: Rensomware v.1.0 By Fransesco Ctraik 2018.rar

Full analysis: https://app.any.run/tasks/2745d8be-1ada-4d04-a87b-c3484a57d5d5
Verdict: Malicious activity
Analysis date: October 23, 2023, 14:45:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 9A865EDBA930714314228BC46CC54B4B
SHA1: C7514BE873AA4EFE13B5B07E0F9AF5326DE0C9EC
SHA256: BF5553A1414376D8EE70582350E2A4FFBB20C208B895F1B9009A6D3183B7565F
SSDEEP: 6144:YdivdSBDt8rrBJxszUdb7n/ty/UPysYKDpeqVE2uuytikxKIr/A18zyrPMRNhEAF:Y+SBh8rrBJxWI7Vy/VBwuuiiaZDwTMR7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2288)
      • helo.exe (PID: 4088)
      • Stubs.exe (PID: 2332)
      • Stub.exe (PID: 1016)
      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2148)
      • hello.exe (PID: 2040)
    • Drops the executable file immediately after the start

      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2288)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2288)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2752)
    • Checks supported languages

      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2288)
      • helo.exe (PID: 4088)
      • Stubs.exe (PID: 2332)
      • Stub.exe (PID: 1016)
      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2148)
      • hello.exe (PID: 2040)
    • Reads the computer name

      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2288)
      • helo.exe (PID: 4088)
      • hello.exe (PID: 2040)
      • Stubs.exe (PID: 2332)
      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2148)
      • Stub.exe (PID: 1016)
    • Reads the machine GUID from the registry

      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2288)
      • helo.exe (PID: 4088)
      • hello.exe (PID: 2040)
      • Stubs.exe (PID: 2332)
      • Stub.exe (PID: 1016)
      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2148)
    • Manual execution by a user

      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2288)
      • helo.exe (PID: 4088)
      • Stubs.exe (PID: 2332)
      • Stub.exe (PID: 1016)
      • Rensomware v.1.0 By Fransesco Ctraik 2018.exe (PID: 2148)
      • hello.exe (PID: 2040)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: Rensomware v.1.0 By Fransesco Ctraik 2018\Rensomware v.1.0 By Fransesco Ctraik 2018.exe
PackingMethod: Normal
ModifyDate: 2018:06:15 04:52:48
OperatingSystem: Win32
UncompressedSize: 291840
CompressedSize: 244109
No data.
Total processes: 56
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, rensomware v.1.0 by fransesco ctraik 2018.exe, helo.exe, rensomware v.1.0 by fransesco ctraik 2018.exe, hello.exe, stubs.exe, stub.exe

Process information

PID: 1016
CMD: "C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stub.exe"
Path: C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stub.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: (none)
Exit code: 0
Version: 0.0.0.0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\users\admin\desktop\rensomware v.1.0 by fransesco ctraik 2018\stub\stub.exe
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2040
CMD: "C:\Users\admin\Desktop\hello.exe"
Path: C:\Users\admin\Desktop\hello.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: (none)
Exit code: 0
Version: 0.0.0.0
Modules (images):
  c:\users\admin\desktop\hello.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll

PID: 2148
CMD: "C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Rensomware v.1.0 By Fransesco Ctraik 2018.exe"
Path: C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Rensomware v.1.0 By Fransesco Ctraik 2018.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: WindowsApplication1
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mscoree.dll
  c:\users\admin\desktop\rensomware v.1.0 by fransesco ctraik 2018\rensomware v.1.0 by fransesco ctraik 2018.exe
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll

PID: 2288
CMD: "C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Rensomware v.1.0 By Fransesco Ctraik 2018.exe"
Path: C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Rensomware v.1.0 By Fransesco Ctraik 2018.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: WindowsApplication1
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\rensomware v.1.0 by fransesco ctraik 2018\rensomware v.1.0 by fransesco ctraik 2018.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2332
CMD: "C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stubs.exe"
Path: C:\Users\admin\Desktop\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stubs.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: HIGH
Description: Stubs
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\desktop\rensomware v.1.0 by fransesco ctraik 2018\stub\stubs.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2752
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rensomware v.1.0 By Fransesco Ctraik 2018.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\comdlg32.dll
  c:\windows\system32\msvcrt.dll

PID: 4088
CMD: "C:\Users\admin\Desktop\helo.exe"
Path: C:\Users\admin\Desktop\helo.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: (none)
Exit code: 0
Version: 0.0.0.0
Modules (images):
  c:\users\admin\desktop\helo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 6 123
Read events: 6 041
Write events: 74
Delete events: 8

Modification events

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (2288) Rensomware v.1.0 By Fransesco Ctraik 2018.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

Executable files: 6
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 2752  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2752.32158\Rensomware v.1.0 By Fransesco Ctraik 2018\Rensomware v.1.0 By Fransesco Ctraik 2018.exe
Type: executable
MD5: 9945964D8ABE3EA8F234C80E0CCD0F1C
SHA256: 7260A02381BD6C2F72EEE6BF9B339262C00B99F868D6706407FBED9AA98AF888

PID: 2752  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2752.32158\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stub.exe
Type: executable
MD5: DF027453FE84A302ACAB58BF7420A7AE
SHA256: DE75279BF377515E33AFED8451B47A47BE95E33A7BD9A4160129ED6ED0B3310D

PID: 2288  Process: Rensomware v.1.0 By Fransesco Ctraik 2018.exe
Filename: C:\Users\admin\Desktop\helo.exe
Type: executable
MD5: 8366E640D95C0BC040CBBC582112E721
SHA256: 919421AB698AA55E1EE6C7F8CB03818EC6D0F643CDC3EBC1F5A2BBE1E39A6A02

PID: 2752  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2752.32158\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stubs.exe
Type: executable
MD5: EC57B5C01CAFDFE3FF788EA3FF92D9BF
SHA256: 7C97C6127A4B809BF2A208CE3B836E00C363628BA56745AB7FC1902F1CB975A2

PID: 2752  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2752.31746\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stub.exe
Type: image
MD5: 6C5D129928D736F1B66B72DC24491AD4
SHA256: D120F4D3371C181627A50DC24F4F3A528B72D4EF7E69E7D37B8DDC119BAADACF

PID: 2752  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2752.31746\Rensomware v.1.0 By Fransesco Ctraik 2018\Stub\Stubs.exe
Type: image
MD5: 403B9D03E6ADEDEB5AE98639553E3F43
SHA256: F6E85E4159AF1811651369026617EB9ED7F6F34ECD4A50F95181925EBA5D8C03

PID: 2752  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2752.31746\Rensomware v.1.0 By Fransesco Ctraik 2018\Rensomware v.1.0 By Fransesco Ctraik 2018.exe
Type: executable
MD5: 9945964D8ABE3EA8F234C80E0CCD0F1C
SHA256: 7260A02381BD6C2F72EEE6BF9B339262C00B99F868D6706407FBED9AA98AF888

PID: 2288  Process: Rensomware v.1.0 By Fransesco Ctraik 2018.exe
Filename: C:\Users\admin\Desktop\hello.exe
Type: executable
MD5: 9C98E7C1F5700E65C5814C5D7BAEC084
SHA256: 6C17F2182BF210BAEE1B691DDCC36F3AD68109459311529B439169F2A72A2259

HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | unknown
2656 | svchost.exe | 239.255.255.250:1900 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info