File name: 6561056999243776.zip
Full analysis: https://app.any.run/tasks/7df4ccd0-10cd-4495-baa3-988d1e812f22
Verdict: Malicious activity
Threats: Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 24, 2022, 16:22:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, ransomware, stop
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B6EEEDB52C8B64799C50CDBD39C79C2F
SHA1: C21F6A1A65375D27B74415B286D2F88F63411FC2
SHA256: C0217DB96F90E98F6A9522FB5CE578C3B6EBD0EB6B2C80A3B89CFD3AC2B37051
SSDEEP: 12288:tGg6VhQO0sag3UIKEsZbwBomYoVbgM/sDc5TZmlxC+bsKX4RobFbkX3UQImngVv:8Thx0sag3knKO+zU6TUG8XJJ0kbmgVv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • ran.exe (PID: 2288)
      • ran.exe (PID: 1096)
      • ran.exe (PID: 3912)
      • ran.exe (PID: 1852)
    • Changes settings of System certificates
      • ran.exe (PID: 1096)
    • Changes the autorun value in the registry
      • ran.exe (PID: 1096)
    • Loads the Task Scheduler COM API
      • ran.exe (PID: 1096)
      • ran.exe (PID: 1852)
    • STOP was detected
      • ran.exe (PID: 1852)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 1988)
      • ran.exe (PID: 1096)
      • ran.exe (PID: 1852)
    • Checks supported languages
      • WinRAR.exe (PID: 1988)
      • ran.exe (PID: 2288)
      • ran.exe (PID: 1096)
      • ran.exe (PID: 3912)
      • ran.exe (PID: 1852)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 1988)
      • ran.exe (PID: 1096)
    • Application launched itself
      • ran.exe (PID: 2288)
      • ran.exe (PID: 1096)
      • ran.exe (PID: 3912)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1988)
      • ran.exe (PID: 1096)
    • Adds / modifies Windows certificates
      • ran.exe (PID: 1096)
    • Uses ICACLS.EXE to modify access control list
      • ran.exe (PID: 1096)
  • INFO
    • Manual execution by user
      • ran.exe (PID: 2288)
    • Checks Windows Trust Settings
      • ran.exe (PID: 1096)
    • Reads settings of System Certificates
      • ran.exe (PID: 1096)
    • Checks supported languages
      • icacls.exe (PID: 3212)
    • Reads the computer name
      • icacls.exe (PID: 3212)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: e002f29096d44762347df2b8875eb6683747f3604210e0c3c89bc6f50ed21ba6
ZipUncompressedSize: 861696
ZipCompressedSize: 695831
ZipCRC: 0x20bdac55
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
Total processes: 47
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive version in the full report; legend: start, drop and start)

Nodes: winrar.exe, ran.exe (no specs), ran.exe, icacls.exe (no specs), ran.exe (#STOP), ran.exe

Process information

PID | CMD | Path | Parent process
1988 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6561056999243776.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE
  User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
2288 | "C:\Users\admin\Desktop\ran.exe" | C:\Users\admin\Desktop\ran.exe | Explorer.EXE
  User: admin; Integrity Level: MEDIUM; Exit code: 0
1096 | "C:\Users\admin\Desktop\ran.exe" | C:\Users\admin\Desktop\ran.exe | ran.exe
  User: admin; Integrity Level: MEDIUM; Exit code: 0
3212 | icacls "C:\Users\admin\AppData\Local\7b14bc40-9046-4ecd-9d3b-cd04b381a2b7" /deny *S-1-1-0:(OI)(CI)(DE,DC) | C:\Windows\system32\icacls.exe | ran.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3912 | "C:\Users\admin\Desktop\ran.exe" --Admin IsNotAutoStart IsNotTask | C:\Users\admin\Desktop\ran.exe | ran.exe
  User: admin; Integrity Level: HIGH; Exit code: 0
1852 | "C:\Users\admin\Desktop\ran.exe" --Admin IsNotAutoStart IsNotTask | C:\Users\admin\Desktop\ran.exe | ran.exe
  User: admin; Integrity Level: HIGH
Total events: 6 053
Read events: 5 930
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 7
Text files: 1
Unknown types: 2

Dropped files

PID | Process | Filename | Type
1096 | ran.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 4F471471612AC4B0943E9BFD82CDD6A3; SHA256: D8083D8EB328969275DB5866B43AADAF033DFA6887FDAC8BEAE05DEAACBA84C6
1096 | ran.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary
  MD5: D2010C7615640D000639EFD9509D7292; SHA256: 17BCA84DBE5DA4B6269091CB8C69AC694B488B5281D8054DDCFB3B8D58E128AC
1852 | ran.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\get[1].htm | binary
  MD5: 856F86FA2DBB84B24F7DC5CE447859FB; SHA256: 4D8FF1AB7F22F5D740C6FC63021358E207DE1E918983DAAA773AA3EB6F40BA96
1988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1988.3531\e002f29096d44762347df2b8875eb6683747f3604210e0c3c89bc6f50ed21ba6 | executable
  MD5: 58C134EF33BE6BAFAD0C44CDD2364B42; SHA256: E002F29096D44762347DF2B8875EB6683747F3604210E0C3C89BC6F50ED21BA6
1096 | ran.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der
  MD5: 49639B4124119DFEB7616D8DD50F9BB7; SHA256: 7F935C9D0A9BD17558459D5A6387B61452011BEA4589AD94A6F2435540A373B5
1096 | ran.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der
  MD5: 3764883055DA6FFC81E4A929CA5072C1; SHA256: 7FF45E2195491FA6A2F3CECEE4B52D9E964CB6719448431B1C7B702E98076920
1096 | ran.exe | C:\Users\admin\AppData\Local\7b14bc40-9046-4ecd-9d3b-cd04b381a2b7\ran.exe | executable
  MD5: 58C134EF33BE6BAFAD0C44CDD2364B42; SHA256: E002F29096D44762347DF2B8875EB6683747F3604210E0C3C89BC6F50ED21BA6
1096 | ran.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
  MD5: 2F9A630ED1B6B462F0D5CDB20B35D094; SHA256: E9D2A16CE1C8370D9E3FECEDEC18F2BD65D34F2895A74F5542E84AB0E6A2229A
1096 | ran.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].json | binary
  MD5: AF526F0567C46243BF78621DE7EDC7C1; SHA256: 9FDB27F5C9ABDA307446A907A7806EE37BFB7D351D6ECAB0B6409EA0F9F6F2A9
1852 | ran.exe | C:\Users\admin\AppData\Local\bowsakkdestx.txt | binary
  MD5: 856F86FA2DBB84B24F7DC5CE447859FB; SHA256: 4D8FF1AB7F22F5D740C6FC63021358E207DE1E918983DAAA773AA3EB6F40BA96
HTTP(S) requests: 7
TCP/UDP connections: 14
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1852 | ran.exe | GET | - | 210.182.29.70:80 | http://tzgl.org/fhsgtsspen6/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true | KR | - | - | malicious
1852 | ran.exe | GET | 404 | 222.232.238.243:80 | http://tzgl.org/files/1/build3.exe | KR | html | 216 b | malicious
1096 | ran.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
1852 | ran.exe | GET | - | 210.182.29.70:80 | http://tzgl.org/fhsgtsspen6/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true | KR | - | - | malicious
1096 | ran.exe | GET | 200 | 104.18.31.182:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
1096 | ran.exe | GET | 200 | 2.16.106.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?215c1ccff34b1929 | unknown | compressed | 4.70 Kb | whitelisted
1852 | ran.exe | GET | 200 | 210.182.29.70:80 | http://tzgl.org/fhsgtsspen6/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true | KR | binary | 559 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1096 | ran.exe | 77.123.139.190:443 | api.2ip.ua | Volia | UA | suspicious
1852 | ran.exe | 77.123.139.190:443 | api.2ip.ua | Volia | UA | suspicious
1096 | ran.exe | 104.18.31.182:80 | ocsp.comodoca.com | Cloudflare Inc | US | unknown
1096 | ran.exe | 104.18.30.182:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious
1852 | ran.exe | 222.232.238.243:80 | tzgl.org | SK Broadband Co Ltd | KR | malicious
1096 | ran.exe | 2.16.106.178:80 | ctldl.windowsupdate.com | Akamai International B.V. | - | whitelisted
- | - | 222.232.238.243:80 | tzgl.org | SK Broadband Co Ltd | KR | malicious
1852 | ran.exe | 210.182.29.70:80 | tzgl.org | LG DACOM Corporation | KR | malicious

DNS requests

Domain | IP | Reputation
api.2ip.ua | 77.123.139.190 | shared
ctldl.windowsupdate.com | 2.16.106.178, 2.16.106.233, 2.16.106.163 | whitelisted
ocsp.comodoca.com | 104.18.30.182, 104.18.31.182 | whitelisted
ocsp.usertrust.com | 104.18.31.182, 104.18.30.182 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
kotob.top | - | malicious
tzgl.org | 222.232.238.243, 210.182.29.70, 110.14.121.125, 14.51.96.70, 37.34.176.37, 211.168.197.211, 211.171.233.126, 58.124.228.242, 109.98.58.98, 61.255.185.201 | malicious

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
- | - | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
1096 | ran.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
1852 | ran.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
1852 | ran.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request
1852 | ran.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
5 ETPRO signatures available at the full report
No debug info