analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

encoder.vexe

Full analysis: https://app.any.run/tasks/ba6d8b2b-b16a-4a4e-b6e1-1e7399bac245
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 27, 2022, 08:53:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

71A5D92FE8B73CBFDFCF96CCA16B8BD7

SHA1:

A57F061E87FA0CCE016A2DA2B6D78353DBDF1102

SHA256:

C0C9C12FFCDAAB8C3916F8430BFE47C6E065C3C8F0E69C89F2483EF70F038248

SSDEEP:

6144:UWU1yCKKAkLm15ML5ewDHjsyC+i1JmJdWaR9LhcDFSHBrB:UWcdKKAkiqEwDDsyCFbgrHBr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • encoder.vexe.exe (PID: 3160)
      • encoder.vexe.exe (PID: 3408)
    • Changes the autorun value in the registry

      • encoder.vexe.exe (PID: 3408)
    • Starts NET.EXE for service management

      • encoder.vexe.exe (PID: 3408)
    • Starts BCDEDIT.EXE to disable recovery

      • encoder.vexe.exe (PID: 3408)
    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 1432)
    • Drops executable file immediately after starts

      • encoder.vexe.exe (PID: 3408)
    • Renames files like Ransomware

      • encoder.vexe.exe (PID: 3408)
  • SUSPICIOUS

    • Checks supported languages

      • encoder.vexe.exe (PID: 3160)
      • encoder.vexe.exe (PID: 3408)
      • wmic.exe (PID: 3424)
      • powershell.exe (PID: 1296)
    • Reads the computer name

      • encoder.vexe.exe (PID: 3160)
      • encoder.vexe.exe (PID: 3408)
      • wmic.exe (PID: 3424)
      • powershell.exe (PID: 1296)
    • Application launched itself

      • encoder.vexe.exe (PID: 3160)
    • Executed as Windows Service

      • vssvc.exe (PID: 2764)
      • wbengine.exe (PID: 1432)
      • vds.exe (PID: 2208)
    • Starts SC.EXE for service management

      • encoder.vexe.exe (PID: 3408)
    • Creates files in the Windows directory

      • wbadmin.exe (PID: 2908)
      • wbadmin.exe (PID: 2948)
    • Executed via COM

      • vdsldr.exe (PID: 2916)
    • Uses ICACLS.EXE to modify access control list

      • encoder.vexe.exe (PID: 3408)
    • Executes PowerShell scripts

      • encoder.vexe.exe (PID: 3408)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • encoder.vexe.exe (PID: 3408)
    • Drops a file with a compile date too recent

      • encoder.vexe.exe (PID: 3408)
    • Creates files like Ransomware instruction

      • encoder.vexe.exe (PID: 3408)
    • Executable content was dropped or overwritten

      • encoder.vexe.exe (PID: 3408)
    • Creates files in the program directory

      • encoder.vexe.exe (PID: 3408)
  • INFO

    • Checks supported languages

      • vssadmin.exe (PID: 3332)
      • net.exe (PID: 1328)
      • vssadmin.exe (PID: 2540)
      • net1.exe (PID: 1844)
      • vssvc.exe (PID: 2764)
      • vssadmin.exe (PID: 3448)
      • vssadmin.exe (PID: 2524)
      • sc.exe (PID: 3104)
      • vssadmin.exe (PID: 3236)
      • vssadmin.exe (PID: 2688)
      • vssadmin.exe (PID: 1672)
      • vssadmin.exe (PID: 3524)
      • vssadmin.exe (PID: 2552)
      • vssadmin.exe (PID: 2116)
      • vssadmin.exe (PID: 2480)
      • vssadmin.exe (PID: 336)
      • vssadmin.exe (PID: 3716)
      • vssadmin.exe (PID: 3004)
      • bcdedit.exe (PID: 2876)
      • vssadmin.exe (PID: 2988)
      • wbadmin.exe (PID: 2908)
      • bcdedit.exe (PID: 3372)
      • wbengine.exe (PID: 1432)
      • vds.exe (PID: 2208)
      • vdsldr.exe (PID: 2916)
      • icacls.exe (PID: 2672)
      • wbadmin.exe (PID: 2180)
      • wbadmin.exe (PID: 2948)
      • NOTEPAD.EXE (PID: 2228)
    • Reads the computer name

      • vssadmin.exe (PID: 3332)
      • vssadmin.exe (PID: 2540)
      • vssvc.exe (PID: 2764)
      • sc.exe (PID: 3104)
      • vssadmin.exe (PID: 3448)
      • vssadmin.exe (PID: 2524)
      • vssadmin.exe (PID: 1672)
      • vssadmin.exe (PID: 2688)
      • vssadmin.exe (PID: 3524)
      • vssadmin.exe (PID: 3236)
      • vssadmin.exe (PID: 2552)
      • vssadmin.exe (PID: 3716)
      • vssadmin.exe (PID: 336)
      • vssadmin.exe (PID: 2480)
      • vssadmin.exe (PID: 2116)
      • vssadmin.exe (PID: 3004)
      • vssadmin.exe (PID: 2988)
      • wbadmin.exe (PID: 2908)
      • vdsldr.exe (PID: 2916)
      • wbengine.exe (PID: 1432)
      • vds.exe (PID: 2208)
      • icacls.exe (PID: 2672)
      • wbadmin.exe (PID: 2948)
      • wbadmin.exe (PID: 2180)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 1296)
    • Dropped object may contain Bitcoin addresses

      • encoder.vexe.exe (PID: 3408)
    • Manual execution by user

      • NOTEPAD.EXE (PID: 2228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0xaa001
UninitializedDataSize: -
InitializedDataSize: 192000
CodeSize: 498176
LinkerVersion: 14.28
PEType: PE32
TimeStamp: 2022:06:03 22:12:04+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Jun-2022 20:12:04

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 03-Jun-2022 20:12:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0007A000
0x00036200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99871
.rdata
0x0007B000
0x0001C000
0x0000AA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99014
.data
0x00097000
0x0000D000
0x00001A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.88828
.reloc
0x000A4000
0x00006000
0x00003E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.9729
.aspack
0x000AA000
0x00002000
0x00001400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.72175
.adata
0x000AC000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Imports

advapi32.dll
kernel32.dll
mpr.dll
ole32.dll
oleaut32.dll
rstrtmgr.dll
shell32.dll
shlwapi.dll
wininet.dll
ws2_32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
96
Monitored processes
33
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start encoder.vexe.exe no specs vssadmin.exe no specs encoder.vexe.exe vssadmin.exe no specs net.exe no specs net1.exe no specs vssvc.exe no specs sc.exe no specs wmic.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs icacls.exe no specs wbadmin.exe no specs wbadmin.exe no specs powershell.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3160"C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe" C:\Users\admin\AppData\Local\Temp\encoder.vexe.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225547
3332vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3408"C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe" C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe
encoder.vexe.exe
User:
admin
Integrity Level:
HIGH
2540vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1328net stop VSS & sc config VSS start= disabledC:\Windows\system32\net.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1844C:\Windows\system32\net1 stop VSS & sc config VSS start= disabledC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2764C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3104sc config VSS start= Demand & net start VSSC:\Windows\system32\sc.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1639
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3424wmic.exe SHADOWCOPY delete /nointeractiveC:\Windows\System32\Wbem\wmic.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
2147749890
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3448vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
18 944
Read events
18 930
Write events
14
Delete events
0

Modification events

(PID) Process:(3160) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3160) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3160) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3160) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3408) encoder.vexe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLinkedConnections
Value:
1
(PID) Process:(3408) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MSFEEditor
Value:
"C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe" e
(PID) Process:(2876) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009
Operation:writeName:Element
Value:
00
(PID) Process:(3372) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\250000e0
Operation:writeName:Element
Value:
0100000000000000
(PID) Process:(3408) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
Operation:writeName:MaxCapacity
Value:
9
(PID) Process:(3408) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
Operation:writeName:NukeOnDelete
Value:
0
Executable files
2
Suspicious files
2 402
Text files
11
Unknown types
88

Dropped files

PID
Process
Filename
Type
2948wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.1.etletl
MD5:41E6D2795E3181F5A81327FD58FA7265
SHA256:B94E57F4097985B22C083124CBABC6E0CF12CD477AC740CE0A420DCBA31DD208
2948wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.0.etletl
MD5:41E6D2795E3181F5A81327FD58FA7265
SHA256:B94E57F4097985B22C083124CBABC6E0CF12CD477AC740CE0A420DCBA31DD208
3408encoder.vexe.exeC:\autoexec.bat.[b028f62193].[BillyHerrington].Gachimuchibinary
MD5:3FD1A435C19849440FEE07B7D903EF05
SHA256:5E4F8AB2BA24415D3B8AD09F63725D73A46888E62986233C68B9D4DDC346367A
2180wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.0.etletl
MD5:229BB64F8A4AD57C3C17DBFE26A69D7C
SHA256:C156F38E30ACCA629D8362F22D7B79E185D5BB3CD4D0BD9F54CE9C664026C9FA
3408encoder.vexe.exe\\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\$RECYCLE.BIN\#HOW_TO_DECRYPT#.txtbinary
MD5:4D70EA8FB0BDB6CBFA99E4B8010D8CCB
SHA256:018B2991F423E81C3A0D8627CA0C659CDA779D7BC8FF8C75870D3F674ECD4528
2948wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.2.etletl
MD5:C862313D66A5187922AB1C0795102F9D
SHA256:B51F5E9EF98E7AB36346FC8CD76E2279658441609511B32A3F1502C5C1FD21E6
3408encoder.vexe.exe\\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\Boot\BCD.LOG1text
MD5:656C39C3CCD92942D0F46E63D27220E6
SHA256:715D9B48FDF9426516D4E8DBE1A10C78A2C638AF7D6871683D9D67BAED5D9EF3
3408encoder.vexe.exe\\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\Boot\cs-CZ\#HOW_TO_DECRYPT#.txtbinary
MD5:4D70EA8FB0BDB6CBFA99E4B8010D8CCB
SHA256:018B2991F423E81C3A0D8627CA0C659CDA779D7BC8FF8C75870D3F674ECD4528
3408encoder.vexe.exeC:\Users\admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txtbinary
MD5:4D70EA8FB0BDB6CBFA99E4B8010D8CCB
SHA256:018B2991F423E81C3A0D8627CA0C659CDA779D7BC8FF8C75870D3F674ECD4528
3408encoder.vexe.exe\\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\Boot\BCD.LOG2text
MD5:C9D29CEB8169EB03E384C008687E792A
SHA256:849E58490E8969459893B9EB9B1BC5A2FAA52C3E66567A1063AFD21B764FBDEA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info