analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

encoder.vexe

Full analysis: https://app.any.run/tasks/d9824742-a190-4522-838f-a51d8780e635
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: June 27, 2022, 07:14:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

71A5D92FE8B73CBFDFCF96CCA16B8BD7

SHA1:

A57F061E87FA0CCE016A2DA2B6D78353DBDF1102

SHA256:

C0C9C12FFCDAAB8C3916F8430BFE47C6E065C3C8F0E69C89F2483EF70F038248

SSDEEP:

6144:UWU1yCKKAkLm15ML5ewDHjsyC+i1JmJdWaR9LhcDFSHBrB:UWcdKKAkiqEwDDsyCFbgrHBr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • encoder.vexe.exe (PID: 2012)

    • Changes the autorun value in the registry

      • encoder.vexe.exe (PID: 2012)

    • Deletes shadow copies

      • encoder.vexe.exe (PID: 2992)
      • encoder.vexe.exe (PID: 2012)

    • Starts BCDEDIT.EXE to disable recovery

      • encoder.vexe.exe (PID: 2012)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 3752)

    • Drops executable file immediately after starts

      • encoder.vexe.exe (PID: 2012)

    • Renames files like Ransomware

      • encoder.vexe.exe (PID: 2012)

  • SUSPICIOUS

    • Checks supported languages

      • encoder.vexe.exe (PID: 2012)
      • encoder.vexe.exe (PID: 2992)
      • wmic.exe (PID: 976)
      • powershell.exe (PID: 2952)
      • cmd.exe (PID: 3336)

    • Reads the computer name

      • encoder.vexe.exe (PID: 2012)
      • encoder.vexe.exe (PID: 2992)
      • wmic.exe (PID: 976)
      • powershell.exe (PID: 2952)

    • Application launched itself

      • encoder.vexe.exe (PID: 2992)

    • Executed as Windows Service

      • vssvc.exe (PID: 3940)
      • wbengine.exe (PID: 3752)
      • vds.exe (PID: 3880)

    • Starts SC.EXE for service management

      • encoder.vexe.exe (PID: 2012)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 3468)
      • wbadmin.exe (PID: 2848)

    • Executed via COM

      • vdsldr.exe (PID: 848)

    • Uses ICACLS.EXE to modify access control list

      • encoder.vexe.exe (PID: 2012)

    • Executes PowerShell scripts

      • encoder.vexe.exe (PID: 2012)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • encoder.vexe.exe (PID: 2012)

    • Drops a file with a compile date too recent

      • encoder.vexe.exe (PID: 2012)

    • Starts CMD.EXE for commands execution

      • encoder.vexe.exe (PID: 2012)

    • Starts CMD.EXE for self-deleting

      • encoder.vexe.exe (PID: 2012)

    • Creates files like Ransomware instruction

      • encoder.vexe.exe (PID: 2012)

    • Creates files in the program directory

      • encoder.vexe.exe (PID: 2012)

  • INFO

    • Checks supported languages

      • vssadmin.exe (PID: 3524)
      • vssadmin.exe (PID: 1236)
      • net1.exe (PID: 1156)
      • sc.exe (PID: 3036)
      • net.exe (PID: 2384)
      • vssvc.exe (PID: 3940)
      • vssadmin.exe (PID: 3016)
      • vssadmin.exe (PID: 124)
      • vssadmin.exe (PID: 3624)
      • vssadmin.exe (PID: 2676)
      • vssadmin.exe (PID: 3872)
      • vssadmin.exe (PID: 4036)
      • vssadmin.exe (PID: 2960)
      • vssadmin.exe (PID: 2068)
      • vssadmin.exe (PID: 576)
      • vssadmin.exe (PID: 2536)
      • vssadmin.exe (PID: 1592)
      • vssadmin.exe (PID: 2516)
      • vssadmin.exe (PID: 2780)
      • vdsldr.exe (PID: 848)
      • bcdedit.exe (PID: 2976)
      • bcdedit.exe (PID: 3024)
      • wbadmin.exe (PID: 3468)
      • wbengine.exe (PID: 3752)
      • vds.exe (PID: 3880)
      • wbadmin.exe (PID: 2848)
      • wbadmin.exe (PID: 764)
      • icacls.exe (PID: 1192)
      • timeout.exe (PID: 3700)

    • Reads the computer name

      • vssadmin.exe (PID: 3524)
      • vssvc.exe (PID: 3940)
      • vssadmin.exe (PID: 1236)
      • sc.exe (PID: 3036)
      • vssadmin.exe (PID: 124)
      • vssadmin.exe (PID: 4036)
      • vssadmin.exe (PID: 3624)
      • vssadmin.exe (PID: 2676)
      • vssadmin.exe (PID: 3016)
      • vssadmin.exe (PID: 2960)
      • vssadmin.exe (PID: 2068)
      • vssadmin.exe (PID: 3872)
      • vssadmin.exe (PID: 576)
      • vssadmin.exe (PID: 1592)
      • vssadmin.exe (PID: 2780)
      • vssadmin.exe (PID: 2516)
      • vssadmin.exe (PID: 2536)
      • wbengine.exe (PID: 3752)
      • wbadmin.exe (PID: 3468)
      • vds.exe (PID: 3880)
      • vdsldr.exe (PID: 848)
      • wbadmin.exe (PID: 764)
      • wbadmin.exe (PID: 2848)
      • icacls.exe (PID: 1192)

    • Checks Windows Trust Settings

      • powershell.exe (PID: 2952)

    • Dropped object may contain Bitcoin addresses

      • encoder.vexe.exe (PID: 2012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:06:03 22:12:04+02:00
PEType: PE32
LinkerVersion: 14.28
CodeSize: 498176
InitializedDataSize: 192000
UninitializedDataSize: -
EntryPoint: 0xaa001
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Jun-2022 20:12:04

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 03-Jun-2022 20:12:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0007A000
0x00036200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99871
.rdata
0x0007B000
0x0001C000
0x0000AA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99014
.data
0x00097000
0x0000D000
0x00001A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.88828
.reloc
0x000A4000
0x00006000
0x00003E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.9729
.aspack
0x000AA000
0x00002000
0x00001400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.72175
.adata
0x000AC000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Imports

advapi32.dll
kernel32.dll
mpr.dll
ole32.dll
oleaut32.dll
rstrtmgr.dll
shell32.dll
shlwapi.dll
wininet.dll
ws2_32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
99
Monitored processes
34
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start encoder.vexe.exe no specs vssadmin.exe no specs encoder.vexe.exe vssadmin.exe no specs net.exe no specs net1.exe no specs vssvc.exe no specs sc.exe no specs wmic.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs icacls.exe no specs wbadmin.exe no specs wbadmin.exe no specs powershell.exe no specs cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2992"C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe" C:\Users\admin\AppData\Local\Temp\encoder.vexe.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3524vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2012"C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe" C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe
encoder.vexe.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1236vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2384net stop VSS & sc config VSS start= disabledC:\Windows\system32\net.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1156C:\Windows\system32\net1 stop VSS & sc config VSS start= disabledC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3940C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3036sc config VSS start= Demand & net start VSSC:\Windows\system32\sc.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1639
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
976wmic.exe SHADOWCOPY delete /nointeractiveC:\Windows\System32\Wbem\wmic.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
2147749890
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
124vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeencoder.vexe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
20 152
Read events
20 130
Write events
22
Delete events
0

Modification events

(PID) Process:(2992) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2992) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2992) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2992) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2012) encoder.vexe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLinkedConnections
Value:
1
(PID) Process:(2012) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MSFEEditor
Value:
"C:\Users\admin\AppData\Local\Temp\encoder.vexe.exe" e
(PID) Process:(2976) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009
Operation:writeName:Element
Value:
00
(PID) Process:(3024) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\250000e0
Operation:writeName:Element
Value:
0100000000000000
(PID) Process:(2012) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
Operation:writeName:MaxCapacity
Value:
9
(PID) Process:(2012) encoder.vexe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
Operation:writeName:NukeOnDelete
Value:
0
Executable files
0
Suspicious files
2 647
Text files
9
Unknown types
76

Dropped files

PID
Process
Filename
Type
2012encoder.vexe.exe\\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\Boot\BCD.LOG2text
MD5:6645BBC23043CC343F3A49EB6CE3565B
SHA256:B041D745B2D69288030E52CF989CE1CBE2B3D15A72BD65B59F000E8DF7D78151
2012encoder.vexe.exeC:\autoexec.batbinary
MD5:6F511E99A21FC901EA359C06A42B50C0
SHA256:D5B2A45541AB1C61A1F6757B69B38D5F6838F4857692DC000820C055016F1604
2012encoder.vexe.exeC:\autoexec.bat.[b0304ffb16].[BillyHerrington].Gachimuchibinary
MD5:6F511E99A21FC901EA359C06A42B50C0
SHA256:D5B2A45541AB1C61A1F6757B69B38D5F6838F4857692DC000820C055016F1604
2012encoder.vexe.exe\\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\Boot\da-DK\#HOW_TO_DECRYPT#.txtbinary
MD5:04114B8F1A4E38FDFBD9728BDB64A633
SHA256:1C984186DC4394E77A164717557246BA94FAE62059E9E770DEDC7FE56C66F2DC
2012encoder.vexe.exe\\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\Boot\BCD.LOG1binary
MD5:8CF157CB54300307CDB4493FD20E0F0D
SHA256:DEBB928E2BD3AF105A9C022CD17582C00BDA44E095C40441C25E4CCA3BFF7683
2848wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.1.etletl
MD5:26D32DB87288C164B35F2FF2D6FFA930
SHA256:AC0F439EB5DEC449EA3A64B4A406D81D3A37534A84017C3EA8E570C410A7B67F
2848wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.0.etletl
MD5:26D32DB87288C164B35F2FF2D6FFA930
SHA256:AC0F439EB5DEC449EA3A64B4A406D81D3A37534A84017C3EA8E570C410A7B67F
764wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.0.etletl
MD5:6D9D0C86CF10E2F56DFDB17664D87F58
SHA256:65096DE8C60E42F11DE122E8D76E772BEACAF69A2AF7225B7FB842F9CD86B406
764wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.1.etletl
MD5:131B7EDCFCC834AAC3689B7D7548A836
SHA256:DFF1D281399081AAA5276CAE6BED508FDA9B19E2B302162772169D007E0D75FB
2848wbadmin.exeC:\Windows\Logs\WindowsBackup\Wbadmin.2.etletl
MD5:131B7EDCFCC834AAC3689B7D7548A836
SHA256:DFF1D281399081AAA5276CAE6BED508FDA9B19E2B302162772169D007E0D75FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
encoder.vexe