File name: AnnaFiles.rar
Full analysis: https://app.any.run/tasks/3f0afb3f-ad1e-4dbe-93ca-c18f6986a109
Verdict: Malicious activity
Analysis date: March 30, 2020, 15:07:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 56821674504A524718BE28502C0204AE
SHA1: F61293224B7D50E4A112767EE25A9FAE5EC3C464
SHA256: C1253A3614B07A7E5380158CEA625597662177EC58551E884BB284CD51A6A195
SSDEEP: 24576:M2oAUeQnhJMkyDUo5n91glEtNLE3e6faWshBmn725w4384fQVB3Rhqp4DxEsRC56:M25UeQLlS591zLE3rfaDhcn725w43Pez

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AnnaRansomware.exe (PID: 1632)
      • PlaySound.exe (PID: 3612)
      • ANNA.exe (PID: 2840)
      • AnnaUnlock.exe (PID: 2408)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2580)
    • Loads dropped or rewritten executable

      • migwiz.exe (PID: 3912)
      • migwiz.exe (PID: 2636)
    • UAC/LUA settings modification

      • reg.exe (PID: 3764)
      • reg.exe (PID: 1392)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • AnnaRansomware.exe (PID: 1632)
      • ANNA.exe (PID: 2840)
      • migwiz.exe (PID: 3912)
      • ANNA.exe (PID: 332)
      • migwiz.exe (PID: 2636)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 660)
      • wusa.exe (PID: 1448)
      • wusa.exe (PID: 2452)
      • AnnaUnlock.exe (PID: 2408)
      • AnnaUnlock.exe (PID: 2580)
    • Removes files from Windows directory

      • wusa.exe (PID: 1448)
      • wusa.exe (PID: 2452)
    • Creates files in the Windows directory

      • wusa.exe (PID: 1448)
      • wusa.exe (PID: 2452)
    • Executes scripts

      • cmd.exe (PID: 852)
      • ANNA.exe (PID: 2840)
      • ANNA.exe (PID: 332)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • ANNA.exe (PID: 2840)
      • AnnaUnlock.exe (PID: 2408)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2580)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 3820)
    • Changes the desktop background image

      • ANNA.exe (PID: 2840)
      • AnnaUnlock.exe (PID: 2408)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2580)
    • Executed via COM

      • DllHost.exe (PID: 1748)
      • DllHost.exe (PID: 3976)
  • INFO

    • Manual execution by user

      • AnnaRansomware.exe (PID: 1632)
      • AnnaUnlock.exe (PID: 2408)
      • WINWORD.EXE (PID: 2768)
      • chrome.exe (PID: 404)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2580)
      • WINWORD.EXE (PID: 2780)
    • Application launched itself

      • chrome.exe (PID: 404)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2768)
      • WINWORD.EXE (PID: 2780)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2768)
      • WINWORD.EXE (PID: 2780)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 93
Monitored processes: 34
Malicious processes: 5
Suspicious processes: 6

Behavior graph

Processes shown in the graph (interactive view available in the full report): winrar.exe, annaransomware.exe, cmd.exe, playsound.exe, wscript.exe, anna.exe, wusa.exe, migwiz.exe, reg.exe, winword.exe, PhotoViewer.dll, chrome.exe, annaunlock.exe

Process information

Columns of the original table: PID, CMD, Path, Indicators, Parent process. The Indicators column is empty for every row shown.

PID 660 | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\AnnaFiles.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 1632 | Parent process: explorer.exe
  CMD: "C:\Users\admin\Desktop\AnnaRansomware.exe"
  Path: C:\Users\admin\Desktop\AnnaRansomware.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0

PID 852 | Parent process: AnnaRansomware.exe
  CMD: "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\795A.tmp\795B.tmp\795C.bat C:\Users\admin\Desktop\AnnaRansomware.exe"
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3612 | Parent process: cmd.exe
  CMD: PlaySound.exe anna.mp3
  Path: C:\Users\admin\Desktop\PlaySound.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0 | Version: 3, 3, 8, 1

PID 3344 | Parent process: cmd.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\anna.vbs"
  Path: C:\Windows\System32\WScript.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 2840 | Parent process: WScript.exe
  CMD: "C:\Users\admin\Desktop\ANNA.exe"
  Path: C:\Users\admin\Desktop\ANNA.exe
  User: admin | Integrity Level: MEDIUM | Version: 3, 3, 8, 1

PID 2880 | Parent process: ANNA.exe
  CMD: C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2084 | Parent process: cmd.exe
  CMD: wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\
  Path: C:\Windows\system32\wusa.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Update Standalone Installer | Exit code: 3221226540 (0xC000042C) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1228 | Parent process: cmd.exe
  CMD: "C:\Windows\system32\wusa.exe" C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\
  Path: C:\Windows\system32\wusa.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Update Standalone Installer | Exit code: 3221226540 (0xC000042C) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1448 | Parent process: cmd.exe
  CMD: "C:\Windows\system32\wusa.exe" C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\
  Path: C:\Windows\system32\wusa.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Update Standalone Installer | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 3 872
Read events: 2 963
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 12
Suspicious files: 79
Text files: 76
Unknown types: 8

Dropped files

Columns of the original table: PID, Process, Filename, Type, followed by MD5 and SHA256 where the report lists them.

PID 2840 | ANNA.exe | C:\Users\admin\AppData\Local\Temp\autB384.tmp | Type: not listed
  MD5: not listed | SHA256: not listed

PID 2840 | ANNA.exe | C:\Users\admin\AppData\Local\Temp\ynoldsx | Type: not listed
  MD5: not listed | SHA256: not listed

PID 2840 | ANNA.exe | C:\Users\admin\AppData\Local\Temp\autB395.tmp | Type: not listed
  MD5: not listed | SHA256: not listed

PID 2840 | ANNA.exe | C:\Users\admin\AppData\Local\Temp\autB3A6.tmp | Type: not listed
  MD5: not listed | SHA256: not listed

PID 1448 | wusa.exe | C:\Windows\system32\migwiz\$dpx$.tmp\a3cd2847f701704fa1fa9ceecf2092a7.tmp | Type: not listed
  MD5: not listed | SHA256: not listed

PID 1448 | wusa.exe | C:\Windows\Logs\DPX\setuperr.log | Type: not listed
  MD5: not listed | SHA256: not listed

PID 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa660.27332\AnnaFiles\anna.vbs | Type: text
  MD5: 40D876551BD5897E1DECA97B55B99CB9
  SHA256: C01AAF1C67FEAB8FE1C77852D5A67F71CCFF050385C4FD3946E30A55819A283E

PID 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa660.27332\AnnaFiles\AnnaRansomware.exe | Type: executable
  MD5: 5C2D017FE387F3D4850A5B1D24B350CE
  SHA256: D9496FB813563B1E61AA69F095FBA9A008EA1792FD7453E019F47CDA20387ABF

PID 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa660.27332\AnnaFiles\AnnaUnlock.exe | Type: executable
  MD5: 9A05513AD5A27EE9EB220940839C2A87
  SHA256: 70EED4BE4A10E75296242073857FA3C2630581DFF0070D11D8A16155A8E5EF9E

PID 2840 | ANNA.exe | C:\Users\admin\Desktop\Lock.ANNA.exe | Type: binary
  MD5: C63FD972B1C8C64A94CAC395F6DEE395
  SHA256: A9114D8D9E711ADBCED08C2D5EC8E9F15825E54CD6D07EB1CF63F70A27A25BD8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info