File name:

AnnaFiles.rar

Full analysis: https://app.any.run/tasks/3f0afb3f-ad1e-4dbe-93ca-c18f6986a109
Verdict: Malicious activity
Analysis date: March 30, 2020, 15:07:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

56821674504A524718BE28502C0204AE

SHA1:

F61293224B7D50E4A112767EE25A9FAE5EC3C464

SHA256:

C1253A3614B07A7E5380158CEA625597662177EC58551E884BB284CD51A6A195

SSDEEP:

24576:M2oAUeQnhJMkyDUo5n91glEtNLE3e6faWshBmn725w4384fQVB3Rhqp4DxEsRC56:M25UeQLlS591zLE3rfaDhcn725w43Pez

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AnnaRansomware.exe (PID: 1632)
      • ANNA.exe (PID: 2840)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2408)
      • AnnaUnlock.exe (PID: 2580)
      • PlaySound.exe (PID: 3612)

    • Loads dropped or rewritten executable

      • migwiz.exe (PID: 3912)
      • migwiz.exe (PID: 2636)

    • UAC/LUA settings modification

      • reg.exe (PID: 3764)
      • reg.exe (PID: 1392)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • AnnaRansomware.exe (PID: 1632)
      • ANNA.exe (PID: 2840)
      • migwiz.exe (PID: 3912)
      • ANNA.exe (PID: 332)
      • migwiz.exe (PID: 2636)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 660)
      • wusa.exe (PID: 1448)
      • AnnaUnlock.exe (PID: 2408)
      • AnnaUnlock.exe (PID: 2580)
      • wusa.exe (PID: 2452)

    • Executes scripts

      • cmd.exe (PID: 852)
      • ANNA.exe (PID: 2840)
      • ANNA.exe (PID: 332)

    • Creates files in the Windows directory

      • wusa.exe (PID: 1448)
      • wusa.exe (PID: 2452)

    • Removes files from Windows directory

      • wusa.exe (PID: 1448)
      • wusa.exe (PID: 2452)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • ANNA.exe (PID: 2840)
      • AnnaUnlock.exe (PID: 2408)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2580)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 3820)

    • Executed via COM

      • DllHost.exe (PID: 1748)
      • DllHost.exe (PID: 3976)

    • Changes the desktop background image

      • AnnaUnlock.exe (PID: 2408)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2580)
      • ANNA.exe (PID: 2840)

  • INFO

    • Manual execution by user

      • AnnaRansomware.exe (PID: 1632)
      • WINWORD.EXE (PID: 2768)
      • chrome.exe (PID: 404)
      • ANNA.exe (PID: 332)
      • AnnaUnlock.exe (PID: 2408)
      • WINWORD.EXE (PID: 2780)
      • AnnaUnlock.exe (PID: 2580)

    • Application launched itself

      • chrome.exe (PID: 404)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2768)
      • WINWORD.EXE (PID: 2780)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2768)
      • WINWORD.EXE (PID: 2780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
93
Monitored processes
34
Malicious processes
5
Suspicious processes
6

Behavior graph

Click at the process to see the details
start winrar.exe annaransomware.exe no specs cmd.exe no specs playsound.exe no specs wscript.exe no specs anna.exe no specs cmd.exe no specs wusa.exe no specs wusa.exe no specs wusa.exe wscript.exe no specs migwiz.exe no specs migwiz.exe cmd.exe no specs reg.exe no specs winword.exe no specs PhotoViewer.dll no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs annaunlock.exe PhotoViewer.dll no specs anna.exe no specs cmd.exe no specs wusa.exe no specs wusa.exe no specs wusa.exe wscript.exe no specs migwiz.exe no specs migwiz.exe cmd.exe no specs reg.exe no specs annaunlock.exe winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
332"C:\Users\admin\Desktop\ANNA.exe" C:\Users\admin\Desktop\ANNA.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
3, 3, 8, 1
Modules
Images
c:\users\admin\desktop\anna.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
404"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exeexplorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
660"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\AnnaFiles.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
852"C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\795A.tmp\795B.tmp\795C.bat C:\Users\admin\Desktop\AnnaRansomware.exe"C:\Windows\system32\cmd.exeAnnaRansomware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1228"C:\Windows\system32\wusa.exe" C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\ C:\Windows\system32\wusa.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
1356C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /fC:\Windows\System32\cmd.exemigwiz.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1392C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1448"C:\Windows\system32\wusa.exe" C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\ C:\Windows\system32\wusa.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1632"C:\Users\admin\Desktop\AnnaRansomware.exe" C:\Users\admin\Desktop\AnnaRansomware.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\annaransomware.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
1748C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
3 872
Read events
2 963
Write events
514
Delete events
395

Modification events

(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(660) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\AnnaFiles.rar
(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(660) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:@C:\Windows\System32\mshta.exe,-6412
Value:
HTML Application
(PID) Process:(660) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
12
Suspicious files
79
Text files
76
Unknown types
8

Dropped files

PID
Process
Filename
Type
2840ANNA.exeC:\Users\admin\AppData\Local\Temp\autB384.tmp
MD5:
SHA256:
2840ANNA.exeC:\Users\admin\AppData\Local\Temp\ynoldsx
MD5:
SHA256:
2840ANNA.exeC:\Users\admin\AppData\Local\Temp\autB395.tmp
MD5:
SHA256:
2840ANNA.exeC:\Users\admin\AppData\Local\Temp\autB3A6.tmp
MD5:
SHA256:
1448wusa.exeC:\Windows\system32\migwiz\$dpx$.tmp\a3cd2847f701704fa1fa9ceecf2092a7.tmp
MD5:
SHA256:
1448wusa.exeC:\Windows\Logs\DPX\setuperr.log
MD5:
SHA256:
660WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa660.27332\AnnaFiles\ANNA.exeexecutable
MD5:
SHA256:
660WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa660.27332\AnnaFiles\AnnaRansomware.exeexecutable
MD5:
SHA256:
660WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa660.27332\AnnaFiles\anna.vbstext
MD5:
SHA256:
660WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa660.27332\AnnaFiles\anna.jpgimage
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AnnaFiles.rar