analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Spora Ransomware.zip

Full analysis: https://app.any.run/tasks/5bc8d5a6-9553-4973-aac7-82dbac9ab3e3
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: November 29, 2020, 14:03:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
spora
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D17E10E699E54C04A56227C69AC57235

SHA1:

290F4287E9316B26B8CC750DCD2848E6C48CCAF6

SHA256:

C3B0A77405602E1C03B2493553E930A8361CDBE24AD94A581FEFEA75C347FFEA

SSDEEP:

384:6CpFaW3pT3yyf9dqQ+zDOpekuTQsWg3kzIo9yBbMH:lbaW3X9AQtpFzISyBQH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Actions looks like stealing of personal data

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Writes to a start menu file

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Deletes shadow copies

      • cmd.exe (PID: 2424)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2424)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2708)
      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Creates files in the user directory

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Uses WMIC.EXE to create a new process

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Reads the cookies of Mozilla Firefox

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Creates files in the program directory

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Starts Internet Explorer

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Executed as Windows Service

      • vssvc.exe (PID: 3960)

    • Creates files in the Windows directory

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)

    • Executed via WMI

      • cmd.exe (PID: 2424)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3584)

  • INFO

    • Manual execution by user

      • 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe (PID: 1520)
      • chrome.exe (PID: 3584)

    • Application launched itself

      • iexplore.exe (PID: 2456)
      • chrome.exe (PID: 3584)

    • Reads internet explorer settings

      • iexplore.exe (PID: 956)

    • Changes internet zones settings

      • iexplore.exe (PID: 2456)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2456)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2456)

    • Reads the hosts file

      • chrome.exe (PID: 3584)
      • chrome.exe (PID: 968)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2018:10:05 02:53:08
ZipCRC: 0x56ab286f
ZipCompressedSize: 16515
ZipUncompressedSize: 24576
ZipFileName: 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
85
Monitored processes
37
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe 7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe wmic.exe no specs iexplore.exe cmd.exe no specs vssadmin.exe no specs iexplore.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2708"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Spora Ransomware.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1520"C:\Users\admin\Desktop\7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe" C:\Users\admin\Desktop\7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3616"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"C:\Windows\System32\wbem\WMIC.exe7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2456"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\US573-ECKTZ-TZTRR-TFRTX.HTMLC:\Program Files\Internet Explorer\iexplore.exe
7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2424cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\cmd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3192vssadmin.exe delete shadows /all /quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
956"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2456 CREDAT:275457 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3960C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2764bcdedit.exe /set {default} recoveryenabled no C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2512bcdedit.exe /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 214
Read events
1 028
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
111
Text files
183
Unknown types
15

Dropped files

PID
Process
Filename
Type
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite
MD5:
SHA256:
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite
MD5:
SHA256:
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\US573-ECKTZ-TZTRR-TFRTX.KEYbinary
MD5:D5040CCF05D708CA9F23307674568495
SHA256:AC78EB16EFDA86D19E0FC0CE2AFBD243C31B7951D39719F23D38C6B86923CACA
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\Desktop\US573-ECKTZ-TZTRR-TFRTX.KEYbinary
MD5:D5040CCF05D708CA9F23307674568495
SHA256:AC78EB16EFDA86D19E0FC0CE2AFBD243C31B7951D39719F23D38C6B86923CACA
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlitebinary
MD5:8C94DE0C8C9D9CA156754233F6357C9F
SHA256:EA827DA02C6DE1F4B07CBD7EAB289F3E4D8BE0C3BFE5ACB6CDEAF1E06581B854
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlitebinary
MD5:81F0BDD2194646AF5472746ABA171916
SHA256:D935ED5E1465D5CA04448230E9991BC6BF60B0FD8F5B1B616019E8EA25BF367B
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\Desktop\nonhope.rtfbinary
MD5:FD0BFB92708FEBA88B3DFA2BF79509C0
SHA256:B697701E477E5464A1C7D7E9CE22DCA2C77C647568CD2032D365C1FE8FAFA131
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\Documents\historicalcatalog.rtfbinary
MD5:232C879B478F24BDC61BC1DDF5DE68C6
SHA256:677D49FC3E3019D935A9D5CB6166FD76F4DDD22175171C5AF823FDA41F0FCA1F
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\AppData\Roaming\US573-ECKTZ-TZTRR-TFRTX.KEYbinary
MD5:D5040CCF05D708CA9F23307674568495
SHA256:AC78EB16EFDA86D19E0FC0CE2AFBD243C31B7951D39719F23D38C6B86923CACA
15207ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02.exeC:\Users\admin\Desktop\canames.rtfbinary
MD5:C683697D0BFA058CFEDA5FB645A885D6
SHA256:1F1DAB4FC874F5CDE135E546AC2C81E1EEF57A8E797AD3A66743EEB0B36D4B0D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
15
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2456
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2456
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2456
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2456
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2456
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2456
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
968
chrome.exe
172.217.17.65:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
968
chrome.exe
172.217.20.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
968
chrome.exe
172.217.23.68:443
www.google.com
Google Inc.
US
whitelisted
968
chrome.exe
216.58.214.14:443
clients2.google.com
Google Inc.
US
whitelisted
2456
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
968
chrome.exe
172.217.23.45:443
accounts.google.com
Google Inc.
US
unknown
968
chrome.exe
172.217.17.67:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.msocsp.com
  • 104.18.24.243
whitelisted
clientservices.googleapis.com
  • 172.217.20.99
whitelisted
accounts.google.com
  • 172.217.23.45
shared
www.google.com
  • 172.217.23.68
whitelisted
ssl.gstatic.com
  • 172.217.17.67
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN Spora Ransomware DNS Query
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Spora Ransomware.zip