| File name: | pepe.exe |
| Full analysis: | https://app.any.run/tasks/cacdc567-390d-44b4-840a-3a0859da95e2 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | March 20, 2024, 08:52:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 12B458301D7CD8F7F1536A62EFDA148E |
| SHA1: | 60FEF33FC40F7AFBD23472A3C9C25E639B3122AF |
| SHA256: | C6729EB170A6209A351D4A8D99EFE0BD7848D08D5AC9CB086F1D8BAD625DBC7A |
| SSDEEP: | 12288:BFHDU7hOYN/W3o3HOKBxWNDc6hCKvaSMSVupdDp0tbtYcOoIlPj3rw/F/F56yR5H:v8N8K3Wq6CS8WGogAeU5+6NA |
MALICIOUS
Drops the executable file immediately after the start
- pepe.exe (PID: 3500)
Create files in the Startup directory
- svchost.exe (PID: 1824)
Renames files like ransomware
- svchost.exe (PID: 1824)
Steals credentials from Web Browsers
- svchost.exe (PID: 1824)
Deletes shadow copies
- cmd.exe (PID: 3068)
- cmd.exe (PID: 2992)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 2772)
Actions looks like stealing of personal data
- svchost.exe (PID: 1824)
SUSPICIOUS
Executable content was dropped or overwritten
- pepe.exe (PID: 3500)
The process creates files with name similar to system file names
- pepe.exe (PID: 3500)
Reads the Internet Settings
- pepe.exe (PID: 3500)
- svchost.exe (PID: 1824)
- WMIC.exe (PID: 3680)
Reads security settings of Internet Explorer
- pepe.exe (PID: 3500)
- svchost.exe (PID: 1824)
Starts itself from another location
- pepe.exe (PID: 3500)
Write to the desktop.ini file (may be used to cloak folders)
- svchost.exe (PID: 1824)
Starts CMD.EXE for commands execution
- svchost.exe (PID: 1824)
Executes as Windows Service
- VSSVC.exe (PID: 2432)
- wbengine.exe (PID: 3520)
- vds.exe (PID: 552)
Creates file in the systems drive root
- ntvdm.exe (PID: 1556)
Start notepad (likely ransomware note)
- svchost.exe (PID: 1824)
INFO
Reads the computer name
- pepe.exe (PID: 3500)
- svchost.exe (PID: 1824)
Creates files or folders in the user directory
- pepe.exe (PID: 3500)
- svchost.exe (PID: 1824)
Checks supported languages
- pepe.exe (PID: 3500)
- svchost.exe (PID: 1824)
Reads the machine GUID from the registry
- svchost.exe (PID: 1824)
Manual execution by a user
- notepad.exe (PID: 2152)
- ntvdm.exe (PID: 1556)
Create files in a temporary directory
- svchost.exe (PID: 1824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:18 19:24:32+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 677376 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa74de |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | pepe.exe |
| LegalCopyright: | |
| OriginalFileName: | pepe.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
Total processes
63
Monitored processes
17
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 552 | C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 784 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\read_it.txt | C:\Windows\System32\notepad.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 844 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\System32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1556 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\System32\ntvdm.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1824 | "C:\Users\admin\AppData\Roaming\svchost.exe" | C:\Users\admin\AppData\Roaming\svchost.exe | pepe.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 0 Version: 0.0.0.0 Modules
| |||||||||||||||
| 2152 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\read_it.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2432 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2588 | C:\Windows\System32\vdsldr.exe -Embedding | C:\Windows\System32\vdsldr.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2772 | "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2992 | "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
9 432
Read events
9 414
Write events
18
Delete events
0
Modification events
| (PID) Process: | (3500) pepe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3500) pepe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3500) pepe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3500) pepe.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1824) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1824) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1824) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1824) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (844) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\250000e0 |
| Operation: | write | Name: | Element |
Value: 0100000000000000 | |||
| (PID) Process: | (3616) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009 |
| Operation: | write | Name: | Element |
Value: 00 | |||
Executable files
1
Suspicious files
0
Text files
753
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3500 | pepe.exe | C:\Users\admin\AppData\Roaming\svchost.exe | executable | |
MD5:12B458301D7CD8F7F1536A62EFDA148E | SHA256:C6729EB170A6209A351D4A8D99EFE0BD7848D08D5AC9CB086F1D8BAD625DBC7A | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\agencynetwork.jpg.exe | text | |
MD5:93D5B54998821BC8D1AF33FEF25FF25E | SHA256:CF5D070F2290B376D3F5258C1D9633B68AD2DA0FCC82E3E9F0F79219857EA20C | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\filmprotection.rtf.exe | text | |
MD5:68B507F7144CFAB142FD32E7285B8D3F | SHA256:F24DC460524D475CDED42674D929A65A99654D785B911A1B29742148B8EC3E19 | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\allwords.png.exe | text | |
MD5:3A68DA78FD00B50284C80EA630E6033E | SHA256:7514031FB7366DE18C4EA010717BFF7E864163E3DAA2ED3C9C49CB8974501F59 | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\read_it.txt | text | |
MD5:4217B8B83CE3C3F70029A056546F8FD0 | SHA256:7D767E907BE373C680D1F7884D779588EB643BEBB3F27BF3B5ED4864AA4D8121 | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\approvedindividual.rtf | text | |
MD5:A582E8A3134E36D8DA192BD375515F79 | SHA256:3568587305822A6369E4094DB4EBA3B5C7425ABC0E7AA00416A6B5FC4BA81F43 | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\approvedindividual.rtf.exe | text | |
MD5:A582E8A3134E36D8DA192BD375515F79 | SHA256:3568587305822A6369E4094DB4EBA3B5C7425ABC0E7AA00416A6B5FC4BA81F43 | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\coveragek.rtf | text | |
MD5:EA7B2E164782D1ECCC986CC660243E5A | SHA256:80C7F61E8B62AE15051663340058BA7181E680938EBEE329A20692C7E444384D | |||
| 1824 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | text | |
MD5:83660DEB1A47E0B191FDA82BDFD61827 | SHA256:87089BD6FEDDA43B5E4D738B5BF246BA1B2E5C248B9220F0D1E742B827F30B0D | |||
| 1824 | svchost.exe | C:\Users\admin\Desktop\agencynetwork.jpg | text | |
MD5:93D5B54998821BC8D1AF33FEF25FF25E | SHA256:CF5D070F2290B376D3F5258C1D9633B68AD2DA0FCC82E3E9F0F79219857EA20C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |