File name: Merry X-Mas Loser.exe.bin

Full analysis: https://app.any.run/tasks/f5780e3c-641a-418d-baab-c57877950d1a
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 26, 2024, 09:37:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
ransomware
sality
upx
remcos
stealer
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: B475A319C15D72933AA6DD84237EFF18
SHA1: FF914F0BD3F4651D9EFF9E9CD2E2083CA0E82901
SHA256: C98BE2DFD0ABDD8D86CDB34DBB13A9291DCB7ACDFA39BEC4CE2D9BDD1E61AFD8
SSDEEP: 12288:B9M7iXfHDc498T/j3SXPgXLGLDAwcEk9ZCnKpHWEbHTCIFT5E:B9eyfHDv9+/j3KgeAwchzCnKpHTbHTCB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Merry X-Mas Loser.exe (PID: 5496)
      • Merry X-Mas Loser.exe (PID: 6912)
    • Changes the autorun value in the registry

      • Merry X-Mas Loser.exe (PID: 6912)
    • Changes Security Center notification settings

      • COMPLAINT.pdf.exe (PID: 5588)
    • SALITY mutex has been found

      • COMPLAINT.pdf.exe (PID: 5588)
      • Merry X-Mas Loser.exe (PID: 6912)
    • UAC/LUA settings modification

      • COMPLAINT.pdf.exe (PID: 5588)
    • Actions looks like stealing of personal data

      • Merry X-Mas Loser.exe (PID: 6912)
    • REMCOS has been detected (YARA)

      • COMPLAINT.pdf.exe (PID: 5588)
    • Steals credentials from Web Browsers

      • Merry X-Mas Loser.exe (PID: 6912)
    • RANSOMWARE has been detected

      • Merry X-Mas Loser.exe (PID: 6912)
    • XORed URL has been found (YARA)

      • Merry X-Mas Loser.exe (PID: 6912)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Merry X-Mas Loser.exe (PID: 5496)
    • Creates file in the systems drive root

      • Merry X-Mas Loser.exe (PID: 6912)
      • COMPLAINT.pdf.exe (PID: 5588)
    • Application launched itself

      • Merry X-Mas Loser.exe (PID: 5496)
    • Checks Windows Trust Settings

      • Merry X-Mas Loser.exe (PID: 5496)
    • Searches for installed software

      • Merry X-Mas Loser.exe (PID: 6912)
    • Executable content was dropped or overwritten

      • COMPLAINT.pdf.exe (PID: 5588)
    • Process drops legitimate windows executable

      • COMPLAINT.pdf.exe (PID: 5588)
  • INFO

    • Checks supported languages

      • Merry X-Mas Loser.exe (PID: 5496)
      • Merry X-Mas Loser.exe (PID: 6912)
      • COMPLAINT.pdf.exe (PID: 5588)
    • Creates files or folders in the user directory

      • Merry X-Mas Loser.exe (PID: 5496)
    • Reads the computer name

      • Merry X-Mas Loser.exe (PID: 5496)
      • Merry X-Mas Loser.exe (PID: 6912)
      • COMPLAINT.pdf.exe (PID: 5588)
    • Reads the machine GUID from the registry

      • Merry X-Mas Loser.exe (PID: 5496)
      • Merry X-Mas Loser.exe (PID: 6912)
    • Manual execution by a user

      • Merry X-Mas Loser.exe (PID: 5496)
      • COMPLAINT.pdf.exe (PID: 5588)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6380)
    • Checks proxy server information

      • Merry X-Mas Loser.exe (PID: 5496)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6380)
    • Reads the software policy settings

      • Merry X-Mas Loser.exe (PID: 5496)
    • Reads CPU info

      • Merry X-Mas Loser.exe (PID: 6912)
    • Create files in a temporary directory

      • COMPLAINT.pdf.exe (PID: 5588)
    • UPX packer has been detected

      • COMPLAINT.pdf.exe (PID: 5588)
    • The sample compiled with english language support

      • COMPLAINT.pdf.exe (PID: 5588)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • Merry X-Mas Loser.exe (PID: 6912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process: (6912) Merry X-Mas Loser.exe
Decrypted-URLs (1): http://schemas.microsoft.com/windows/2004/02/mit/task
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
No data.
All screenshots are available in the full report
Total processes: 114
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start winrar.exe merry x-mas loser.exe #XOR-URL merry x-mas loser.exe svchost.exe #SALITY complaint.pdf.exe rundll32.exe no specs

Process information

PID:
2192
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
4952
CMD:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path:
C:\Windows\System32\rundll32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
5496
CMD:
"C:\Users\admin\Desktop\Merry X-Mas Loser.exe"
Path:
C:\Users\admin\Desktop\Merry X-Mas Loser.exe
Parent process:
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Advanced Malware Protection
Exit code:
0
Version:
2.70.312
Modules
Images
c:\users\admin\desktop\merry x-mas loser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
5588
CMD:
"C:\Users\admin\Desktop\COMPLAINT.pdf.exe"
Path:
C:\Users\admin\Desktop\COMPLAINT.pdf.exe
Parent process:
explorer.exe
User:
admin
Company:
MicrRp
Integrity Level:
MEDIUM
Description:
MicrRp
Version:
2.4.0.3
Modules
Images
c:\users\admin\desktop\complaint.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
6380
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Merry X-Mas Loser.exe.bin.7z"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
6912
CMD:
"C:\Users\admin\Desktop\Merry X-Mas Loser.exe"
Path:
C:\Users\admin\Desktop\Merry X-Mas Loser.exe
Parent process:
Merry X-Mas Loser.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Advanced Malware Protection
Version:
2.70.312
Modules
Images
c:\users\admin\desktop\merry x-mas loser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 5 821
Read events: 5 740
Write events: 81
Delete events: 0

Modification events

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Merry X-Mas Loser.exe.bin.7z

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6380) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6912) Merry X-Mas Loser.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Adobe
Value: C:\Users\admin\Desktop\Merry X-Mas Loser.exe
Executable files: 5
Suspicious files: 37
Text files: 0
Unknown types: 0

Dropped files

PID: 6380
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb6380.19731\Merry X-Mas Loser.exe
Type: executable
MD5: 887B35A87FB75E2D889694143E3C9014
SHA256: 78CC9626BB8D6F9D8DDF8236C197894A86F9D54A294B38C9C0B82744496B3FAE

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.RMCM1

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.RMCM1

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.RMCM1

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak

PID: 6912
Process: Merry X-Mas Loser.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.RMCM1

PID: 5496
Process: Merry X-Mas Loser.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Type: binary
MD5: B893579759F66D79B894521ECF18EF9B
SHA256: CA6C976CB5F15B0A7D1D1399467AF8D8BA6FDBED66AA4218704530D6554B2A38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 18
DNS requests: 7
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.36.77.81:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6072 | svchost.exe | GET | 200 | 23.36.77.81:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.36.77.81:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6072 | svchost.exe | GET | 200 | 96.6.17.223:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 96.6.17.223:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 96.6.17.223:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | Merry X-Mas Loser.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D | unknown | whitelisted
5496 | Merry X-Mas Loser.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA52Wedn092tD1Y5ldpOTKs%3D | unknown | whitelisted
5496 | Merry X-Mas Loser.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAk%2BmfTb2czLSkOOaHw6sVI%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.36.77.227:443 | www.bing.com | Akamai International B.V. | NO | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4712 | MoUsoCoreWorker.exe | 23.36.77.81:80 | crl.microsoft.com | Akamai International B.V. | NO | whitelisted
6072 | svchost.exe | 23.36.77.81:80 | crl.microsoft.com | Akamai International B.V. | NO | whitelisted
- | - | 23.36.77.81:80 | crl.microsoft.com | Akamai International B.V. | NO | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 96.6.17.223:80 | www.microsoft.com | AKAMAI-AS | NO | whitelisted
6072 | svchost.exe | 96.6.17.223:80 | www.microsoft.com | AKAMAI-AS | NO | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.74.110 | whitelisted
www.bing.com | 23.36.77.227 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
crl.microsoft.com | 23.36.77.81 | whitelisted
www.microsoft.com | 96.6.17.223 | whitelisted
onion1.pw | - | unknown

Threats

PID | Process | Class | Message
2192 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
No debug info