File name: encrypter-windows-gui-x86.exe

Full analysis: https://app.any.run/tasks/a9108c0d-bbed-423f-b1f4-4d9e23d169ca
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 21, 2024, 13:46:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, beast, ransomware
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BAE8E04226FF74F7C40F9BD2E6E3B4AE
SHA1: 87CA31ACFCB12B6EAC57E1FD47926BE330A11E03
SHA256: CC0680DE960F3E1B727B61A42E59F9C282BD8E41FE20146ED191C7F4BF9283A7
SSDEEP: 3072:yubEQpf0fDrELS1G2Q/AL26aSguLLb+gVldvbdVQXM:yubE203E216SzLqgVlLVQXM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BEAST mutex has been found

      • encrypter-windows-gui-x86.exe (PID: 5828)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Checks for external IP

      • svchost.exe (PID: 2172)
      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2172)
      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Uses pipe srvsvc via SMB (transferring data)

      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Checks Windows Trust Settings

      • encrypter-windows-gui-x86.exe (PID: 5828)
  • INFO

    • Checks proxy server information

      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Reads the computer name

      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Reads the machine GUID from the registry

      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Create files in a temporary directory

      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Checks supported languages

      • encrypter-windows-gui-x86.exe (PID: 5828)
    • Reads the software policy settings

      • encrypter-windows-gui-x86.exe (PID: 5828)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:30 11:34:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 76288
InitializedDataSize: 33792
UninitializedDataSize: -
EntryPoint: 0x619d
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Screenshots: all screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #BEAST encrypter-windows-gui-x86.exe svchost.exe

Process information

PID: 2172
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll

PID: 5828
CMD: "C:\Users\admin\Desktop\encrypter-windows-gui-x86.exe"
Path: C:\Users\admin\Desktop\encrypter-windows-gui-x86.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\encrypter-windows-gui-x86.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll
Total events: 3 761
Read events: 3 758
Write events: 3
Delete events: 0

Modification events

(PID) Process: (5828) encrypter-windows-gui-x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (5828) encrypter-windows-gui-x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5828) encrypter-windows-gui-x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 5
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5828 | encrypter-windows-gui-x86.exe | C:\bootTel.dat | binary
  MD5: 4F560E6C3E217B6EC1781D1B8FB7B089
  SHA256: ECDCF7FD16F71779D872D6D6C4D913028B179F9C7288646A30A17A07B707BA77
5828 | encrypter-windows-gui-x86.exe | C:\Users\admin\AppData\Local\Temp\default.key | binary
  MD5: 17754D7D4A80A37014E2F785232CA5F1
  SHA256: 6F9B81631C8A5DA491962F529562F9081DE3DF522E7BC6C130FA99032C946BC1
5828 | encrypter-windows-gui-x86.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files (x86)\README.TXT | text
  MD5: 7D6FF8F56A6B251BBF524957EA185150
  SHA256: CA9D73BACF174D6DDAF7BB91D86E3EBE6864D31EBB7E8138CE5D6B80999E6FB8
5828 | encrypter-windows-gui-x86.exe | C:\BOOTNXT.{1F07DA8E-A4F2-FAAA-76B5-35C72B99A5C9}.REVRAC | binary
  MD5: 1D2397CFF9B971052310724B7ECEB09E
  SHA256: 0A0DE5FAE94787C58CD734FF63496A882837FA06B296368F07FB7250E3171812
5828 | encrypter-windows-gui-x86.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\README.TXT | text
  MD5: 7D6FF8F56A6B251BBF524957EA185150
  SHA256: CA9D73BACF174D6DDAF7BB91D86E3EBE6864D31EBB7E8138CE5D6B80999E6FB8
5828 | encrypter-windows-gui-x86.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\README.TXT | text
  MD5: 7D6FF8F56A6B251BBF524957EA185150
  SHA256: CA9D73BACF174D6DDAF7BB91D86E3EBE6864D31EBB7E8138CE5D6B80999E6FB8
5828 | encrypter-windows-gui-x86.exe | C:\bootTel.dat.{1F07DA8E-A4F2-FAAA-76B5-35C72B99A5C9}.REVRAC | binary
  MD5: 4F560E6C3E217B6EC1781D1B8FB7B089
  SHA256: ECDCF7FD16F71779D872D6D6C4D913028B179F9C7288646A30A17A07B707BA77
5828 | encrypter-windows-gui-x86.exe | C:\Users\admin\AppData\Local\VirtualStore\README.TXT | text
  MD5: 7D6FF8F56A6B251BBF524957EA185150
  SHA256: CA9D73BACF174D6DDAF7BB91D86E3EBE6864D31EBB7E8138CE5D6B80999E6FB8
5828 | encrypter-windows-gui-x86.exe | C:\BOOTNXT | binary
  MD5: 1D2397CFF9B971052310724B7ECEB09E
  SHA256: 0A0DE5FAE94787C58CD734FF63496A882837FA06B296368F07FB7250E3171812
5828 | encrypter-windows-gui-x86.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CUAssistant\README.TXT | text
  MD5: 7D6FF8F56A6B251BBF524957EA185150
  SHA256: CA9D73BACF174D6DDAF7BB91D86E3EBE6864D31EBB7E8138CE5D6B80999E6FB8
HTTP(S) requests: 5
TCP/UDP connections: 41
DNS requests: 10
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1752 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1752 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 172.67.167.249:443 | https://iplogger.co/13JGH4.torrent | unknown | image | 116 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1752 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 92.123.104.62:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 92.123.104.6:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5828 | encrypter-windows-gui-x86.exe | 192.168.100.1:445 | - | - | - | unknown
5828 | encrypter-windows-gui-x86.exe | 192.168.100.2:445 | - | - | - | whitelisted
5828 | encrypter-windows-gui-x86.exe | 192.168.100.168:445 | - | - | - | unknown

DNS requests

settings-win.data.microsoft.com (reputation: whitelisted)
  • 40.127.240.158
  • 4.231.128.59
www.bing.com (reputation: whitelisted)
  • 92.123.104.62
  • 92.123.104.6
  • 92.123.104.5
  • 92.123.104.66
  • 92.123.104.4
  • 92.123.104.10
  • 92.123.104.65
  • 92.123.104.63
  • 92.123.104.67
google.com (reputation: whitelisted)
  • 142.250.184.238
iplogger.co (reputation: shared)
  • 172.67.167.249
  • 104.21.82.93
crl.microsoft.com (reputation: whitelisted)
  • 23.53.40.176
  • 23.53.40.178
www.microsoft.com (reputation: whitelisted)
  • 23.35.229.160
self.events.data.microsoft.com (reputation: whitelisted)
  • 52.178.17.2

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET P2P Possible Torrent Download via HTTP Request
2 ETPRO signatures available at the full report
No debug info