| File name: | HW32.Packed.(2).7z |
| Full analysis: | https://app.any.run/tasks/673a3f52-7ec9-4bb1-af91-14ec3731a5e4 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | November 20, 2023, 19:36:04 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 5DCDDC8646E2A2DA5F35697EB8D2D7E7 |
| SHA1: | B40E77E01C265353543B1A40DB7552CECF97121B |
| SHA256: | D963F871B1D7D07ABE3DBDB9080896E7041A2E7C71EBF0E3AA690AE754BD447B |
| SSDEEP: | 24576:58keOpPGqjGamKpzQyAf7HSZq10urQUiRVHFDTvO+57QbhCRi:58keO9GqjGamKpzQyAf7HSZq10urQUie |
MALICIOUS
Actions looks like stealing of personal data
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
Drops the executable file immediately after the start
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
LOCKY has been detected (SURICATA)
- msedge.exe (PID: 3120)
SUSPICIOUS
Application launched itself
- taskmgr.exe (PID: 3508)
Reads the Internet Settings
- taskmgr.exe (PID: 3508)
Executes as Windows Service
- VSSVC.exe (PID: 1352)
Starts CMD.EXE for commands execution
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
INFO
Manual execution by a user
- taskmgr.exe (PID: 3508)
- wmpnscfg.exe (PID: 3912)
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
- msedge.exe (PID: 3868)
- wmpnscfg.exe (PID: 3664)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3428)
- msedge.exe (PID: 3868)
- msedge.exe (PID: 3120)
Checks supported languages
- wmpnscfg.exe (PID: 3912)
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
- wmpnscfg.exe (PID: 3664)
Reads the computer name
- wmpnscfg.exe (PID: 3912)
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
- wmpnscfg.exe (PID: 3664)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3912)
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
- wmpnscfg.exe (PID: 3664)
Creates files in the program directory
- 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe (PID: 2060)
Application launched itself
- msedge.exe (PID: 2324)
- msedge.exe (PID: 3868)
The dropped object may contain a URL to Tor Browser
- msedge.exe (PID: 3120)
- msedge.exe (PID: 3868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
85
Monitored processes
38
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 444 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3828 --field-trial-handle=1200,i,3798959970498761206,2463704287121158818,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1352 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1364 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1200,i,3798959970498761206,2463704287121158818,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1460 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1316 --field-trial-handle=1196,i,17012565182517376508,9726545078770897281,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1476 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1200,i,3798959970498761206,2463704287121158818,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1836 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6aa3f598,0x6aa3f5a8,0x6aa3f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2060 | "C:\Users\admin\Desktop\70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe" | C:\Users\admin\Desktop\70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2096 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1196,i,17012565182517376508,9726545078770897281,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2316 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2320 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3968 --field-trial-handle=1200,i,3798959970498761206,2463704287121158818,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
6 368
Read events
6 290
Write events
71
Delete events
7
Modification events
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
| Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop | |||
Executable files
9
Suspicious files
587
Text files
443
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.45967\HW32.Packed.(2)\70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe.bak | executable | |
MD5:CF92BEA857AEA977023AD61EC6B6C980 | SHA256:70D06BD4E6A91B60BC8515E327FA1F9FB7AC82125E3C8A06359B5BB3F96E48F3 | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Documents\Outlook Files\NIFPEA1S-M956-F9M5-4BC6F7EE-2ABD45C134D8.ykcol | binary | |
MD5:21CC8FF20FE6574731A46D01B7A91C9B | SHA256:D9DD4E0DD6E550118E5C8EEDD0409AAD7081FFD66DA41B34A48C4C9A28416845 | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Documents\OneNote Notebooks\Personal\NIFPEA1S-M956-F9M5-27EB4A88-D356D708EAB3.ykcol | binary | |
MD5:204ADD72E85EE70C7FBD055E39A1D205 | SHA256:486674F32EC6DBF09EB7F26F7C3C10B6C5ABB3A769D5E344A9D589B161D68862 | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Desktop\NIFPEA1S-M956-F9M5-8763DEC1-76171F6080C9.ykcol | text | |
MD5:EB435A7382A72675C6AD36F323E8EA25 | SHA256:A078FF69397F51EFB69A0AF1CCAFF98A8011F88870AB6A99AD2D48AA431DE8F5 | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Documents\Outlook Files\ykcol-be93.htm | html | |
MD5:37F26A672EFD729D0F7E4599426CC497 | SHA256:3918589BB28111D16092C849BA2EE82CA3FC1064144802A7114E69C31633E92A | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Documents\Outlook Files\NIFPEA1S-M956-F9M5-0F58FAA9-5630579F8881.ykcol | binary | |
MD5:BE3DAB17B8FCA7566FFB0A9E3EF0BC8D | SHA256:718578ECB833C4526630488CB9C7F41108F66BBA0C54E63B636CC9911339CA63 | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Desktop\NIFPEA1S-M956-F9M5-4025A595-C0D0B98454B0.ykcol | text | |
MD5:4B3E0DF6D2431D36EA5BBDD61883346E | SHA256:E69499E07FEAF1915923F0803183E0958201ADEF9E6C73D0CA72E79F465FE076 | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Desktop\NIFPEA1S-M956-F9M5-7D7FE2AF-F1B112D2A91F.ykcol | text | |
MD5:90A0EFADAA15BA6FA7A8BAEC4104D9CB | SHA256:D5EBCFEE3F6A85FEED74A193625856F30E8476EA1E6B8ADB49F141C811FA307C | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Desktop\NIFPEA1S-M956-F9M5-0FB5876B-840B7CF2D24A.ykcol | text | |
MD5:4F4D298F065B13AA3383DC6AF9BAD327 | SHA256:88E35075260E989539D3B4AD3E07A810EC250A28734EC4CE36600748FCC83059 | |||
| 2060 | 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3.exe | C:\Users\admin\Documents\OneNote Notebooks\Personal\ykcol-06fa.htm | html | |
MD5:37F26A672EFD729D0F7E4599426CC497 | SHA256:3918589BB28111D16092C849BA2EE82CA3FC1064144802A7114E69C31633E92A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
34
DNS requests
36
Threats
30
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3120 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3868 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3120 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3120 | msedge.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3120 | msedge.exe | 152.199.21.175:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | EDGECAST | DE | whitelisted |
3120 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
www.torproject.org |
| shared |
nav-edge.smartscreen.microsoft.com |
| whitelisted |
data-edge.smartscreen.microsoft.com |
| whitelisted |
dist.torproject.org |
| whitelisted |
dl-edge.smartscreen.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3120 | msedge.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
3120 | msedge.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
3120 | msedge.exe | Potential Corporate Privacy Violation | AV POLICY DNS Query for .onion Domain Via TOR - Not Google |
3120 | msedge.exe | Potential Corporate Privacy Violation | AV POLICY DNS Query for .onion Domain Via TOR - Not Google |
3120 | msedge.exe | Potential Corporate Privacy Violation | AV POLICY DNS Query for .onion Domain Via TOR - Not Google |
3120 | msedge.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | AV POLICY DNS Query for .onion Domain Via TOR - Not Google |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | AV POLICY DNS Query for .onion Domain Via TOR - Not Google |
10 ETPRO signatures available at the full report