analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip

Full analysis: https://app.any.run/tasks/db522d80-80a2-4b9c-925a-592fa38fbff4
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: January 11, 2019, 03:56:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

95CD7AC6C12144DD7E3ABB879344465E

SHA1:

BD414274654229B6E94339673187630B9E8FF987

SHA256:

D992871DD45A6302916F809EB54639A656C9E619451C10A03704735C424BE0D9

SSDEEP:

3072:4B4UA79CJyI52vw2AmSXBbCp+s89xPoI0f3uB+MFnSQINX1wCgCbwoEYqEmUukgu:+A8UIAR8/+eBRFSjQsEYdmUukgA+/Y6m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe (PID: 908)
      • Dpwel.exe (PID: 3076)

    • Application was injected by another process

      • dwm.exe (PID: 1996)
      • windanr.exe (PID: 2196)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3204)

    • Runs injected code in another process

      • Dpwel.exe (PID: 3076)

    • Writes file to Word startup folder

      • dwm.exe (PID: 1996)

    • Actions looks like stealing of personal data

      • dwm.exe (PID: 1996)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe (PID: 908)
      • WinRAR.exe (PID: 2960)

    • Starts CMD.EXE for commands execution

      • Dpwel.exe (PID: 3076)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2672)

    • Creates files in the program directory

      • dwm.exe (PID: 1996)

    • Creates files like Ransomware instruction

      • dwm.exe (PID: 1996)

    • Creates files in the user directory

      • dwm.exe (PID: 1996)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • dwm.exe (PID: 1996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
ZipUncompressedSize: 393216
ZipCompressedSize: 195793
ZipCRC: 0x794678da
ZipModifyDate: 2018:08:19 18:01:03
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start inject inject winrar.exe rundll32.exe no specs 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe dpwel.exe no specs cmd.exe no specs dwm.exe reg.exe windanr.exe taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2960"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2744"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
908"C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe" C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3076"C:\users\Public\Dpwel.exe" C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exeC:\users\Public\Dpwel.exe23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2672"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\Dpwel.exe" /fC:\Windows\System32\cmd.exeDpwel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1996"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3204REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\Dpwel.exe" /fC:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2196"windanr.exe"C:\Windows\system32\windanr.exe
qemu-ga.exe
User:
admin
Integrity Level:
MEDIUM
16288"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
556
Read events
523
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
158
Text files
84
Unknown types
2

Dropped files

PID
Process
Filename
Type
1996dwm.exeC:\ProgramData\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
1996dwm.exeC:\ProgramData\Microsoft\MF\Pending.GRLbinary
MD5:DEFF4C97814FBD2AAC50E15A49249537
SHA256:AD2E9041F7BB8454FCF683D75A24DFB8EBAEA8510D3437536B5D824F61668781
1996dwm.exeC:\ProgramData\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
1996dwm.exeC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
1996dwm.exeC:\Program Files\Google\CrashReports\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
1996dwm.exeC:\ProgramData\Adobe\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
1996dwm.exeC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:93A5AADEEC082FFC1BCA5AA27AF70F52
SHA256:A1A21799E98F97F271657CE656076F33DCB020D9370F1F2671D783CAFD230294
1996dwm.exeC:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
1996dwm.exeC:\ProgramData\Microsoft\eHome\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
1996dwm.exeC:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\RyukReadMe.txttext
MD5:CD99CBA6153CBC0B14B7A849E4D0180F
SHA256:74C43A177917B1D57EA2EAF6212CCF3B9012B4D68BC45284349443EED0BF5EE2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip