File name: FileSearch1.exe

Full analysis: https://app.any.run/tasks/9aa3fe2e-87e2-4d53-8d45-7198a3ab2eb3
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: July 18, 2019, 13:37:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: E2C48222AC24485132BF78D7359411DE
SHA1: 5D908A80FC9800D6CC15DCFD4A852A7FF74FCC6D
SHA256: DF5F0E51753AB6D38373EE2E229DB4F626F13736674DFB47E618ED7058085A83
SSDEEP: 768:Frdiczo1QNi6u6WFA8bugzHZIRZ1fhNFrvfeQAr4xD+oVDV1LfcLEo:xdit6ieU6zR1vfIr4xD+oVDLLa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Writes to a start menu file
      • FileSearch1.exe (PID: 3604)
    • Modifies files in Chrome extension folder
      • FileSearch1.exe (PID: 3604)
    • Renames files like Ransomware
      • FileSearch1.exe (PID: 3604)
    • Actions look like stealing of personal data
      • FileSearch1.exe (PID: 3604)
  • SUSPICIOUS
    • Creates files in the program directory
      • FileSearch1.exe (PID: 3604)
    • Creates files in the user directory
      • FileSearch1.exe (PID: 3604)
      • notepad++.exe (PID: 2820)
  • INFO
    • Manual execution by user
      • OUTLOOK.EXE (PID: 4052)
      • notepad++.exe (PID: 2448)
      • notepad++.exe (PID: 2820)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 4052)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration extracted.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 45056
InitializedDataSize: 16384
UninitializedDataSize: 90112
EntryPoint: 0x211e0
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • Russian - Russia

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x00016000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x00017000 | 0x0000B000 | 0x0000A400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.90644
.rsrc | 0x00022000 | 0x00004000 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.44198

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.11604 | 9640 | UNKNOWN | Russian - Russia | RT_ICON
2 | 3.30521 | 4264 | UNKNOWN | Russian - Russia | RT_ICON
3 | 4.39822 | 1128 | UNKNOWN | Russian - Russia | RT_ICON
DVCLAL | 3.875 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA
PACKAGEINFO | 7.2885 | 468 | UNKNOWN | UNKNOWN | RT_RCDATA
ASMA | 2.45849 | 48 | UNKNOWN | Russian - Russia | RT_GROUP_ICON

Imports

KERNEL32.DLL
advapi32.dll
comctl32.dll
gdi32.dll
oleaut32.dll
shell32.dll
user32.dll
winmm.dll
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, filesearch1.exe, outlook.exe (no specs), notepad++.exe, gup.exe, notepad++.exe

Process information

PID 3604
CMD: "C:\Users\admin\AppData\Local\Temp\FileSearch1.exe"
Path: C:\Users\admin\AppData\Local\Temp\FileSearch1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 4052
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /pst "C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000

PID 2820
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.crypt"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID 3540
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1

PID 2448
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Downloads\desktop.ini.crypt"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51
Total events: 298
Read events: 256
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 586
Text files: 16
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_dropdown12x12.png.crypt | binary
  MD5: 2A577AC8E4A5E061B4E3F7C6AAD99863
  SHA256: D69051003A0E7B8551A8DBDCC3A9C380616F0024BD5DD20631B4AB2054F7354C
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_compare20x20.png.crypt | binary
  MD5: 41D229665A987FC93432DC3FF7CFD3D6
  SHA256: 467AD6E24389988A4199F859C47CB2A984C10A028934D46DBAAAA080B361E0C2
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_cancel24x24.png.crypt | binary
  MD5: AEF39989683B926D35E1D2B7AB578A8B
  SHA256: 7946F8BC1A199A5448FAD866116B1DACD1BF1211745BBD9F6D6B80B6FF6CC36E
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_filter20x20.png.crypt | binary
  MD5: F10E44854BC56EFE1D1A8F36AE7C8615
  SHA256: 0B46130C7BBA3ECEBBABDB89E72FFBFE7DB82180D879BD0D3CBD07E27D437E94
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_auto16x16.png.crypt | binary
  MD5: D067DB31E889823E60DC2190BCC8F002
  SHA256: F6A362E9225498930FD9BCD65B317E141D6D65D5306EF626F36F1E616C47CACD
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_find20x20.png.crypt | binary
  MD5: 34A8420BC71CBB75BB3EDC0A8B1BCE78
  SHA256: 73CAEDA586D3E5D34FE5AA36474D55990B6DC6C8F0856056ACF7C590EDCF9733
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_close12x12.png.crypt | binary
  MD5: 7317D3A44A91ED23C8AB3F7B936BCB66
  SHA256: 43FEBDA935D08FBA1F12EBB10C6CF3C7C00EAF37DA646B055A5925B13B72F28C
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_file16x16.png.crypt | binary
  MD5: F9C7E9396736045D01DA3F9A6F97426A
  SHA256: BDF1402510A9F13A05784E55BB5063257E79FF43940E2B4E3DB49F56BC251B1E
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_disconnect20x20.png.crypt | binary
  MD5: F22F7BD3B324D529C4F3B5F4A83749AC
  SHA256: 35CC576D0844017950CE968D35A45A665B1F360777059324704AF0823B28CBA6
3604 | FileSearch1.exe | C:\Users\admin\AppData\Local\FileZilla\default_cancel20x20.png.crypt | binary
  MD5: B2318E0EFA226336B41ED4E53CFEB982
  SHA256: F89590DA1EC4BEAA86C8727F60AFA9DE3D574C43D5DB7878BE96BC0FD20C00F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.36 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3540 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted
- | - | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | whitelisted

DNS requests

Domain | IP | Reputation
notepad-plus-plus.org | 37.59.28.236 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.16.186.11, 2.16.186.35 | whitelisted

Threats

No threats detected
Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093