File name: 5131014234996736.zip

Full analysis: https://app.any.run/tasks/ea3bdeab-c09c-46d6-bd67-76f437019fcc
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: March 31, 2020, 07:08:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E50464922CBC96E2BB3F35B33AE51F76
SHA1: C6A4C438B1CCB332F94B78C2037889E465C4FBEF
SHA256: E23453AE7354B46D33D5589A05DA9550631B205B7B4D4F3203EFC81D91FC9815
SSDEEP: 12288:jGJsOYBUR03I39fgQTW6tzgCcG/FTW8Lwbmn1XMkktPewbUa1V+ElX7Cae:6JsBB803I39oT6w98LM41XQemUa1VD7u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
    • Runs app for hidden code execution

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
    • Changes the autorun value in the registry

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
    • Writes to a start menu file

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
    • Deletes shadow copies

      • cmd.exe (PID: 3028)
    • Renames files like Ransomware

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
    • Creates files in the user directory

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
    • Creates files in the Windows directory

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
    • Executed as Windows Service

      • vssvc.exe (PID: 3664)
    • Creates files in the program directory

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
  • INFO

    • Manual execution by user

      • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe (PID: 3292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335
ZipUncompressedSize: 979456
ZipCompressedSize: 656657
ZipCRC: 0xf327daf8
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph:
  • winrar.exe (no specs)
  • 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
  • cmd.exe (no specs)
  • mode.com (no specs)
  • vssadmin.exe (no specs)
  • vssvc.exe (no specs)

Process information

PID: 2676
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5131014234996736.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3292
CMD: "C:\Users\admin\Desktop\4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe"
Path: C:\Users\admin\Desktop\4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Parent process: explorer.exe
User: admin
Company: Abbott Laboratories
Integrity Level: HIGH
Description: Influences Continually Lipson

PID: 3028
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1196
CMD: mode con cp select=1251
Path: C:\Windows\system32\mode.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DOS Device MODE Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2808
CMD: vssadmin delete shadows /all /quiet
Path: C:\Windows\system32\vssadmin.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3664
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 459
Read events: 438
Write events: 21
Delete events: 0

Modification events

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\5131014234996736.zip

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (2676) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 0
Suspicious files: 365
Text files: 30
Unknown types: 32

Dropped files

PID: 2676
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2676.37874\4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335
MD5:
SHA256:

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\Users\admin\AppData\Local\Temp\4951168
MD5:
SHA256:

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\Users\admin\AppData\Local\Temp\raw.txt
Type: text
MD5: 9E7B4037E9FE152CEDC24F92B9EDFDBC
SHA256: 12EED8A2A518DD04BC2308F78D0FCBBBB1432510179BD8B700360F5282572990

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\Windows\System32\CatRoot2\dberr.txt
Type: text
MD5: 3B45D9C1D232F79AF3F52EBC6FDE8EC3
SHA256: 7922D848C549D00B7B576175BB2DF1AF62EBA71F920F6381B10606F09632E62A

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\branding.xml
MD5:
SHA256:

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\Setup.xml
MD5:
SHA256:

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccessMUI.xml
MD5:
SHA256:

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id-C4BA3647.[[email protected]].ncov
MD5:
SHA256:

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\branding.xml
MD5:
SHA256:

PID: 3292
Process: 4e3f955aa7816091ccc3a65877bdd91b32747dfe6a375e438157521c04f7f335.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\Setup.xml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info