analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

rudZqlH.ZIP

Full analysis: https://app.any.run/tasks/1dc8224d-d1a3-4dc0-907c-5e561adabbd3
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: January 17, 2020, 18:06:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
ryuk
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D46B392A3B4ED438EF294BDDACE2E629

SHA1:

79E0B6286D961A797913CA1CF40B9F0A0925EB36

SHA256:

E3FDED5CF7E9A967C156FD4234C31806E8A261E4F55FDD7E05674C4672AE66A2

SSDEEP:

3072:/nxdeZx4Ovv7PT+GH0+is28KkzKXWZdLdriqAVPL1E70MtoNt4:Pxdqx4qiZzGZdhriHZRE70MtoA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • CWABYwQ.exe (PID: 1636)
      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 36604)
      • MFxczWX.exe (PID: 41544)
      • MFxczWX.exe (PID: 42972)

    • Application was injected by another process

      • dwm.exe (PID: 280)
      • ctfmon.exe (PID: 708)
      • windanr.exe (PID: 3844)
      • taskeng.exe (PID: 2032)
      • conhost.exe (PID: 3696)
      • Dwm.exe (PID: 40000)
      • conhost.exe (PID: 2160)
      • DllHost.exe (PID: 40456)
      • WerFault.exe (PID: 35200)
      • WerFault.exe (PID: 42368)

    • Runs injected code in another process

      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 36604)

    • Starts NET.EXE for service management

      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 1636)
      • CWABYwQ.exe (PID: 36604)

    • Deletes shadow copies

      • CWABYwQ.exe (PID: 1636)
      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 36604)

    • Starts BCDEDIT.EXE to disable recovery

      • CWABYwQ.exe (PID: 1636)
      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 36604)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2364)
      • reg.exe (PID: 15680)
      • reg.exe (PID: 46480)

  • SUSPICIOUS

    • Starts itself from another location

      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 36604)

    • Executable content was dropped or overwritten

      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 36604)

    • Creates files in the program directory

      • CWABYwQ.exe (PID: 1636)
      • CWABYwQ.exe (PID: 36604)
      • rudZqlH.exe (PID: 2556)

    • Uses ICACLS.EXE to modify access control list

      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 1636)
      • CWABYwQ.exe (PID: 36604)

    • Starts CMD.EXE for commands execution

      • CWABYwQ.exe (PID: 1636)
      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 36604)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1016)
      • cmd.exe (PID: 14972)
      • cmd.exe (PID: 44088)

    • Uses TASKKILL.EXE to kill Office Apps

      • rudZqlH.exe (PID: 2556)
      • CWABYwQ.exe (PID: 1636)

  • INFO

    • Manual execution by user

      • rudZqlH.exe (PID: 2556)
      • WINWORD.EXE (PID: 31940)
      • CWABYwQ.exe (PID: 36604)
      • MFxczWX.exe (PID: 42972)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 31940)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 31940)

    • Dropped object may contain Bitcoin addresses

      • WerFault.exe (PID: 35200)
      • rudZqlH.exe (PID: 2556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:01:17 12:43:04
ZipCRC: 0x15153b7b
ZipCompressedSize: 150098
ZipUncompressedSize: 260096
ZipFileName: rudZqlH.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
96
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start inject inject inject drop and start inject inject inject inject inject inject winrar.exe no specs rudzqlh.exe cwabywq.exe taskeng.exe net.exe no specs net.exe no specs net1.exe no specs dwm.exe net1.exe no specs ctfmon.exe windanr.exe icacls.exe no specs cmd.exe no specs vssadmin.exe no specs bcdedit.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs icacls.exe no specs cmd.exe no specs vssadmin.exe no specs bcdedit.exe no specs net.exe no specs cmd.exe no specs wmic.exe no specs reg.exe net1.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs reg.exe net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs winword.exe no specs net.exe no specs net1.exe no specs taskkill.exe no specs taskkill.exe no specs net.exe no specs net1.exe no specs cwabywq.exe net.exe no specs net1.exe no specs taskkill.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs mfxczwx.exe no specs conhost.exe conhost.exe werfault.exe Thumbnail Cache Out of Proc Server dwm.exe mfxczwx.exe no specs werfault.exe net.exe no specs net.exe no specs net1.exe no specs icacls.exe no specs cmd.exe no specs vssadmin.exe no specs bcdedit.exe no specs cmd.exe no specs net1.exe no specs net.exe no specs net.exe no specs wmic.exe no specs net.exe no specs net.exe no specs reg.exe net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1576"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\rudZqlH.ZIP"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2556"C:\Users\admin\Desktop\rudZqlH.exe" C:\Users\admin\Desktop\rudZqlH.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
1636"C:\Users\admin\Desktop\CWABYwQ.exe" 8 LANC:\Users\admin\Desktop\CWABYwQ.exe
rudZqlH.exe
User:
admin
Integrity Level:
MEDIUM
2032taskeng.exe {532150F8-214C-4D30-9483-0A3BC3E44D0E}C:\Windows\System32\taskeng.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Engine
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
996"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /yC:\Windows\System32\net.exerudZqlH.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3424"C:\Windows\System32\net.exe" stop "samss" /yC:\Windows\System32\net.exerudZqlH.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3364C:\Windows\system32\net1 stop "audioendpointbuilder" /yC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
280"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
592C:\Windows\system32\net1 stop "samss" /yC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
708C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 146
Read events
1 061
Write events
0
Delete events
0

Modification events

No data
Executable files
51
Suspicious files
1 862
Text files
574
Unknown types
758

Dropped files

PID
Process
Filename
Type
1576WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb1576.40642\rudZqlH.exe
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\EPDF_RHP.aapp
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm
MD5:
SHA256:
2556rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.179:61440
malicious

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
rudZqlH.ZIP