analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

rudZqlH.ZIP

Full analysis: https://app.any.run/tasks/2833db89-8edb-4836-aaf1-9941c80ba8a9
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 17, 2020, 17:57:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
ryuk
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D46B392A3B4ED438EF294BDDACE2E629

SHA1:

79E0B6286D961A797913CA1CF40B9F0A0925EB36

SHA256:

E3FDED5CF7E9A967C156FD4234C31806E8A261E4F55FDD7E05674C4672AE66A2

SSDEEP:

3072:/nxdeZx4Ovv7PT+GH0+is28KkzKXWZdLdriqAVPL1E70MtoNt4:Pxdqx4qiZzGZdhriHZRE70MtoA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rudZqlH.exe (PID: 3744)
      • ctrPbnd.exe (PID: 328)
    • Application was injected by another process

      • ctfmon.exe (PID: 708)
      • taskeng.exe (PID: 2032)
      • dwm.exe (PID: 280)
      • windanr.exe (PID: 3844)
      • DllHost.exe (PID: 1324)
    • Runs injected code in another process

      • rudZqlH.exe (PID: 3744)
    • Starts NET.EXE for service management

      • rudZqlH.exe (PID: 3744)
      • ctrPbnd.exe (PID: 328)
    • Deletes shadow copies

      • ctrPbnd.exe (PID: 328)
      • rudZqlH.exe (PID: 3744)
    • Starts BCDEDIT.EXE to disable recovery

      • ctrPbnd.exe (PID: 328)
      • rudZqlH.exe (PID: 3744)
    • Changes the autorun value in the registry

      • reg.exe (PID: 784)
      • reg.exe (PID: 23172)
  • SUSPICIOUS

    • Starts itself from another location

      • rudZqlH.exe (PID: 3744)
    • Executable content was dropped or overwritten

      • rudZqlH.exe (PID: 3744)
    • Creates files in the program directory

      • ctrPbnd.exe (PID: 328)
      • rudZqlH.exe (PID: 3744)
    • Starts CMD.EXE for commands execution

      • ctrPbnd.exe (PID: 328)
      • rudZqlH.exe (PID: 3744)
    • Uses ICACLS.EXE to modify access control list

      • ctrPbnd.exe (PID: 328)
      • rudZqlH.exe (PID: 3744)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 22732)
      • cmd.exe (PID: 3388)
    • Uses TASKKILL.EXE to kill Office Apps

      • rudZqlH.exe (PID: 3744)
  • INFO

    • Manual execution by user

      • rudZqlH.exe (PID: 3744)
      • WINWORD.EXE (PID: 39240)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 39240)
    • Dropped object may contain Bitcoin addresses

      • rudZqlH.exe (PID: 3744)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 39240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:01:17 12:43:04
ZipCRC: 0x15153b7b
ZipCompressedSize: 150098
ZipUncompressedSize: 260096
ZipFileName: rudZqlH.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
53
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start inject inject inject inject winrar.exe no specs rudzqlh.exe ctrpbnd.exe taskeng.exe net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs dwm.exe ctfmon.exe windanr.exe Thumbnail Cache Out of Proc Server icacls.exe no specs cmd.exe no specs vssadmin.exe no specs bcdedit.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs icacls.exe no specs cmd.exe no specs vssadmin.exe no specs bcdedit.exe no specs net.exe no specs cmd.exe no specs wmic.exe no specs reg.exe net1.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs reg.exe net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net1.exe no specs winword.exe no specs taskkill.exe no specs taskkill.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1768"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\rudZqlH.ZIP"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3744"C:\Users\admin\Desktop\rudZqlH.exe" C:\Users\admin\Desktop\rudZqlH.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
328"C:\Users\admin\Desktop\ctrPbnd.exe" 8 LANC:\Users\admin\Desktop\ctrPbnd.exe
rudZqlH.exe
User:
admin
Integrity Level:
MEDIUM
2032taskeng.exe {532150F8-214C-4D30-9483-0A3BC3E44D0E}C:\Windows\System32\taskeng.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Engine
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3004"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /yC:\Windows\System32\net.exerudZqlH.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2932C:\Windows\system32\net1 stop "audioendpointbuilder" /yC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2124"C:\Windows\System32\net.exe" stop "samss" /yC:\Windows\System32\net.exerudZqlH.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3892C:\Windows\system32\net1 stop "samss" /yC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
280"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
708C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
921
Read events
850
Write events
0
Delete events
0

Modification events

No data
Executable files
31
Suspicious files
687
Text files
169
Unknown types
492

Dropped files

PID
Process
Filename
Type
1768WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb1768.36915\rudZqlH.exe
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm
MD5:
SHA256:
3744rudZqlH.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Edit_R_RHP.aapp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.28:61439
malicious

DNS requests

No data

Threats

No threats detected
No debug info