analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

qilin.exe

Full analysis: https://app.any.run/tasks/0bd5c06c-b1c3-4a1d-83f0-db5746476ef6
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: February 22, 2024, 02:24:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

6A93E618E467ED13F98819172E24FFFA

SHA1:

D34550EBC2BEE47C708C8E048EB78881468E6BCA

SHA256:

E90BDAAF5F9CA900133B699F18E4062562148169B29CB4EB37A0577388C22527

SSDEEP:

49152:qngIXil301bF/SvandXDIKtFSuNgMPyrzrZ9OUFdDhGgEoB0:qnP32MM9VFvGgEo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • qilin.exe (PID: 3700)
    • Deletes shadow copies

      • cmd.exe (PID: 3736)
    • Renames files like ransomware

      • qilin.exe (PID: 3700)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • qilin.exe (PID: 3700)
    • Creates files like ransomware instruction

      • qilin.exe (PID: 3700)
  • INFO

    • Reads the computer name

      • qilin.exe (PID: 3700)
      • wmpnscfg.exe (PID: 1572)
    • Checks supported languages

      • qilin.exe (PID: 3700)
      • wmpnscfg.exe (PID: 1572)
    • Creates files or folders in the user directory

      • qilin.exe (PID: 3700)
    • Manual execution by a user

      • explorer.exe (PID: 2120)
      • wmpnscfg.exe (PID: 1572)
      • notepad.exe (PID: 3508)
      • rundll32.exe (PID: 3540)
    • Dropped object may contain TOR URL's

      • qilin.exe (PID: 3700)
    • The dropped object may contain a URL to Tor Browser

      • qilin.exe (PID: 3700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x14c0
UninitializedDataSize: 512
InitializedDataSize: 1641472
CodeSize: 1053696
LinkerVersion: 2.35
PEType: PE32
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit, No debug
TimeStamp: 2022:09:13 09:55:04+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start qilin.exe no specs cmd.exe no specs vssadmin.exe no specs explorer.exe no specs notepad.exe no specs wmpnscfg.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3700"C:\qilin.exe" -password AgendaPassC:\qilin.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\qilin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3736"cmd" /C "vssadmin.exe delete shadows /all /quiet"C:\Windows\System32\cmd.exeqilin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3784vssadmin.exe delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2120"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3508"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Documents\README-RECOVER-MmXReVIxLV.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1572"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3540"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Pictures\averagestudies.jpg.MmXReVIxLVC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events
478
Read events
474
Write events
4
Delete events
0

Modification events

(PID) Process:(3508) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosX
Value:
121
(PID) Process:(3508) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosY
Value:
103
(PID) Process:(3508) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosDX
Value:
960
(PID) Process:(3508) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosDY
Value:
501
Executable files
0
Suspicious files
93
Text files
38
Unknown types
25

Dropped files

PID
Process
Filename
Type
3700qilin.exeC:\Users\admin\Desktop\jobscup.rtf.MmXReVIxLVbinary
MD5:E4D2C89FC0B42BFAA469D9A094153F69
SHA256:48F24D51D9AB1FE10558F5D707EAB3EF0D1D3528184E1B8930865AC7FB1EE5A1
3700qilin.exeC:\Users\admin\Contacts\README-RECOVER-MmXReVIxLV.txttext
MD5:0B080299BD4389F496CB40D4F87BE3BF
SHA256:16CBD60F0E147C4998E3C3D140AF23365E77C3403737BE0157B878753BF4F999
3700qilin.exeC:\Users\admin\Desktop\followparents.jpg.MmXReVIxLVbinary
MD5:BBE1B98CF3FCED488D9AAD10D0997A7B
SHA256:E9207CC3AC868054F7CDE02C973BCC100D409EDEC14C807CD532BDC1D5359833
3700qilin.exeC:\Users\admin\AppData\Local\VirtualStore\README-RECOVER-MmXReVIxLV.txttext
MD5:0B080299BD4389F496CB40D4F87BE3BF
SHA256:16CBD60F0E147C4998E3C3D140AF23365E77C3403737BE0157B878753BF4F999
3700qilin.exeC:\Users\admin\Desktop\choosecare.rtf.MmXReVIxLVbinary
MD5:48D44745E67A9E1B9B6DB408A92E1BED
SHA256:4D0F760157AC59B7734A28C849B51376CFA9C3232EB8211A4E39933914F8A3BB
3700qilin.exeC:\Users\admin\.oracle_jre_usage\README-RECOVER-MmXReVIxLV.txttext
MD5:0B080299BD4389F496CB40D4F87BE3BF
SHA256:16CBD60F0E147C4998E3C3D140AF23365E77C3403737BE0157B878753BF4F999
3700qilin.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.MmXReVIxLVbinary
MD5:AC2DC97E2CA9BB67AC6241A760B47C2D
SHA256:F9F56D8732CEA63E4DD62EF779438137C3684F52ACF8C585DB000ECCDAD25EC4
3700qilin.exeC:\Users\admin\Desktop\albumjewelry.rtf.MmXReVIxLVbinary
MD5:37AC85D24AAE919E076DD70AAE92BB7A
SHA256:79F184D6AE45727CE18C7C14C5B42C3C6E758E2643A83FAD1BC8E1F8B9D5D40A
3700qilin.exeC:\Users\admin\Desktop\jobscup.rtfbinary
MD5:E4D2C89FC0B42BFAA469D9A094153F69
SHA256:48F24D51D9AB1FE10558F5D707EAB3EF0D1D3528184E1B8930865AC7FB1EE5A1
3700qilin.exeC:\Users\admin\Desktop\albumjewelry.rtfbinary
MD5:37AC85D24AAE919E076DD70AAE92BB7A
SHA256:79F184D6AE45727CE18C7C14C5B42C3C6E758E2643A83FAD1BC8E1F8B9D5D40A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info