analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c

Full analysis: https://app.any.run/tasks/cf1ac209-a964-4f24-a43c-a47466d6790d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: November 29, 2020, 18:56:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
cat
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

5C281DDACADDF036D2B836B656CC3A8F

SHA1:

93C5595C540181395FAC196ACD3329FDE0C1B1FD

SHA256:

EE453B4BB7C1037FCD146A9C61540EE567953A6A24F7FBE72FA5FB7F700D022C

SSDEEP:

1536:e7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfix+xYjaVLOJ:0q6+ouCpk2mpcWJ0r+QNTBfiFjau

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the user directory

      • ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe (PID: 1692)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 1416)
      • ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe (PID: 1692)

    • Executed via COM

      • DllHost.exe (PID: 3064)

    • Executes scripts

      • cmd.exe (PID: 3700)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1000
UninitializedDataSize: -
InitializedDataSize: 45056
CodeSize: 68608
LinkerVersion: 2.5
PEType: PE32
TimeStamp: 2019:07:30 10:52:50+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Jul-2019 08:52:50

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 30-Jul-2019 08:52:50
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.code
0x00001000
0x000037F0
0x00003800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.60878
.text
0x00005000
0x0000D2C2
0x0000D400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.55808
.rdata
0x00013000
0x0000339D
0x00003400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.11064
.data
0x00017000
0x0000172C
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.99861
.rsrc
0x00019000
0x00006954
0x00006A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.87228

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.92322
611
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
0FF6B80586887CF7A4B74F77AAAB8AC6
6.35519
106
Latin 1 / Western European
UNKNOWN
RT_RCDATA
2809EFEEF5B76FDCDEFF2F4CF3D9F2F5887415A1
6.71567
135
Latin 1 / Western European
UNKNOWN
RT_RCDATA
6096110D0CA3A4BBB45BFE0573B3291D6E7B7C7D
3.16993
9
Latin 1 / Western European
UNKNOWN
RT_RCDATA
B759CAE41627BF25A66B3711ABE6EB8B94FC2CF9
7.38196
334
Latin 1 / Western European
UNKNOWN
RT_RCDATA
BDAFF2AD07
0
1
Latin 1 / Western European
UNKNOWN
RT_RCDATA
C6271429D1033CC472C913820FC27212
3.6897
21
Latin 1 / Western European
UNKNOWN
RT_RCDATA
CA1E29FB808C88767D36E7D494BBCB4D
7.54277
462
Latin 1 / Western European
UNKNOWN
RT_RCDATA
FD16D24472DDCDDC9291DE505D2FF2EECB1A9398
7.96969
7124
Latin 1 / Western European
UNKNOWN
RT_RCDATA

Imports

COMCTL32.DLL
GDI32.DLL
KERNEL32.dll
MSVCRT.dll
OLE32.DLL
SHELL32.DLL
SHLWAPI.DLL
USER32.DLL
WINMM.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
7
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs PhotoViewer.dll no specs wscript.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1692"C:\Users\admin\AppData\Local\Temp\ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe" C:\Users\admin\AppData\Local\Temp\ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3700"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\778A.tmp\778B.tmp\778C.bat C:\Users\admin\AppData\Local\Temp\ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe"C:\Windows\system32\cmd.exeee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2664timeout /t 7 /nobreak C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1940timeout /t 10 /nobreak C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3064C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1416"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\msg.vbs" C:\Windows\System32\WScript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2796cmd /c ""C:\Users\admin\AppData\Roaming\remove.bat" "C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
857
Read events
843
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
521
Unknown types
0

Dropped files

PID
Process
Filename
Type
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\diereal.rtftext
MD5:882330F03029400AA3AE982999A82FE8
SHA256:A3720FECD74B14AAD1A430898EDCB650937C9CDE67E16B501FC1E7D81195CA0A
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\bothassociated.pngimage
MD5:F153B2C28D5A1A1D8F74C80EA3162F18
SHA256:74854B0ACD29027F0C11534370C889BA08EFBB11455C22D0500E37D383F28BB5
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\cashpre.jpgimage
MD5:C0932652CF2FCDDD313E2ABC2796AA7B
SHA256:40B8C8E7A8E51FF284028B152F93B2EECDA5AEB1AC84E33834F04BADF86AC6ED
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\monitordavid.pngimage
MD5:B912B15E27002F73684DE79303792B84
SHA256:526033A1D69C5EB00879087AC3C59870CB677E30CDB910E2C4E74A3825D5324D
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\stonelyrics.jpgimage
MD5:0025FC3DB33F8679B08C036FEC5C7823
SHA256:CB5A8E5DFA004A7D1E5CF6C681C5C56C9AB75473CB8B547B23C0DB4384E14DF0
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\mymotor.jpgimage
MD5:B6E4D80462741FFBE65CF5085805D1A1
SHA256:A4AFDC59B8AAFCEEC27B6D44BDDA791413EA194AECA959C60BC5CDE0155ECF77
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\environmentarmy.rtftext
MD5:35BE5D8303CF9E5C782EEF7D193AB398
SHA256:F6166EAA8709B83DC1F1CBBDA50EDAFA51BC730D3A5EE9D6B5229F971D90C37B
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\effortduring.rtftext
MD5:CEDF613A2D6509CF11AAE198F812DC0E
SHA256:6C286BCD8568CD2C6224817C74AC47B5AC85281DB23F81FCD6EB366525F9F33F
3700cmd.exeC:\Users\admin\AppData\Roaming\desk\secretarycondition.pngimage
MD5:4F3DDDC4075A5CC7B8D57554594874BE
SHA256:A19111E6A22195504D571DB880C78ED376F5E4CE75ED802E3331DB7020C2F15E
1692ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exeC:\Users\admin\AppData\Roaming\cat.jpgimage
MD5:675622258B256D20E88FA07A37E77EEA
SHA256:31F1790F9F2C8714C0C274836B71577916541D8CA45FB398A9FC9FDB765B5D23
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c