analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Request for Quotation (RFQ_196).zip

Full analysis: https://app.any.run/tasks/7000486f-2526-40aa-9531-44912a4d7f9d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: January 24, 2022, 18:48:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
wannacryptor
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7377AC541E226C1E99226EC323557CB7

SHA1:

DA985203CAA41A33A0A71C6998EE2F83184540B1

SHA256:

EF7D6CE93E4BD436D9891E07A21B6CD71C01EA4F7463FB001D6CE31CB59D4892

SSDEEP:

98304:SZb878JG9IRIuP7smEqzFLh8oz7kC9ZDIX0D/AgEuB:SZb878J7R170wFLhTz7kLUogEI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

    • Drops executable file immediately after starts

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Writes file to Word startup folder

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Actions looks like stealing of personal data

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Steals credentials from Web Browsers

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Modifies files in Chrome extension folder

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • WannaCry Ransomware was detected

      • cmd.exe (PID: 2708)
      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Loads dropped or rewritten executable

      • taskhsvc.exe (PID: 3128)

    • Deletes shadow copies

      • cmd.exe (PID: 3384)

    • Application was injected by another process

      • svchost.exe (PID: 924)
      • svchost.exe (PID: 3692)
      • wmiprvse.exe (PID: 2324)
      • SearchIndexer.exe (PID: 2796)
      • svchost.exe (PID: 548)

    • Runs injected code in another process

      • wbadmin.exe (PID: 3472)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3384)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 2480)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3948)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 3848)
      • WinRAR.exe (PID: 1536)
      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)
      • taskdl.exe (PID: 3052)
      • cmd.exe (PID: 3684)
      • cscript.exe (PID: 580)
      • taskdl.exe (PID: 3692)
      • cmd.exe (PID: 2708)
      • @[email protected] (PID: 3400)
      • @[email protected] (PID: 2464)
      • cmd.exe (PID: 3384)
      • taskhsvc.exe (PID: 3128)
      • WMIC.exe (PID: 572)
      • wmiprvse.exe (PID: 2324)
      • taskdl.exe (PID: 4072)
      • cmd.exe (PID: 3608)
      • @[email protected] (PID: 3596)
      • taskdl.exe (PID: 2316)
      • @[email protected] (PID: 736)
      • @[email protected] (PID: 3976)
      • taskdl.exe (PID: 3464)
      • taskdl.exe (PID: 3444)
      • @[email protected] (PID: 3112)

    • Reads the computer name

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)
      • WinRAR.exe (PID: 1536)
      • WinRAR.exe (PID: 3848)
      • cscript.exe (PID: 580)
      • taskhsvc.exe (PID: 3128)
      • @[email protected] (PID: 3400)
      • WMIC.exe (PID: 572)
      • wmiprvse.exe (PID: 2324)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3848)
      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)
      • @[email protected] (PID: 2464)

    • Application launched itself

      • WinRAR.exe (PID: 1536)

    • Drops a file with too old compile date

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)
      • @[email protected] (PID: 2464)

    • Uses ATTRIB.EXE to modify file attributes

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Uses ICACLS.EXE to modify access control list

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Creates files like Ransomware instruction

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Creates files in the program directory

      • SearchIndexer.exe (PID: 2796)
      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Executes scripts

      • cmd.exe (PID: 3684)

    • Creates files in the user directory

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)
      • taskhsvc.exe (PID: 3128)

    • Starts CMD.EXE for commands execution

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)
      • @[email protected] (PID: 3400)

    • Drops a file that was compiled in debug mode

    • Executed as Windows Service

      • vssvc.exe (PID: 3676)
      • wbengine.exe (PID: 2480)
      • vds.exe (PID: 3844)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 3472)

    • Executed via COM

      • vdsldr.exe (PID: 4088)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3608)

    • Reads Windows owner or organization settings

      • wmiprvse.exe (PID: 2324)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3144)

  • INFO

    • Dropped object may contain TOR URL's

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Dropped object may contain URL to Tor Browser

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Reads the computer name

      • icacls.exe (PID: 3232)
      • vssadmin.exe (PID: 2512)
      • svchost.exe (PID: 3692)
      • vssvc.exe (PID: 3676)
      • wbadmin.exe (PID: 3472)
      • vds.exe (PID: 3844)
      • vdsldr.exe (PID: 4088)
      • wbengine.exe (PID: 2480)
      • chrome.exe (PID: 3144)
      • chrome.exe (PID: 1696)
      • chrome.exe (PID: 3336)
      • chrome.exe (PID: 2956)
      • chrome.exe (PID: 3024)
      • chrome.exe (PID: 2248)
      • chrome.exe (PID: 3384)

    • Checks supported languages

      • attrib.exe (PID: 1164)
      • icacls.exe (PID: 3232)
      • vssadmin.exe (PID: 2512)
      • vssvc.exe (PID: 3676)
      • bcdedit.exe (PID: 3712)
      • bcdedit.exe (PID: 496)
      • svchost.exe (PID: 3692)
      • wbengine.exe (PID: 2480)
      • wbadmin.exe (PID: 3472)
      • vdsldr.exe (PID: 4088)
      • vds.exe (PID: 3844)
      • reg.exe (PID: 3948)
      • chrome.exe (PID: 2684)
      • chrome.exe (PID: 3144)
      • chrome.exe (PID: 2956)
      • chrome.exe (PID: 3336)
      • chrome.exe (PID: 3980)
      • chrome.exe (PID: 1996)
      • chrome.exe (PID: 1384)
      • chrome.exe (PID: 2240)
      • chrome.exe (PID: 3024)
      • chrome.exe (PID: 1696)
      • chrome.exe (PID: 4052)
      • chrome.exe (PID: 1984)
      • chrome.exe (PID: 2380)
      • chrome.exe (PID: 652)
      • chrome.exe (PID: 2248)
      • chrome.exe (PID: 1288)
      • chrome.exe (PID: 3384)

    • Dropped object may contain Bitcoin addresses

      • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3208)

    • Checks Windows Trust Settings

      • cscript.exe (PID: 580)

    • Reads the hosts file

      • chrome.exe (PID: 3144)
      • chrome.exe (PID: 3336)

    • Manual execution by user

      • chrome.exe (PID: 3144)

    • Application launched itself

      • chrome.exe (PID: 3144)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3336)

    • Reads the date of Windows installation

      • chrome.exe (PID: 2248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: None
ZipModifyDate: 2022:01:24 18:47:17
ZipCRC: 0x5bf054b9
ZipCompressedSize: 3481571
ZipUncompressedSize: 3481571
ZipFileName: Request for Quotation (RFQ_196).zip
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
99
Monitored processes
55
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start inject inject inject inject inject winrar.exe no specs winrar.exe #WANNACRY proforma invoice and bank swift-reg.pi-0086547654.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs cscript.exe no specs taskdl.exe no specs @[email protected] #WANNACRY cmd.exe no specs @[email protected] no specs taskhsvc.exe cmd.exe vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs svchost.exe svchost.exe searchindexer.exe svchost.exe wmiprvse.exe wbengine.exe no specs vdsldr.exe no specs vds.exe no specs taskdl.exe no specs @[email protected] no specs cmd.exe no specs reg.exe taskdl.exe no specs @[email protected] no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskdl.exe no specs @[email protected] no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskdl.exe no specs @[email protected] no specs

Process information

PID
CMD
Path
Indicators
Parent process
1536"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Request for Quotation (RFQ_196).zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3848"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb1536.25086\Request for Quotation (RFQ_196).zip"C:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3208"C:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DiskPart
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1164attrib +h .C:\Windows\system32\attrib.exeProforma Invoice and Bank swift-REG.PI-0086547654.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3232icacls . /grant Everyone:F /T /C /QC:\Windows\system32\icacls.exeProforma Invoice and Bank swift-REG.PI-0086547654.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3052taskdl.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\taskdl.exeProforma Invoice and Bank swift-REG.PI-0086547654.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3684C:\Windows\system32\cmd.exe /c 228411643050108.batC:\Windows\system32\cmd.exeProforma Invoice and Bank swift-REG.PI-0086547654.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
580cscript.exe //nologo m.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft � Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3692taskdl.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\taskdl.exeProforma Invoice and Bank swift-REG.PI-0086547654.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2464@[email protected] coC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\@[email protected]
Proforma Invoice and Bank swift-REG.PI-0086547654.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Load PerfMon Counters
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
25 084
Read events
24 912
Write events
0
Delete events
0

Modification events

No data
Executable files
19
Suspicious files
1 155
Text files
592
Unknown types
32

Dropped files

PID
Process
Filename
Type
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\msg\m_filipino.wnrytext
MD5:08B9E69B57E4C9B966664F8E1C27AB09
SHA256:D8489F8C16318E524B45DE8B35D7E2C3CD8ED4821C136F12F5EF3C9FC3321324
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\msg\m_bulgarian.wnrytext
MD5:95673B0F968C0F55B32204361940D184
SHA256:40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\msg\m_chinese (traditional).wnrytext
MD5:2EFC3690D67CD073A9406A25005F7CEA
SHA256:5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\msg\m_italian.wnrytext
MD5:30A200F78498990095B36F574B6E8690
SHA256:49F2C739E7D9745C0834DC817A71BF6676CCC24A4C28DCDDF8844093AAB3DF07
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\msg\m_czech.wnrytext
MD5:537EFEECDFA94CC421E58FD82A58BA9E
SHA256:5AFA4753AFA048C6D6C39327CE674F27F5F6E5D3F2A060B7A8AED61725481150
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\b.wnryimage
MD5:C17170262312F3BE7027BC2CA825BF0C
SHA256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
1536WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1536.25086\Request for Quotation (RFQ_196).zipcompressed
MD5:D69DC6569B385C0467185D002E252D89
SHA256:80239619C4CA44380C6269873A5B6B695585CCFCF278E0F2C72698658A3A6FD8
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\msg\m_greek.wnrytext
MD5:FB4E8718FEA95BB7479727FDE80CB424
SHA256:E13CC9B13AA5074DC45D50379ECEB17EE39A0C2531AB617D93800FE236758CA9
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\c.wnryabr
MD5:AE08F79A0D800B82FCBE1B43CDBDBEFC
SHA256:055C7760512C98C8D51E4427227FE2A7EA3B34EE63178FE78631FA8AA6D15622
3208Proforma Invoice and Bank swift-REG.PI-0086547654.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3848.25686\msg\m_french.wnrytext
MD5:4E57113A6BF6B88FDD32782A4A381274
SHA256:9BD38110E6523547AED50617DDC77D0920D408FAEED2B7A21AB163FDA22177BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
28
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3336
chrome.exe
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
crx
242 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3128
taskhsvc.exe
171.25.193.78:443
Foreningen for digitala fri- och rattigheter
SE
suspicious
3128
taskhsvc.exe
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
3336
chrome.exe
142.250.179.141:443
accounts.google.com
Google Inc.
US
suspicious
3128
taskhsvc.exe
185.35.202.221:9001
Blix Solutions AS
NO
suspicious
3128
taskhsvc.exe
120.29.217.46:443
TATA COMMUNICATIONS (AMERICA) INC
IN
suspicious
3336
chrome.exe
142.251.36.14:443
apis.google.com
Google Inc.
US
whitelisted
3128
taskhsvc.exe
199.254.238.52:443
Riseup Networks
US
malicious
3336
chrome.exe
142.251.36.46:443
clients2.google.com
Google Inc.
US
whitelisted
3128
taskhsvc.exe
136.243.214.137:443
Hetzner Online GmbH
DE
suspicious
3336
chrome.exe
172.217.168.195:443
www.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clients2.google.com
  • 142.251.36.46
whitelisted
accounts.google.com
  • 142.250.179.141
shared
www.google.com
  • 142.250.179.132
whitelisted
clientservices.googleapis.com
  • 142.251.36.3
whitelisted
fonts.googleapis.com
  • 172.217.168.202
whitelisted
www.gstatic.com
  • 172.217.168.195
whitelisted
apis.google.com
  • 142.251.36.14
whitelisted
fonts.gstatic.com
  • 142.250.179.195
whitelisted
ssl.gstatic.com
  • 142.250.179.163
whitelisted
content-autofill.googleapis.com
  • 172.217.168.202
whitelisted

Threats

PID
Process
Class
Message
3128
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 375
3128
taskhsvc.exe
Misc Attack
ET TOR Known Tor Exit Node Traffic group 40
3128
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 40
3128
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 295
3336
chrome.exe
Generic Protocol Command Decode
SURICATA STREAM TIMEWAIT ACK with wrong seq
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Request for Quotation (RFQ_196).zip