File name:

선적 서류.zip

Full analysis: https://app.any.run/tasks/79af73ce-e990-472f-8f20-02da421bc140
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: May 23, 2019, 23:41:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
sodinokibi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C7D3B4F53D8FA03C577700242348218E

SHA1:

6FB345CF3BF90DB43F39C2C30AD2139EF23AC320

SHA256:

F5A996C0413B3BB7DD650DF35E2AAD90A393D96F60AD854C28035CAD88EADFFC

SSDEEP:

6144:TtHQpKx6Z0XDCYcMstxDHtHQpKx6Z0XDCYcMstxDX:TIKx6ZAKDHIKx6ZAKDX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 소포 선언.doc.exe (PID: 3056)
      • 소포 선언.doc.exe (PID: 1680)

    • Deletes shadow copies

      • cmd.exe (PID: 3908)

    • Renames files like Ransomware

      • 소포 선언.doc.exe (PID: 1680)

    • Dropped file may contain instructions of ransomware

      • 소포 선언.doc.exe (PID: 1680)

    • Changes settings of System certificates

      • 소포 선언.doc.exe (PID: 1680)

    • Sodinokibi keys found

      • 소포 선언.doc.exe (PID: 1680)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3908)

  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 3020)

    • Creates files in the program directory

      • 소포 선언.doc.exe (PID: 1680)

    • Creates files like Ransomware instruction

      • 소포 선언.doc.exe (PID: 1680)

    • Adds / modifies Windows certificates

      • 소포 선언.doc.exe (PID: 1680)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2964)

    • Starts CMD.EXE for commands execution

      • 소포 선언.doc.exe (PID: 1680)

    • Application launched itself

      • 소포 선언.doc.exe (PID: 3056)

  • INFO

    • Dropped object may contain TOR URL's

      • 소포 선언.doc.exe (PID: 1680)

    • Reads settings of System Certificates

      • 소포 선언.doc.exe (PID: 1680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe 소포 선언.doc.exe no specs #SODINOKIBI 소포 선언.doc.exe cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1680"C:\Users\admin\AppData\Local\Temp\Rar$EXa2964.46098\선적 서류\소포 선언.doc.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2964.46098\선적 서류\소포 선언.doc.exe
소포 선언.doc.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2964.46098\선적 서류\소포 선언.doc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2476vssadmin.exe Delete Shadows /All /Quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2964"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\선적 서류.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3020C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3056"C:\Users\admin\AppData\Local\Temp\Rar$EXa2964.46098\선적 서류\소포 선언.doc.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2964.46098\선적 서류\소포 선언.doc.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2964.46098\선적 서류\소포 선언.doc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3252bcdedit /set {default} recoveryenabled No C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3460bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3908"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\cmd.exe소포 선언.doc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 025
Read events
913
Write events
112
Delete events
0

Modification events

(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2964) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\선적 서류.zip
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2964) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
2
Suspicious files
173
Text files
2
Unknown types
4

Dropped files

PID
Process
Filename
Type
1680소포 선언.doc.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
1680소포 선언.doc.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
1680소포 선언.doc.exec:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.911uz
MD5:
SHA256:
2964WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2964.46098\선적 서류\소포 선언.doc.lnklnk
MD5:
SHA256:
1680소포 선언.doc.exeC:\users\admin\911uz-readme.txtbinary
MD5:
SHA256:
1680소포 선언.doc.exeC:\users\911uz-readme.txtbinary
MD5:
SHA256:
1680소포 선언.doc.exeC:\program files\911uz-readme.txtbinary
MD5:
SHA256:
1680소포 선언.doc.exeC:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\911uz-readme.txtbinary
MD5:
SHA256:
1680소포 선언.doc.exeC:\users\admin\.oracle_jre_usage\911uz-readme.txtbinary
MD5:
SHA256:
1680소포 선언.doc.exeC:\users\admin\contacts\911uz-readme.txtbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
276
DNS requests
212
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1680
소포 선언.doc.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.1 Kb
whitelisted
1680
소포 선언.doc.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt
US
der
993 b
whitelisted
1680
소포 선언.doc.exe
GET
200
91.199.212.52:80
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
GB
der
1.37 Kb
whitelisted
1680
소포 선언.doc.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt
US
der
914 b
whitelisted
1680
소포 선언.doc.exe
GET
200
52.222.168.106:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1680
소포 선언.doc.exe
178.20.216.126:443
kroophold-sjaelland.dk
enavn ApS
DK
malicious
1680
소포 선언.doc.exe
104.131.124.190:443
jimprattmediations.com
Digital Ocean, Inc.
US
unknown
1680
소포 선언.doc.exe
93.157.99.138:443
gardenpartner.pl
H88 S.A.
PL
unknown
1680
소포 선언.doc.exe
198.71.233.197:443
larchwoodmarketing.com
GoDaddy.com, LLC
US
malicious
1680
소포 선언.doc.exe
51.38.169.89:443
smartmind.net
GB
unknown
1680
소포 선언.doc.exe
104.31.88.124:443
reputation-medical.online
Cloudflare Inc
US
shared
1680
소포 선언.doc.exe
145.14.145.63:443
bulyginnikitav.000webhostapp.com
Hostinger International Limited
US
shared
1680
소포 선언.doc.exe
93.184.221.240:80
www.download.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1680
소포 선언.doc.exe
50.62.88.95:443
imaginekithomes.co.nz
GoDaddy.com, LLC
US
malicious
1680
소포 선언.doc.exe
88.99.61.233:443
katherinealy.com
Hetzner Online GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
bulyginnikitav.000webhostapp.com
  • 145.14.145.63
shared
www.download.windowsupdate.com
  • 93.184.221.240
whitelisted
kroophold-sjaelland.dk
  • 178.20.216.126
suspicious
gardenpartner.pl
  • 93.157.99.138
suspicious
jimprattmediations.com
  • 104.131.124.190
malicious
smartmind.net
  • 51.38.169.89
suspicious
larchwoodmarketing.com
  • 198.71.233.197
suspicious
claudiakilian.de
  • 83.133.245.163
malicious
www.claudiakilian.de
  • 83.133.245.163
suspicious
saboboxtel.uk
  • 91.184.14.68
suspicious

Threats

PID
Process
Class
Message
1048
svchost.exe
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
1680
소포 선언.doc.exe
Not Suspicious Traffic
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
선적 서류.zip