File name:	windows.zip
Full analysis:	https://app.any.run/tasks/480976b7-568a-47e0-9e56-62d7bd8caf06
Verdict:	Malicious activity
Threats:	Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	October 18, 2024, 04:22:20
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	arch-exec lynx ransomware
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	6CECEBC76EFD45FCFA7CFBEC5F383150
SHA1:	AA6808022D241E61C0571B428763D5AD8CA81918
SHA256:	F9BB467DDBC18ABA13667ABE99D2289D7C799C289AAE1158E8F7460531BD56B7
SSDEEP:	1536:cclte73+M7XLPAG1YDcsh7Knp+LTM+XIlE5dzWPxn6MPei9fAiE7RVjrU8odc:BlEDpb9YGALTtYlvxnMi4iAzjrFl

ZipRequiredVersion:	788
ZipBitFlag:	0x0001
ZipCompression:	Deflated
ZipModifyDate:	2024:10:13 15:23:30
ZipCRC:	0xf5162aaa
ZipCompressedSize:	89749
ZipUncompressedSize:	169472
ZipFileName:	windows.exe


(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B0500D962CB551521DB01
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\windows.zip
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\windows
(PID) Process:	(2364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0

PID	Process	Filename		Type
2364	WinRAR.exe	C:\Users\admin\AppData\Roaming\WinRAR\version.dat		binary
		MD5:51FB42B8184FFF99A1F7B5CE6711906B	SHA256:57905F52B585B9D883F358DB9763C541A1A5A05811E02945D3356838324C81E9
4400	windows.exe	C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB
4400	windows.exe	C:\ProgramData\Adobe\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB
4400	windows.exe	C:\ProgramData\Adobe\ARM\Acrobat_22.003.20314\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB
4400	windows.exe	C:\Users\admin\AppData\Local\VirtualStore\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB
4400	windows.exe	C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml		—
		MD5:—	SHA256:—
4400	windows.exe	C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB
4400	windows.exe	C:\ProgramData\Adobe\Temp\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB
4400	windows.exe	C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft\AppV\Setup\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB
4400	windows.exe	C:\ProgramData\README.txt		text
		MD5:6B28FE0629ADBB6F11208259FAA88489	SHA256:F3AD1045E0BE113922B41045C87003F864C0E79844B71CBB383ED4287C905FFB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5060	smartscreen.exe	GET	304	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d10e63853eea6c1a	unknown	—	—	whitelisted
5060	smartscreen.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5060	smartscreen.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTkdQGdwyPiJnQdbEA5B5X5BZZGLgQUO3DRU%2Bl2JZ1gqMpmD8abrm9UFmoCEzMAgi58WZZ1Doub1SAAAACCLnw%3D	unknown	—	—	whitelisted
6208	firefox.exe	POST	200	2.16.202.121:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
6208	firefox.exe	POST	200	2.16.202.121:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
6208	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	unknown	—	—	whitelisted
1140	svchost.exe	GET	304	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6d709d11b7687aa8	unknown	—	—	whitelisted
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	whitelisted
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	whitelisted
1140	svchost.exe	GET	304	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2e9603725ad2c005	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	52.109.32.97:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5552	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1296	svchost.exe	2.16.164.35:80	—	Akamai International B.V.	NL	unknown
5060	smartscreen.exe	48.209.180.244:443	checkappexec.microsoft.com	—	US	whitelisted
5060	smartscreen.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	whitelisted
5060	smartscreen.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5060	smartscreen.exe	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
officeclient.microsoft.com	52.109.32.97	whitelisted
google.com	142.250.185.142	whitelisted
checkappexec.microsoft.com	48.209.180.244	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted
incoming.telemetry.mozilla.org	34.120.208.123	whitelisted
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	whitelisted
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	whitelisted

General Info

windows.zip

6CECEBC76EFD45FCFA7CFBEC5F383150

AA6808022D241E61C0571B428763D5AD8CA81918

F9BB467DDBC18ABA13667ABE99D2289D7C799C289AAE1158E8F7460531BD56B7

1536:cclte73+M7XLPAG1YDcsh7Knp+LTM+XIlE5dzWPxn6MPei9fAiE7RVjrU8odc:BlEDpb9YGALTtYlvxnMi4iAzjrFl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LYNX has been detected

Renames files like ransomware

Scans artifacts that could help determine the target

SUSPICIOUS

Creates file in the systems drive root

Reads the Internet Settings

Changes the desktop background image

Executes as Windows Service

Reads security settings of Internet Explorer

Reads settings of System Certificates

Reads the date of Windows installation

Checks Windows Trust Settings

INFO

Reads the computer name

Checks supported languages

Manual execution by a user

Executable content was dropped or overwritten

The process uses the downloaded file

Creates files in the program directory

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Disables trace logs

Reads Microsoft Office registry keys

Reads Environment values

Checks proxy server information

Reads the software policy settings

Reads CPU info

Reads product name

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings