Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

There’s no shortage of ransomware these days. It’s everywhere, lurking in email attachments, hiding in cracked software, and making headlines almost daily. While some ransomware groups vanish or rebrand, new names step in to take their place, keeping security teams in a constant state of alert. 

One of the latest strains making the rounds is PE32 Ransomware, a newcomer that’s quickly gaining attention online, including on Twitter. Despite its amateur execution, it manages to encrypt files, communicate over Telegram, and cause real damage.

 PE32: Key Takeaways 

In this report, Mauro Eldritch takes a closer look at how PE32 works, how it communicates, and why its chaotic behavior still poses a real threat. 

• Fast encryption: Starts encryption after a simple prompt; targets visible folders like Desktop. 

• Unique ransom setup: Two payment tiers: one to unlock files, another to stop data leaks. 

• Telegram C2: Communicates entirely via Telegram Bot API; bot token is exposed in the code. 

• Easy to analyze: ANY.RUN makes it simple to extract bot data and monitor activity. 

• Messy & loud: Drops marker files, triggers disk repair, and encrypts even useless files. 

• No stealth: No obfuscation or evasion tricks; relies on basic Windows libraries. 

• Immature but active: Still evolving, but already a threat due to poor security hygiene. 

Execution Flow and Initial Behavior 

When executed, the sample waits for the operator’s input to determine whether it should encrypt only the folder where it was dropped or the entire system (see Image 2).

View sandbox analysis 

However, regardless of this selection, it immediately starts noisily encrypting the most visible locations, such as the desktop, appending the .pe32s extension (see Image 3). 

Encrypted Desktop files with .pe32s extension 

Instead of dropping a ransom note directly onto the Desktop (as most ransomware does), PE32 creates a folder named PE32-KEY in the root of the C: drive. This folder contains several internal files used during execution: 

• context.pe32c, lock.pe32, pe32lockfile.lock – for internal tracking and state 

• ID – stores the victim’s unique identifier 

• README.txt – the actual ransom note 

PE32 ransom note 

The ransom note stands out for its two-tiered payment model: one fee to unlock encrypted files, and another to prevent stolen data from being leaked. This approach differs from most ransomware strains, which typically bundle both into a single payment.  

Prices vary widely: 

• $700 to $7,000 for individual machines or servers 

• $10,000 to 2 BTC (or more) for corporate targets 

Victims are instructed to reach out via Telegram. If that fails, the attackers provide a Gmail address as a backup contact method, another sign of their operational inexperience. 

Telegram C2: Loud, Exposed, and Easy to Abuse 

Once PE32 finishes prompting the attacker for encryption scope, it hides its process window and shifts to background mode. From there, it begins broadcasting its activity to a hardcoded Telegram group via the Bot API. 

The first message looks like this: 

”[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:44:39] []  

NEW RUN ID: 58994073AC147486]”

If using Telegram as a C2 channel wasn’t already an OPSEC disaster, the actors also expose their Bot Token and Group Chat ID. 

The malware then begins reporting its lifecycle to the Telegram group, detailing every step of its execution, as seen below:[Text Wrapping Break] 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:45:07] [58994073AC147486] 

Staring UltraFast Round C:\”

PE32 struggles to process certain files (or their extensions—misspelled as “extentions” in its messages): 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486] 

Unknown Extentions:  

[...] 

odbc: 1 0MB 

en_gb_e: 1 0MB 

fr_fr_p: 1 0MB 

xls4: 1 0MB 

xls6: 1 0MB 

xsx: 1 0MB 

nettcp: 1 0MB 

xls8: 1 0MB 

access: 1 0MB”

The encryption cycle concludes with three messages. The first one confirms that the “UltraFast” cycle has been completed, followed by two more messages indicating that the “Fast” and “Slow” cycles have also finished successfully. 

“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486] 

UltraFast Compeleted C:\”

With no observable DNS or HTTP requests, we can confirm that this strain of PE32 Ransomware relies exclusively on Telegram Bots for communication. This tactic is commonly observed in the MaaS scene, particularly with certain Stealers, but is rarely used in the RaaS ecosystem. 

CFG Dumping with ANY.RUN 

ANY.RUN’s Interactive Sandbox provides a CFG extraction function, allowing analysts to inspect the malware’s internal configuration. Unsurprisingly, the Telegram Bot Token is scattered throughout the code, making it trivially easy to trace the adversarial infrastructure—it’s almost impossible to miss, even by accident. 

Armed with this token, anyone can easily flood the attacker’s C2 with fake requests or worse, use the bot’s key to impersonate the bot and send messages to any Telegram user. 

By feeding the bot token into third-party tools like Matkap, threat hunters can automate the retrieval of all data exchanged through the bot, ranging from communications to encrypted files, and even victims’ encryption or decryption keys, as long as they were sent to or received from the bot. 

A Chaotic Codebase 

Beyond its network behavior, PE32 operates like a typical ransomware strain. It collects system information such as the computer’s GUID, hostname, software policy settings, and supported languages, a common technique used to avoid infecting machines in specific regions, likely to minimize legal consequences. 

PE32’s untidy nature makes it somewhat difficult to read and profile. For instance, it places a file named “pe32lockfile.lock” in every locked folder, likely as a flag indicating “I was here already.” 

But when dropping the “pe32lockfile.lock” file in directories like the ones belonging to Skype, Firefox or Chrome, it trips a good portion of detection rules, so it’s a behaviour worth nothing. 

The chaos doesn’t stop there. PE32 also drops C:bootTel.dat, a legitimate Windows telemetry file associated with chkdsk.exe (Disk Checker). Although harmless on its own, the creation of this file is directly tied to the ransomware’s activity. 

By aggressively encrypting files across the C: drive, including non-critical system files, PE32 ends up triggering the disk repair utility. While it doesn’t halt system functionality, it does cause Windows to initiate self-repair checks, providing an additional footprint of the malware’s presence. 

With this, we now have additional indicators of PE32’s activity. 

PE32 shows no logic in file selection. It encrypts everything in sight, regardless of extension or value. Chrome’s language packs (messages.json), static resources like .gif and .css files, and even incomplete extension data are all locked without discrimination. 

On the technical side, PE32 keeps things simple. There’s no use of exotic libraries or obfuscated function calls. It relies on the classic combo of ntdll.dll and kernel32.dll to execute processes and manipulate files, while crypt32.dll and bcrypt.dll handle encryption.

It depends on schannel.dll, Windows’ native TLS/SSL to reach its C2 channel using HTTPS, and that’s it. Plain and simple! 

TTPs & IOCs 

Dissecting PE32 is challenging due to its unpredictable and erratic behavior. The ransomware triggers numerous detections, some legitimate, others the result of its careless execution, which can complicate analysis and lead to false trails. 

Fortunately, ANY.RUN’s automatic ATT&CK matrix and IOC collection make this task significantly easier. These features help analysts quickly identify behaviors and map them to known techniques, significantly reducing investigation time. 

One of the most notable techniques observed is T1102 – Web Service Communication, specifically communication via Telegram. Although not the most advanced tactic, it provides a clear indication of PE32’s reliance on a basic and exposed C2 channel. 

This behavior aligns with early-stage or poorly maintained ransomware, which typically lacks data exfiltration capabilities and instead focuses solely on encryption and basic status reporting. In this context, T1102 serves as a valuable early signal for identifying similar threats in the wild. 

PE32 Threat Impact 

The PE32 ransomware campaign introduces notable risks despite its unsophisticated design: 

• For end users: Victims face potential data loss, system instability, and financial pressure from ransom demands. The dual-payment model adds further psychological manipulation by threatening data exposure. 

• For organizations: While PE32 currently lacks data exfiltration, its ability to disrupt operations, encrypt shared resources, and leave behind recoverable indicators (e.g., lock files, telemetry triggers) makes it a growing concern, especially if it evolves. 

• For security teams: The use of Telegram as a C2 channel, combined with erratic behavior and non-selective encryption, can complicate detection and response. Its reliance on public communication channels also introduces new monitoring and containment challenges. 

• For the broader threat landscape: PE32 highlights a trend toward low-effort, fast-deploy ransomware strains, crafted with minimal obfuscation, relying on common tools, yet still capable of causing damage. Its open infrastructure and careless coding make it accessible for copycats and opportunistic attackers. 

Conclusion 

The analysis of PE32 Ransomware reveals how even basic, poorly coded malware can disrupt systems, encrypt valuable data, and leverage public platforms like Telegram for command and control.  

While it lacks advanced evasion or data theft capabilities, PE32 reflects the growing trend of fast-deploy, low-effort ransomware strains that still pose a real threat to individuals and organizations. 

By analyzing PE32 in real time using ANY.RUN’s Interactive Sandbox, we were able to fully observe its execution flow, uncover its communication channels, and extract key artifacts, without relying solely on static reverse engineering. 

Here’s how this kind of analysis brings value: 

• Faster threat detection: Catch suspicious encryption activity and exposed infrastructure early. 

• Full behavioral visibility: Monitor system changes, communication attempts, and encryption logic in real time. 

• Reduced investigation time: Quickly correlate observable behavior with known techniques and IOCs. 

• Improved incident response: Collect and share actionable indicators across teams. 

• Stronger threat intelligence: Identify attacker mistakes, such as hardcoded credentials and bot tokens. 

Try ANY.RUN’s Interactive Sandbox today 

Collect Indicators of Compromise

SHA256:15cb6bd05a35fdbd9a7e53b092a1b0537c64cb5df08ee0262479c0cc24eafd8a 

FilePath:C:PE32-KEYID 

SHA256:5946bdeb8b7bf0603e99cefb15c083a37352fa8a916b2664bbb9f9027f44985b 

FilePath:C:PE32-KEYREADME.txt 

SHA256:c6ddc9c2852eddf30f945a50183e28d38f6b9b1bbad01aac52e9d9539482a433 

Filename:PE32.exe 

SHA256:098ee778fca1bfd809499dac65f528ea727f2aee9c6eaf79fe662d9261086e4a 

FilePath:C:PE32-KEYcontext.pe32c 

SHA256:9e561018034479df1493addca30f1d031b9185e1d66f15333b8ea79d16acf64b 

FilePath:C:PE32-KEYlock.pe32 

References: 

Matkap tool: github.com/0x6rss/matkap 

Sandbox analysis: https://app.any.run/tasks/58b336b0-baec-48bb-9675-b2f3d352b63c

The post PE32 Ransomware: A New Telegram-Based Threat on the Rise  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Making ANY.RUN’s products better for the benefit of businesses, organizations, and SOC teams is our top priority. To get maximum value out of our solutions, we provide them with API, a tool enabling users to integrate our services into their security infrastructure. And now, to make this process even smoother, we introduce a software development kit (SDK). 

With it, it’s even easier to make ANY.RUN a part of your security system. Data provided by our solutions will help you establish a safer infrastructure and improve the defense strategy of your company. 

Learn about ANY.RUN’s SDK features, advantages, and use cases below. 

Benefiting the security team of your company 

An SDK is a tool that helps increase the efficiency of your workflow through integration and automation. It simplifies day-to-day tasks for cybersecurity specialists at companies and organizations. This is especially relevant for small security teams who could benefit from automation. 

As a result of making ANY.RUN’s products a part of your security infrastructure via an SDK, you can: 

• Simplify and speed up malware analysis and threat hunting for your security team. 
• Automate routine tasks to save resources for manual in-depth investigation. 
• Access data on real threats collected by 500,000 researchers and 15,000 companies worldwide. 
• Reduce the cost of alert triage, incident investigation, and post-attack response. 
• Mitigate financial and reputational risks by equipping your defense with advanced solutions for threat analysis and detection. 

Our SDK simplifies integration of ANY.RUN’s products into your infrastructure. You can use it for enhanced flexibility, accelerated workflow, and automation of daily tasks.

Tailor the service to the needs of your business with our software development kit by making ANY.RUN’s solutions a part of your system, be that SIEM, SOAR, or XDR. 

Available for all products 

The SDK is available for users with the Hunter plan subscription, as well as with the Enterprise plan for teams. 

You can use ANY.RUN’s SDK with the entire range of our products. It makes it possible to automatically: 

• Submit files and links for analysis and download reports with ANY.RUN’s Interactive Sandbox. 

• Browse URLs and file hashes, as well as check IOCs, IOBs, IOAs and receive other data on threats with TI Lookup. 

• Establish the constant IOCs flow reception with TI Feeds. 

We make sure that the software development kit always complies with the current API version and covers all of its functions, enabling you to always stay on top of things. 

How to implement 

ANY.RUN’s software development kit is based on Python, the most popular programming language for malware analysts. It includes documentation, libraries, and code samples for you to explore. For instructions on how to install and use it, see: 

• ANY.RUN’s SDK documentation on GitHub 

• ANY.RUN’s SDK documentation on PyPI 

We welcome contributions from other developers. You can report bugs and suggest enhancements that would be beneficial for your company, and we’ll be happy to review them, resolve the issues, and make adjustments. For more info on how to contribute, see our guide. 

Use cases of ANY.RUN’s SDK 

Save resources on TI Feeds processing 

ANY.RUN’s TI Feeds provide large amounts of data on IOCs. To process all of this data efficiently, while keeping RAM load low, you can use the SDK. This will help you set up automated download of feeds in chunks, rather than in one go. 

import os

from anyrun.connectors import FeedsConnector
from anyrun.iterators import FeedsIterator


def main():

    with FeedsConnector(api_key) as connector:
        for feed in FeedsIterator.stix(connector, period='week', chunk_size=5):
            print(feed)


if __name__ == '__main__':
    api_key = os.getenv('ANY_RUN_FEEDS_API_KEY')
    main()

Simplify the submission process in ANY.RUN’s Sandbox 

Instead of manually submitting URLs and downloading analysis summaries in ANY.RUN’s Interactive Sandbox, configure the SDK to automate these processes. 

Code to automate URL submission.

Code to automate analysis summary download.

Conduct YARA Search 

YARA Search in TI Lookup allows you to scan our threat intelligence database to find files that match your descriptions. With the SDK, you can receive search results automatically using just one command: 

import os
from pprint import pprint

from anyrun.connectors import YaraLookupConnector


def load_yara_rule() -> str:
    with open('yara_lookup_rule_sample.txt', 'r') as file:
        return file.read()


def main():
    with YaraLookupConnector(api_key) as connector:
        lookup_result = connector.get_yara(load_yara_rule(), stix=True)
        pprint(lookup_result)


if __name__ == '__main__':
    api_key = os.getenv('ANY_RUN_Lookup_API_KEY')
    main()

Choose a connection method (for any service) 

You can use the SDK to connect to any service synchronously or asynchronously. Both methods include the same parameters and functions. For example, in TI Lookup you can switch between them with these code samples: 

• Synchronous version 

• Asynchronous version 

Request a trial period for your SOC team and explore ANY.RUN’s services with new possibilities brought by the SDK.

About ANY.RUN 

ANY.RUN’s services are used by over 500,000 cybersecurity professionals worldwide, including SOC teams at over 15,000 companies. ANY.RUN’s Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, and Android systems, while the threat intelligence products TI Lookup and TI Feeds enable organizations to enrich their knowledge on active and emerging cyber attacks. 

The post Seamlessly Integrate ANY.RUN’s Services into Your Infrastructure via SDK appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

In cybersecurity, the three main types of indicators are a critical concept for threat detection and response. These main types are indicators of compromise, behavior, and attack (IOCs, IOBs, IOAs). Let’s elaborate on their essence, difference, and use.  

Distinction in a Nutshell 

Indicators of Compromise 

IOCs are pieces of evidence that suggest that a system, network, or device has been compromised by a cyberattack or malicious activity. They are typically reactive, meaning they are identified after an attack has occurred. 

The main purpose of IOCs is to help detect and confirm security incidents with known threats or malware. They serve as forensic evidence in incident investigations and are necessary for adequate incident response and mitigation. 

More often than not IOCs are specific — tied to a particular malware or campaign.  

IOCs can be classified into:  

Being reactive by their nature, IOCs are of immense help in threat prevention. When used smartly, they can be weaponized to block, disrupt, or preempt similar attacks in the future. 

This function is provided by threat intelligence: SOC teams collect indicators associated with known malware and incidents (malicious IPs, domains, file hashes, or URLs) and blacklist them in their security systems to prevent future communication or execution associated with those IOCs. 

For example, a phishing domain seen in a past attack is added to the block list, preventing any user from accessing it if reused. Potential IOCs can be checked with the help of services like ANY.RUN’s Threat Intelligence Lookup.  It searches for information from malware samples added and analyzed in the Interactive Sandbox: 

destinationIP:”147.185.221.26″ 

Another way of using IOCs for proactive protection is setting up decoys (honeypots or honeytokens) to monitor access to known indicators or infrastructure that mimics IOC traits. 

Finally, IOCs reveal which vulnerabilities are being exploited, so teams can prioritize patching or tighten firewall rules accordingly. 

IOCs have their limitations, though. They may not help to detect brand new or advanced threats. It’s important to keep in mind that attackers can easily change IOCs (e.g., domains, hashes), so IOC-based prevention is only as effective as its freshness and context. Context also helps to reduce false positives in detection.  

Context can also be provided by TI Lookup: it supports over 40 search parameters and wildcards which allows to combine indicators and parameters in complex search queries:

(syncObjectName:”PackageManager” or syncObjectName:”DocumentUpdater”) and syncObjectOperation:”Create” 

Mutexes often generate false positive alerts in monitoring systems. Malware samples can contain the same objects as legitimate programs, and a lot of mutex names are generic. 

Switching to the Analyses tab in the search results, we see, that the combination of mutexes with such innocent general names as PackageManager and DocumentUpdater occurs in malware campaigns of MuddyWater APT group from Iran, which is exactly as dangerous as an APT group from Iran is supposed to be.  

On the other hand, this combination of mutexes was last spotted in malware samples about four months ago which allows us to consider this signal obsolete.  

Security teams share IOCs via threat intelligence feeds: continuously updated data streams with indicators from fresh malware samples integrated with monitoring and detection systems. ANY.RUN provides Threat Intelligence Feeds in STIX and MISP formats. 

Indicators of Behavior 

IOBs focus on patterns or behaviors that suggest malicious activity, rather than specific artifacts or static signatures. They describe how an attacker operates, often describing tactics, techniques, and procedures (TTPs). In other words, these indicators focus on what an attacker does rather than specific tools or files. 

This enables them to be used for detecting zero-day attacks, unknown or evolving threats that may not have specific IOCs which makes IOBs useful in proactive threat hunting and monitoring. Suspicious behavior can signal an attack in progress, before significant damage occurs.  

IOBs may refer to:  

Thus, typical examples of IOBs are:  

• Use of living-off-the-land binaries (e.g., rundll32, certutil); 

• Obfuscation techniques; 

• Credential dumping after privilege escalation; 

• Repeated use of valid accounts for persistence.

IOBs also come with a few shortcomings. It requires advanced analytics, such as behavioral analysis or machine learning, to identify anomalies. Sophisticated monitoring tools (e.g., SIEM, UEBA) should be employed to work with this family of indicators. They can be resource-intensive to analyze and validate. And they may produce false positives if legitimate behaviors mimic malicious ones. 

ANY.RUN’s Interactive Sandbox allows analysts to observe how malware or suspicious files behave in a controlled environment and detect anomalous behaviors that may indicate a potential threat. For example, in this analysis session we see remote code execution via mshta.exe triggered by a command entered manually by a user and mentioning a (misspelled) CAPTCHA:

What does this activity indicate? In their latest campaign, Storm-1865 distributed phishing emails impersonating Booking.com. The emails contained links leading to fake CAPTCHA pages designed to build trust and lure users into interaction. The threat actor leveraged the ClickFix technique, instructing victims to paste a malicious command into the Windows command prompt. 

The campaign has been observed delivering several commodity malware families, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, DanaBot, and NetSupport RAT. With the following TI lookup query, we can search through recent public sandbox analyses and find samples with the same malicious activity for further research: 

commandLine:”mshta92.255.57.155/Capcha“ 

Indicators of Attack 

IOAs are proactive indicators that focus on the intent and actions of an adversary during an attack, emphasizing the “how” and “why” of malicious activity. They aim to detect attacks in real time, and to catch it in its early stages (e.g., during reconnaissance, exploitation, or lateral movement). This allows cybersecurity teams to prevent attacks by interrupting the kill chain. 

Examples of IOAs:  

What typical indicators of attack might look like:  

• Word document spawns PowerShell; 

• Process injection detected; 

• A user logs in from two geographies within minutes; 

• Suspicious lateral movement. 

Since IOAs are specific signs of an active or imminent attack, often tied to known TTPs or malicious artifacts, it is possible to research these indicators with the aid of ANY.RUN’s Threat Intelligence Lookup through the Interactive MITRE ATT&CK Matrix.

The Matrix lets you map TTPs to actual samples of malware and phishing threats and view their entire execution chain inside the Interactive Sandbox, as well as collect additional indicators.

Conclusion  

The most valuable aspect of indicators in institutional cybersecurity is of course their potential to help prevent threats and incidents, stop attacks from succeeding, and thus avoiding financial loss, operational disruption, and reputation damage. Regularly collecting and using IOCs, IOAs, and IOBs, including with the services like ANY.RUN’s TI Lookup and TI Feeds, can help your SOC team fight off threats and keep your infrastructure safe.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals and 15,000 organizations worldwide. The Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. The threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Integrate ANY.RUN’s Threat Intelligence suite in your organization →

The post How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More