VMRay Analyzer Report for Sample #609231
Generated by VMRay Analyzer 1.11.0
DNS resolutions observed
  www.msn.com       -> 204.79.197.203
  go.microsoft.com  -> 104.84.181.107
Process: 9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe (PID 1520, parent PID 2044)
  Command line:       "C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe"
  Working directory:  C:\Users\WI2yhmtI onvScY7Pe\Desktop
  Image path:         c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe
  Object operations recorded for this process entry (target objects are not preserved in this export): Opened x10, Created x3
Process: explorer.exe (PID 520, parent PID 1520)
  Command line:       explorer.exe
  Working directory:  C:\Users\WI2yhmtI onvScY7Pe\Desktop
  Image path:         c:\windows\syswow64\explorer.exe
  Note: this is the 32-bit explorer.exe from SysWOW64, started by the sample (parent PID 1520) rather than the 64-bit logon shell in C:\Windows. The working directory is inherited from the sample. The VTI matches below record that it was started via CreateProcessInternalA with a hidden window and that the sample reads from and writes into its memory.

File artifacts
  Standard handles: STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
  c:\users\wi2yhmti onvscy7pe\desktop\<file name not decodable in this export>
  c:\users\wi2yhmti onvscy7pe\desktop\.jpg   (extension: jpg)
Registry keys accessed
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters   value: HostName
  HKEY_CURRENT_USER                                                       (root key)
  HKEY_CURRENT_USER                                                       (recorded with value 4194304 in the export)
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum           value: 0
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

File artifact: the submitted sample
  C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe   (extension: exe)
Object operations recorded for the explorer.exe process entry (target objects are not preserved in this export): Opened x30, Created x4, Deleted x3, Connected_To x3
File artifacts: dropped self-copy
  c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf                       (directory)
  c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe          (extension: exe)
    MD5     5babf25f698870abea3f10393a1abf31
    SHA1    9c0ce809c87b54cbd8aa589a2644a74f7f656462
    SHA256  e6d5efed898e2e51a2782bb959b23e2ab3d9dd53bd4ff7f56019901f6fa93a76
    All three digests are identical to those of the submitted sample (see the sample metadata below): dafgfvjv.exe is a byte-for-byte copy of the sample.
  Relationship: Copied_To
  c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe:zone.identifier
    (the Zone.Identifier alternate data stream, i.e. the Mark-of-the-Web, on the dropped copy)
  c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe   (extension: exe)
  Relationship: Copied_From
  c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\wtrrifwf
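The report records an access to the `:zone.identifier` stream of the dropped copy but not the stream's content. The following is an added triage helper, not code from the report or from VMRay, that reads and parses such a Mark-of-the-Web stream so an analyst can tell whether a dropped copy still carries the zone information of the original download. The stream content below is constructed for the example; the `ZoneId` meanings are the standard URLZONE values.

```python
"""Read and parse the Zone.Identifier alternate data stream (Mark-of-the-Web) of a file."""
import configparser

# URLZONE values Windows writes into the ZoneId field of the stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Constructed stream content, in the INI layout Windows writes for a browser download (not from the report).
SAMPLE_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.test/\r\n"
    b"HostUrl=https://example.test/files/sample.exe\r\n"
)


def parse_zone_identifier(data: bytes):
    """Parse stream bytes; returns the [ZoneTransfer] fields as a dict, or None if not a MotW stream."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep ZoneId / ReferrerUrl / HostUrl casing
    try:
        parser.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    return dict(parser["ZoneTransfer"])


def zone_name(info) -> str:
    """Human-readable zone for a parsed stream; 'no Mark-of-the-Web' when the stream is absent or unparsable."""
    if not info or not info.get("ZoneId", "").isdigit():
        return "no Mark-of-the-Web"
    zone = int(info["ZoneId"])
    return ZONE_NAMES.get(zone, f"unknown zone {zone}")


def read_zone_identifier(path: str):
    """Open <path>:Zone.Identifier on NTFS. When the stream does not exist (stripped by the malware,
    or the volume is not NTFS) the open fails and None is returned."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    # Default target is the dropped copy from this report; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe"
    print(target, "->", zone_name(read_zone_identifier(target)))
    print("constructed sample stream ->", zone_name(parse_zone_identifier(SAMPLE_STREAM)))
```

On a live NTFS volume, `ZoneId=3` on the dropped copy means the file still carries the Internet-zone mark of the original download; an absent stream on a copy whose source had one is itself an indicator that the mark was removed.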
Mutex: FCAA85F5B5437C4D7919D716988890AF30565E9E
Registry reads: browser version and installed-software enumeration
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer                  value: svcVersion
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall   (key enumerated)
  The values HelpLink and URLInfoAbout were accessed in each of the following Uninstall subkeys:
    AddressBook
    Connection Manager
    DirectDrawEx
    DXM_Runtime
    Fontcore
    IE40
    IE4Data
    IE5BAKEX
    IEData
    MobileOptionPack
    MPlayer2
    SchedulingAgent
    WIC
    {0D3E9E15-DE7A-300B-96F1-B4AF12B96488}
    {1D8E6291-B0D5-35EC-8441-6616F567A0F7}
    {37B8F9C7-03FB-3253-8781-2517C99D7C00}
    {5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
    {929FBD26-9020-399B-9A7A-751D61F0B942}
    {A749D8E6-B613-3BE3-8F5F-045C84EBA29B}
    {ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}
    {BC958BD2-5DAC-3862-BB1A-C1BE0790438D}
    {CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
Registry persistence
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run   (listed three times in the export)
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software
  Value written under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run:
    AppDataLow  (REG_SZ) = C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe
  Entries under Policies\Explorer\Run are launched by Explorer at user logon, so the dropped self-copy runs each time this user logs on.

File artifact
  C:\Windows\SysWOW64\explorer.exe   (extension: exe)
Network
  Socket:       TCP to www.msn.com:80
  Connection:   HTTP to www.msn.com:80
  Request URI:  http://www.msn.com/
Analyzed Sample #609231: Malware Artifacts
  Sample-ID:      #609231
  Submission-ID:  #609231
  Job-ID:         #661721
  Label:          Example B
  This sample was analyzed by VMRay Analyzer 1.11.0 on a Windows 10 system.
  VTI score:      91 (based on VTI Database Version 2.2)

Metadata of Sample File #609231
  Path:    C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe   (the file name is the sample's SHA1 digest)
  Type:    exe
  MD5:     5babf25f698870abea3f10393a1abf31
  SHA1:    9c0ce809c87b54cbd8aa589a2644a74f7f656462
  SHA256:  e6d5efed898e2e51a2782bb959b23e2ab3d9dd53bd4ff7f56019901f6fa93a76
  Opened_By: VMRay Analyzer
VTI rule matches

[Process] vmray_allocate_wx_page (score 1/5): Allocate a page with write and execute permissions
  Allocates a page with PAGE_EXECUTE_READWRITE permissions, often used to dynamically unpack code.
[Anti Analysis] vmray_detect_generic_vm_by_registry (score 2/5): Try to detect virtual machine
  Reads system information commonly used to detect VMs via the registry (value "0" in key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum").
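The numbered values under Disk\Enum hold the device instance ID of each disk, which embeds the vendor and product strings the hypervisor exposes (VMware, VBOX, QEMU, Msft Virtual Disk); that is why reading value "0" is enough to fingerprint the sandbox. The following added example, not code from the report or from VMRay, shows the same check from the defender's side: it classifies Disk\Enum values for hypervisor markers so a sandbox operator can verify what an evasive sample would see. The sample values and the marker table are constructed for the example; on Windows the script also reads the live key.

```python
"""Classify HKLM\\System\\CurrentControlSet\\Services\\Disk\\Enum values for hypervisor markers."""

# Ordered (marker, label) pairs; specific vendors come before the generic "virtual"
# so "Ven_VMware&Prod_Virtual_disk" is reported as VMware rather than as a generic virtual disk.
VM_MARKERS = (
    ("vmware", "VMware"),
    ("vbox", "VirtualBox"),
    ("qemu", "QEMU/KVM"),
    ("xen", "Xen"),
    ("ven_msft&prod_virtual", "Hyper-V"),
    ("virtual", "generic virtual disk"),
)

# Constructed sample values in the device-instance-ID format Windows stores under Disk\Enum;
# the value names "0", "1", ... are one per disk, which is why the analyzer reports value "0".
SAMPLE_DISK_ENUM = {
    "0": "SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&1ec51bf7&0&000000",
    "1": "IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&2b4e2f0a&0&0.0.0",
    "2": "SCSI\\Disk&Ven_Samsung&Prod_SSD_860_EVO\\4&1a2b3c4d&0&000000",
}


def classify_disk_enum(value: str):
    """Return the hypervisor label a Disk\\Enum instance ID reveals, or None for a physical disk."""
    v = value.lower()
    for marker, label in VM_MARKERS:
        if marker in v:
            return label
    return None


def scan_disk_enum(values: dict) -> list:
    """Apply classify_disk_enum to every numbered value; returns [(value_name, label), ...]."""
    hits = []
    for name, value in values.items():
        if not name.isdigit():      # skip the "Count" / "NextInstance" bookkeeping values
            continue
        label = classify_disk_enum(value)
        if label is not None:
            hits.append((name, label))
    return hits


def read_disk_enum_from_registry() -> dict:
    """Read the live key on Windows via winreg; returns {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    key_path = r"System\CurrentControlSet\Services\Disk\Enum"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        count = int(winreg.QueryValueEx(key, "Count")[0])
        return {str(i): winreg.QueryValueEx(key, str(i))[0] for i in range(count)}


if __name__ == "__main__":
    live = read_disk_enum_from_registry()
    for name, label in scan_disk_enum(live or SAMPLE_DISK_ENUM):
        print(f"Disk\\Enum value {name}: {label}")
```

If the scan reports a hit on an analysis VM, the sample under test will see the same string; hiding the vendor in the virtual disk's product identification (a hypervisor-side setting) is the fix, not editing the registry value, which is rebuilt by the disk class driver.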
[Anti Analysis] vmray_illegitimate_api_usage_by_create_process_internal (score 4/5): Illegitimate API usage
  The internal API "CreateProcessInternalA" was used to start "explorer.exe".
[Process] vmray_create_process_with_hidden_window (score 1/5): Create process with hidden window
  The process "explorer.exe" is started with a hidden window.
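The process entries above give the host-side view of this behaviour: a 32-bit explorer.exe from SysWOW64 whose parent is an executable on the user's desktop. The following added detection example, not code from the report or from VMRay, scores process-creation records with Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ProcessId) for exactly those tells. The two records are constructed: the first mirrors the explorer.exe entry in this report, the second is a normal logon shell started by userinit.exe. The list of user-writable path fragments is an assumption about a standard Windows layout.

```python
"""Flag explorer.exe process creations that look like the injected child seen in this report."""
import ntpath

# The logon shell is the 64-bit binary here; the 32-bit copy in C:\Windows\SysWOW64 exists
# on 64-bit Windows but the shell is never started from it.
SHELL_IMAGE = "c:\\windows\\explorer.exe"

# Path fragments that mark user-writable locations (assumption: standard Windows layout).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def assess_process_create(rec: dict) -> list:
    """Return the reasons a process-creation record for explorer.exe is suspicious.
    Non-explorer images and clean records return an empty list."""
    image = rec["Image"].lower()
    parent = rec["ParentImage"].lower()
    reasons = []
    if ntpath.basename(image) != "explorer.exe":
        return reasons
    if image != SHELL_IMAGE:
        reasons.append(f"explorer.exe started from a non-standard path: {rec['Image']}")
    if "\\syswow64\\" in image:
        reasons.append("32-bit explorer.exe from SysWOW64 (the shell is the 64-bit C:\\Windows\\explorer.exe)")
    if in_user_writable_dir(parent):
        reasons.append(f"parent executable lives in a user-writable directory: {rec['ParentImage']}")
    return reasons


def triage(records: list) -> list:
    """Run assess_process_create over many records; returns [(ProcessId, reasons)] for hits only."""
    hits = []
    for rec in records:
        reasons = assess_process_create(rec)
        if reasons:
            hits.append((rec["ProcessId"], reasons))
    return hits


# Constructed records (not from a real log): the first mirrors the process entry in this report,
# the second is a normal logon shell start.
SAMPLE_EVENTS = [
    {
        "ProcessId": 520,
        "Image": r"C:\Windows\SysWOW64\explorer.exe",
        "CommandLine": "explorer.exe",
        "ParentImage": r"C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe",
    },
    {
        "ProcessId": 3412,
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Windows\Explorer.EXE",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
    },
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(f"PID {pid}:")
        for reason in reasons:
            print("  -", reason)
```

Window visibility is not in process-creation telemetry, so the hidden-window tell from the VTI rule cannot be checked this way; the SysWOW64 path and the user-writable parent are the durable host-side signals, and in this report both are present on one record.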
[Process] vmray_read_from_remote_process (score 1/5): Read from memory of another process
  "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" reads from "explorer.exe".
[Process] vmray_install_ipc_endpoint (score 1/5): Create system object
  Creates a mutex with the name "FCAA85F5B5437C4D7919D716988890AF30565E9E".
[Hide Tracks] vmray_delete_executed_executable (score 1/5): Delete file after execution
  Deletes the executable "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe".
[Persistence] vmray_install_startup_script_by_registry (score 1/5): Install system startup script or application
  Adds "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe" to Windows startup via the registry (value AppDataLow under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, see the registry persistence artifacts above).
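The persistence write is the highest-value host indicator in this report: a REG_SZ value under Policies\Explorer\Run pointing at an executable in AppData\Roaming. The following added example, not code from the report or from VMRay, scores registry SetValue events with Sysmon Event ID 13 field names (EventType, TargetObject, Details, Image) for autorun persistence, ranking the Policies\Explorer\Run key above the ordinary Run keys because legitimate software almost never writes there. The three events are constructed; the first mirrors the value in this report (the SID in the HKU path is made up), the second is a common legitimate per-user autorun that shows why a user-writable target alone is only medium confidence.

```python
"""Score Sysmon-style registry SetValue events (EID 13 field names) for autorun persistence."""
import re

# Autorun key suffixes (hive prefix stripped, compared case-insensitively) that are launched at logon.
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
# Path fragments that mark user-writable locations (assumption: standard Windows layout).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def autorun_key(target_object: str):
    """Return the matching autorun key suffix if TargetObject names a value under one, else None."""
    t = target_object.lower()
    for key in AUTORUN_KEYS:
        if key + "\\" in t:          # key followed by the value name
            return key
    return None


def executable_from_details(details: str) -> str:
    """Extract the launch target from a REG_SZ command: a quoted path, or everything up to the first .exe
    (the value in this report is an unquoted path containing a space, so splitting on whitespace would break)."""
    d = details.strip()
    m = re.match(r'"([^"]+)"', d) or re.match(r"(.+?\.exe)(?=\s|$)", d, re.IGNORECASE)
    return m.group(1) if m else d


def assess_registry_set(ev: dict):
    """Return {'severity', 'value_name', 'target', 'reasons'} for an autorun write, else None."""
    if ev.get("EventType") != "SetValue":
        return None
    key = autorun_key(ev["TargetObject"])
    if key is None:
        return None
    target = executable_from_details(ev["Details"])
    reasons = [f"autorun value written under ...{key}"]
    severity = "low"
    if any(fragment in target.lower() for fragment in USER_WRITABLE):
        reasons.append(f"launch target is in a user-writable directory: {target}")
        severity = "medium"
    if key.endswith("\\policies\\explorer\\run"):
        reasons.append("Policies\\Explorer\\Run is a policy key that legitimate installers rarely touch")
        severity = "high"
    return {
        "severity": severity,
        "value_name": ev["TargetObject"].rsplit("\\", 1)[-1],
        "target": target,
        "reasons": reasons,
    }


def triage(events: list) -> list:
    """Return assessments for the events that touch an autorun key, in input order."""
    return [r for r in (assess_registry_set(ev) for ev in events) if r is not None]


# Constructed events (SID and the second and third events are made up for the example).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\AppDataLow",
     "Details": r"C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe"},
    {"EventType": "SetValue", "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\HostName",
     "Details": "WIN10-LAB"},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["severity"].upper(), result["value_name"], "->", result["target"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The value name AppDataLow is the only field an analyst would have to read to spot this entry in a registry dump; a detection should key on the path of the key and the location of the target, as above, rather than on the name, which the malware chooses.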
[Injection] vmray_modify_memory (score 3/5): Write into memory of another process
  "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe".
[Network] vmray_tcp_out_connection (score 1/5): Connect to remote host
  Outgoing TCP connection to host "www.msn.com:80".
[Network] vmray_tcp_out_connection (score 1/5): Connect to remote host
  Outgoing TCP connection to host "104.84.181.107:80" (go.microsoft.com, per the DNS resolutions above).
[Network] vmray_download_data_http_request (score 1/5): Download data
  URL "http://www.msn.com/".
[Network] vmray_download_data_http_request (score 1/5): Download data
  URL "http://go.microsoft.com/fwlink/?LinkId=133405".
  Both destinations are the Microsoft hosts resolved above; no other remote host appears in this report.