04526662...91b7 | VMRay Analyzer Report
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Downloader, Trojan

A959.tmp.exe

Windows Exe (x86-32)

Created at 2019-07-08T06:47:00

...

Remarks (2/3)

(0x200000e): The overall sleep time of all monitored processes was truncated from "40 seconds" to "10 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

VMRay Threat Indicators (20 rules, 57 matches)

Severity Category Operation Count Classification
5/5
Local AV Malicious content was detected by heuristic scan 7 -
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" as "Trojan.GenericKD.31534187".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe" as "Trojan.AgentWDCR.SVC".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe" as "Trojan.AgentWDCR.SUF".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe" as "Trojan.GenericKD.41330912".
    ...
5/5
Reputation Known malicious file 5 Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" is a known malicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe" is a known malicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe" is a known malicious file.
    ...
4/5
Network Modifies network configuration 1 -
  • Modifies the host.conf file, probably to redirect network traffic.
    ...
4/5
File System Modifies content of user files 1 Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
File System Renames user files 1 Ransomware
  • Renames multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
Reputation Known malicious URL 14 -
  • Contacted URL "http://texet2.ug/tesptc/penelop/updatewin1.exe" is a known malicious URL.
    ...
  • Contacted URL "http://texet2.ug/tesptc/penelop/updatewin2.exe" is a known malicious URL.
    ...
  • Contacted URL "http://texet2.ug/tesptc/penelop/updatewin.exe" is a known malicious URL.
    ...
  • Contacted URL "http://texet2.ug/tesptc/penelop/3.exe" is a known malicious URL.
    ...
  • Contacted URL "http://texet2.ug/tesptc/penelop/4.exe" is a known malicious URL.
    ...
  • Contacted URL "http://texet2.ug/tesptc/penelop/5.exe" is a known malicious URL.
    ...
  • Contacted URL "texet2.ug/1/index.php" is a known malicious URL.
    ...
  • Contacted URL "texet2.ug" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://texet2.ug/tesptc/penelop/5.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://texet2.ug/tesptc/penelop/updatewin1.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://texet2.ug/tesptc/penelop/4.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://texet2.ug/tesptc/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://texet2.ug/tesptc/penelop/3.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://texet2.ug/tesptc/penelop/updatewin.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
3/5
File System Possibly drops ransom note files 1 Ransomware
  • Possibly drops ransom note files (creates 28 instances of the file "_readme.txt" in different locations).
    ...
3/5
Anti Analysis Delays execution 1 -
  • Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe", to be triggered by Time. Task has been rescheduled by the analyzer.
    ...
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection 1 -
1/5
Persistence Installs system startup script or application 1 -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart" to Windows startup via registry.
    ...
1/5
Process Creates process with hidden window 2 -
  • The process "icacls" starts with hidden window.
    ...
  • The process "powershell" starts with hidden window.
    ...
1/5
Process Creates system object 2 -
  • Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}".
    ...
  • Creates mutex with name "A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69".
    ...
1/5
File System Modifies operating system directory 1 -
1/5
Information Stealing Reads system data 1 -
  • Reads the cryptographic machine GUID from registry.
    ...
1/5
File System Creates an unusually large number of files 1 -
1/5
Process Overwrites code 1 -
1/5
Network Downloads file 1 -
  • Downloads file via http from "http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291".
    ...
1/5
Network Downloads executable 4 Downloader
1/5
Network Connects to HTTP server 10 -
  • URL "http://texet2.ug/tesptc/penelop/updatewin1.exe".
    ...
  • URL "http://texet2.ug/tesptc/penelop/updatewin2.exe".
    ...
  • URL "http://texet2.ug/tesptc/penelop/updatewin.exe".
    ...
  • URL "http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291".
    ...
  • URL "http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291&first=true".
    ...
0/5
Process Enumerates running processes 1 -

Screenshots

Monitored Processes

Process Graph

Process Graph Legend

Sample Information

ID #101941
MD5 3f44e8dde637b81989df3d607fb58526 Copy to Clipboard
SHA1 c009f46b4b7db702da474e66760b3ecd02060f3a Copy to Clipboard
SHA256 045266622416793cd2d5e7617d27a6c9b7fd542dcd3a18dff928b554277791b7 Copy to Clipboard
SSDeep 12288:F0rgZ2xUMGuGWGteiM7QwIHhW4cxZRfQOkpmm9Lkf:FeXGToQBWVYOC9LW Copy to Clipboard
ImpHash 3501d5bee191e2fa0dfe253b72d57857 Copy to Clipboard
Filename A959.tmp.exe
File Size 446.50 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-08 08:47 (UTC+2)
Analysis Duration 00:04:26
Number of Monitored Processes 13
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 7
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image