VMRay Analyzer Report for Sample #416354 (VMRay Analyzer 3.2.1)
Network artifacts:
  URI u.teknik.io, Resolved_To address 5.79.72.163
  URI teknik.io, Resolved_To
Process 1: PID 2432, 0ajtd.txt.exe, parent PID 1092, file 0ajtd.txt.exe
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0AJTD.txt.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\0ajtd.txt.exe
  Relations: Child_Of, Child_Of, Created, Created, Opened

Process 2: PID 2416, regasm.exe, parent PID 2432, file regasm.exe
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0AJTD.txt.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe

Process 3: PID 2008, regasm.exe, parent PID 2432, file regasm.exe
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0AJTD.txt.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
  Relations: Opened, Opened, Opened
Mutex: (none listed)

Registry keys:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework (values: DbgJITDebugLaunchSetting, DbgManagedDebugger)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting (value: Default Impersonation Level)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting (value: Default Namespace)
Analyzed Sample #416354 (Malware Artifacts)
Sample-ID: #416354
Job-ID: #1034631
This sample was analyzed by VMRay Analyzer 3.2.1 on a Windows 7 system.
VTI Score: 100 (based on VTI Database Version 3.6)
Metadata of Sample File #416354
Submission-ID: #2907329
Sample file: 15a9c96372795124730f77034d64357fa50a82d71ebbc4dc5384c23d13e99cdcexe
MD5: b3c84d5c7cde6b094a0e2c7b9a2004fd
SHA1: f32a43ac984e3ed11f374f69281539aa62acd6dd
SHA256: 15a9c96372795124730f77034d64357fa50a82d71ebbc4dc5384c23d13e99cdc
Metadata of Analysis for Job-ID #1034631
False, Timeout, True, 236.421
XDUWTFONO
Analysis VM: win7_64_sp1, x86 64-bit, Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
User: 5p5NrGJn0jS HALPmcxz
XDUWTFONO
This is a property collection for additional information of VMRay analysis (VMRay Analyzer).
VTI rule matches:

Masquerade - vmray_use_double_file_extension (VTI rule score 4/5)
  File "c:\users\5p5nrgjn0js halpmcxz\desktop\0ajtd.txt.exe" has a double file extension.
  Uses a double file extension

Obfuscation - vmray_dynamic_api_usage_by_api (VTI rule score 2/5)
  Resolves an unusually high number of APIs.
  Resolves APIs dynamically to possibly evade static detection

Anti Analysis - vmray_evade_debugger_by_nt_set_information_thread (VTI rule score 3/5)
  Hides thread via API "NtSetInformationThread".
  Tries to evade debugger

Hide Tracks - vmray_create_process_with_hidden_window (VTI rule score 1/5)
  The process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" starts with a hidden window.
  Creates process with hidden window

Obfuscation - vmray_allocate_wx_page (VTI rule score 1/5)
  Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
  Creates a page with write and execute permissions

Obfuscation - vmray_overwrite_code (VTI rule score 1/5)
  Overwrites code to possibly hide behavior.
  Overwrites code

Anti Analysis - vmray_direct_syscall_api_usage (VTI rule score 2/5)
  Makes a direct system call to "NtProtectVirtualMemory".
  Makes direct system call to possibly evade hooking-based sandboxes

Anti Analysis - vmray_direct_syscall_api_usage (VTI rule score 2/5)
  Makes a direct system call to "NtAllocateVirtualMemory".
  Makes direct system call to possibly evade hooking-based sandboxes

Injection - vmray_modify_memory_system (VTI rule score 4/5)
  "c:\users\5p5nrgjn0js halpmcxz\desktop\0ajtd.txt.exe" modifies memory of "c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe".
  Writes into the memory of another running process

Injection - vmray_modify_control_flow_system (VTI rule score 4/5)
  "c:\users\5p5nrgjn0js halpmcxz\desktop\0ajtd.txt.exe" alters context of "c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe".
  Modifies control flow of another process

Network Connection - vmray_establish_http_connection (VTI rule score 1/5)
  URL "https://u.teknik.io/uEs1w.bin".
  Connects to HTTP server

Reputation - vmray_known_malicious_file (VTI rule score 5/5)
  Reputation data labels the sample itself as "Win32.Trojan.Genkryptik".
  Known malicious file