2767c566...af59 | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Downloader, Trojan

LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe

Windows Exe (x86-32)

Created at 2019-07-19T06:56:00

Remarks (2/3)

(0x200000e): The overall sleep time of all monitored processes was truncated from "40 seconds" to "10 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

VMRay Threat Indicators (19 rules, 39 matches)

Severity | Category | Operation | Count | Classification
5/5 | Local AV | Malicious content was detected by heuristic scan | 5 | -
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe" as "Trojan.GenericKD.31534187".
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe" as "Trojan.AgentWDCR.SVC".
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe" as "Trojan.AgentWDCR.SUF".
5/5 | Reputation | Known malicious file | 4 | Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" is a known malicious file.
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe" is a known malicious file.
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe" is a known malicious file.
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe" is a known malicious file.
4/5 | Network | Modifies network configuration | 1 | -
  • Modifies the host.conf file, probably to redirect network traffic.
4/5 | File System | Modifies content of user files | 1 | Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.
4/5 | File System | Renames user files | 1 | Ransomware
  • Renames multiple user files. This is an indicator for an encryption attempt.
4/5 | Reputation | Known malicious URL | 2 | -
  • Contacted URL "http://bruze2.ug/files/penelop/updatewin2.exe" is a known malicious URL.
  • URL "http://bruze2.ug/files/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL.
3/5 | Anti Analysis | Delays execution | 1 | -
  • Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe", to be triggered by Time. Task has been rescheduled by the analyzer.
2/5 | Anti Analysis | Resolves APIs dynamically to possibly evade static detection | 1 | -
1/5 | Persistence | Installs system startup script or application | 1 | -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --AutoStart" to Windows startup via registry.
1/5 | Process | Creates process with hidden window | 2 | -
  • The process "icacls" starts with hidden window.
  • The process "powershell" starts with hidden window.
1/5 | Process | Creates system object | 1 | -
  • Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}".
1/5 | File System | Modifies operating system directory | 1 | -
1/5 | File System | Creates an unusually large number of files | 1 | -
1/5 | Process | Overwrites code | 1 | -
1/5 | Network | Downloads file | 2 | -
  • Downloads file via http from "http://bruze2.ug/ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php?pid=0E11F5E4125223A10BC64F8C25940F2B&first=true".
  • Downloads file via http from "http://bruze2.ug/ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php?pid=0E11F5E4125223A10BC64F8C25940F2B".
1/5 | Network | Downloads executable | 3 | Downloader
1/5 | Network | Connects to HTTP server | 9 | -
  • URL "http://bruze2.ug/ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php?pid=0E11F5E4125223A10BC64F8C25940F2B&first=true".
  • URL "http://bruze2.ug/files/penelop/updatewin1.exe".
  • URL "http://bruze2.ug/files/penelop/updatewin2.exe".
  • URL "http://bruze2.ug/files/penelop/updatewin.exe".
  • URL "http://bruze2.ug/ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php?pid=0E11F5E4125223A10BC64F8C25940F2B".
1/5 | Static | Unparsable sections in file | 1 | -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe.
0/5 | Process | Enumerates running processes | 1 | -

Screenshots

Monitored Processes

Sample Information

ID #115275
MD5 80d04be9495d2f7e662f4ee50d03f1a2
SHA1 0bacc428bae7d567f2faaf1f3de896d6f690c098
SHA256 2767c566c6e7de07b85a910e3598cc8e4aa6655cffe7623ccc7f85f508fcaf59
SSDeep 6144:YwEGfsyTs+FW1rX9eUYLEspL7DFTsfVLy0yAgHGUCacSl1FDkZF/MQWMQE+poCI7:tEGfHx69fspHp2ePCacStkZgHpvI7
ImpHash e101f33f21879df984d10829637ee304
Filename LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe
File Size 387.50 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-19 08:56 (UTC+2)
Analysis Duration 00:04:28
Number of Monitored Processes 12
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 5
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile