VMRay Analyzer Report for Sample #18795
Analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system.

Sample metadata (Sample-ID #18795, Submission-ID #18926)
  File:   C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe
  Type:   exe
  MD5:    f5aceff295707412e7679e7c0f3a797e
  SHA1:   89c58b4bc7130630ff093afe1c57614a4b85ddc7
  SHA256: ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d

Analysis metadata (Job-ID #7828)
  Analyzer:                 VMRay Analyzer 2.2.0
  Target system:            Windows 7, x86 64-bit (VM image win7_64_sp1), OS build 6.1.7601.17514
  All processes terminated: False
  VTI score:                0 (VTI Database Version 2.6)
  Further fields whose labels did not survive extraction: True, 70.193, 3844dbb9-2017-4967-be7a-a4a2c20430fa

Process tree
  Process 1: PID 2536, parent PID 1380 (Child_Of 1380)
    Image:             ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe
    Command line:      "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe"
    Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
    Image path:        c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe
  Process 2: PID 2592, parent PID 2536 (Child_Of Process 1)
    Same image, command line, working directory and image path as Process 1, i.e. the sample starts a second instance of itself.

Artifacts
  Operations recorded on the artifacts: Created, Opened, Opened_By, Read_From. The flattened report no longer shows which process performed which operation on which artifact.
  File:         STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
  Mutex:        one mutex (nameless; see vmray_install_ipc_endpoint below)
  Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  File:         c:\windows\syswow64\ntdll.dll (dll)

VTI rule matches (8 matches, highest score 2/5)
  Process       1/5  vmray_install_ipc_endpoint            Create nameless mutex. (Create system object)
  Anti Analysis 1/5  vmray_dynamic_api_usage_by_api        Resolve above average number of APIs. (Dynamic API usage)
  Process       1/5  vmray_create_process_with_hidden_window  The process "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe" starts with hidden window. (Create process with hidden window)
  Process       1/5  vmray_allocate_wx_page                Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. (Create a page with write and execute permissions)
  File System   1/5  vmray_create_file_in_os_dir           Create file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory. (Modify operating system directory)
  File System   1/5  vmray_overwrite_file_in_os_dir        Modify file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory. (Modify operating system directory)
  Anti Analysis 2/5  vmray_detect_kernel_debugger_by_api   Check via API "NtQuerySystemInformation". (Try to detect kernel debugger)
  Anti Analysis 1/5  vmray_detect_debugger_by_api          Check via API "NtQueryInformationProcess". (Try to detect debugger)

Reading the matches together: the only "foreign process" visible in the tree is Process 2, a second copy of the same image, so the PAGE_EXECUTE_READWRITE allocation is consistent with the parent unpacking or injecting code into its own child. The two File System matches both name the 32-bit ntdll.dll under SysWOW64; before treating that as a tampered system file, compare the hash of the on-disk ntdll.dll after the run with a known-good copy, since an open for write access and an actual overwrite look the same in this summary. Both anti-debugging checks go through native APIs (NtQuerySystemInformation, NtQueryInformationProcess) rather than IsDebuggerPresent, which matches the above-average dynamic API resolution the Anti Analysis category reports.
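Reports like this one often arrive flattened into a single line of text, as above. The following parser, added here as an illustration and not VMRay code, recovers the VTI rule matches from that layout and produces a small triage summary (rules per category, the highest-scoring rules, OS-directory targets to hash-check, and the native APIs used for debugger detection). It assumes only the line shape visible in this report: "<Category> VTI rule match with VTI rule score <n>/5 <rule_id> <description>. <technique>". The category list beyond the three seen here is an assumption, and the embedded input is constructed from this report's own matches with the user path shortened.

```python
"""Parse flattened VMRay VTI rule matches into structured records.

Added example for this page; not VMRay's code. Assumes each match reads
  <Category> VTI rule match with VTI rule score <n>/5 <rule_id> <description>. <technique>
with the technique running up to the next category marker or end of text.
"""
import re
from collections import defaultdict

# Categories seen in this report plus a few other VMRay categories
# (assumption: the extra names exist only so the parser accepts other reports).
CATEGORIES = ("Anti Analysis", "File System", "Process", "Network",
              "Persistence", "Injection")
_CAT = "|".join(re.escape(c) for c in CATEGORIES)

VTI_PATTERN = re.compile(
    rf"(?P<category>{_CAT}) VTI rule match with VTI rule score (?P<score>\d)/5 "
    r"(?P<rule>\S+) (?P<description>.*?\.) (?P<technique>.*?)"
    rf"(?=\s(?:{_CAT}) VTI rule match|$)"   # technique ends at the next marker
)

# Constructed input: the VTI section of the report above, flattened, with the
# user path shortened.
VTI_TEXT = (
    "Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint "
    "Create nameless mutex. Create system object "
    "Anti Analysis VTI rule match with VTI rule score 1/5 vmray_dynamic_api_usage_by_api "
    "Resolve above average number of APIs. Dynamic API usage "
    "Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window "
    'The process "C:\\Users\\analyst\\Desktop\\sample.exe" starts with hidden window. '
    "Create process with hidden window "
    "Process VTI rule match with VTI rule score 1/5 vmray_allocate_wx_page "
    'Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, '
    "often used to dynamically unpack code. Create a page with write and execute permissions "
    "File System VTI rule match with VTI rule score 1/5 vmray_create_file_in_os_dir "
    'Create file "\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" in the OS directory. '
    "Modify operating system directory "
    "File System VTI rule match with VTI rule score 1/5 vmray_overwrite_file_in_os_dir "
    'Modify file "\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" in the OS directory. '
    "Modify operating system directory "
    "Anti Analysis VTI rule match with VTI rule score 2/5 vmray_detect_kernel_debugger_by_api "
    'Check via API "NtQuerySystemInformation". Try to detect kernel debugger '
    "Anti Analysis VTI rule match with VTI rule score 1/5 vmray_detect_debugger_by_api "
    'Check via API "NtQueryInformationProcess". Try to detect debugger'
)


def parse_vti_matches(text: str) -> list[dict]:
    """Return one dict per VTI rule match, in report order."""
    return [
        {
            "category": m["category"],
            "score": int(m["score"]),
            "rule": m["rule"],
            "description": m["description"],
            "technique": m["technique"],
        }
        for m in VTI_PATTERN.finditer(text)
    ]


def summarize(matches: list[dict]) -> dict:
    """Triage view: rules per category, highest-scoring rules, OS-directory
    targets that deserve a hash check against a clean copy, and the native
    APIs named in the Anti Analysis matches."""
    by_category = defaultdict(list)
    for m in matches:
        by_category[m["category"]].append(m["rule"])
    max_score = max((m["score"] for m in matches), default=0)
    os_dir_targets = sorted({
        path
        for m in matches if m["rule"].endswith("_in_os_dir")
        for path in re.findall(r'"([^"]+)"', m["description"])
    })
    anti_analysis_apis = sorted({
        api
        for m in matches if m["category"] == "Anti Analysis"
        for api in re.findall(r'API "([^"]+)"', m["description"])
    })
    return {
        "match_count": len(matches),
        "max_score": max_score,
        "top_rules": [m["rule"] for m in matches if m["score"] == max_score],
        "by_category": dict(by_category),
        "os_dir_targets": os_dir_targets,
        "anti_analysis_apis": anti_analysis_apis,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_vti_matches(VTI_TEXT)).items():
        print(f"{key}: {value}")
```

The lookahead that terminates each technique requires the literal "VTI rule match" after the category word, so a technique or description that merely contains "Process" or "File System" is not cut short; the description is ended at the first period followed by a space, which leaves file names such as ntdll.dll intact.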