3729c1d6...c9a8 | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Wiper, Ransomware, Trojan

VMRay Threat Indicators (16 rules, 23 matches)

Severity | Category | Operation | Count | Classification
5/5 | OS | Obscures a file's origin | 2 | -
5/5 | File System | Encrypts content of user files | 1 | Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
5/5 | Local AV | Malicious content was detected by heuristic scan | 3 | -
  • Local AV detected a memory dump of process "chromeflashplayer_9c354b42e1010314.exe" as "Generic.Ransom.WCryG.79796CE5".
5/5 | Reputation | Known malicious file | 1 | Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Subpoena.exe" is a known malicious file.
5/5 | YARA | YARA match | 2 | -
  • Rule "APT28_IMPLANT_4_v5" from ruleset "APTs" has matched on a memory dump for process "chromeflashplayer_9c354b42e1010314.exe".
4/5 | OS | Modifies Windows automatic backups | 1 | -
3/5 | Process | Creates an unusually large number of processes | 1 | -
  • Above average number of processes were monitored.
3/5 | File System | Possibly drops ransom note files | 1 | Ransomware
  • Possibly drops ransom note files (creates 82 instances of the file "HELP_DECRYPT_YOUR_FILES.HTML" in different locations).
2/5 | Anti Analysis | Resolves APIs dynamically to possibly evade static detection | 1 | -
1/5 | Process | Creates system object | 1 | -
  • Creates mutex with name "ChromeReaderHardWress2_9c354b42e1010314".
1/5 | Persistence | Installs system startup script or application | 2 | -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Subpoena.exe"" to Windows startup via registry.
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ChromeFlashPlayer_9c354b42e1010314.exe"" to Windows startup via registry.
1/5 | File System | Modifies operating system directory | 2 | -
  • Creates file "C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT" in the OS directory.
  • Creates file "C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML" in the OS directory.
1/5 | Process | Creates process with hidden window | 2 | -
1/5 | File System | Creates an unusually large number of files | 1 | -
1/5 | Network | Connects to HTTP server | 1 | -
1/5 | Reputation | Known suspicious URL | 1 | -
  • URL "https://translate.google.com" embedded in file "C:\ProgramData\HELP_DECRYPT_YOUR_FILES.HTML" is a known suspicious URL.

Screenshots

Monitored Processes

Sample Information

ID #76734
MD5 09250d8b8323c62fb59941b458fa70d1
SHA1 da5f6347207257139ac82b50bc8276de9c1afd9e
SHA256 3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8
SSDeep 3072:00xSw+RJ356rtdzOXAkn0bioX13JDDNqS:0ISwk6toQCADv
ImpHash a37e461efaa9819419d9e9c262f3e1fe
Filename Subpoena.exe
File Size 133.50 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-06-12 17:41 (UTC+2)
Analysis Duration 00:04:28
Number of Monitored Processes 53
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 5
Number of YARA Matches 4
Termination Reason Timeout
Tags