39811d2e...939c

VTI SCORE: 100/100

Dynamic Analysis Report

Classification:

Ransomware

Wiper

Threat Names:

Gen:Heur.Ransom.HiddenTears.1

Y9Lb705rdKXGXOCu.exe

Windows Exe (x86-32)

Created at 2021-01-13T01:14:00

Remarks (1/1)

Auto Reboot Triggered (0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:

Filename	Category	Type	Severity	Actions

C:\Users\FD1HVy\Desktop\Y9Lb705rdKXGXOCu.exe

Sample File

Binary

Malicious

Also Known As	C:\Users\FD1HVy\AppData\Roaming\{79b77893-1c23-4bc7-8966-529ba4a72f96}.exe (Dropped File)
Mime Type	application/vnd.microsoft.portable-executable
File Size	218.50 KB
MD5	9a6aa1f9abc8bff81d6be600636b445d
SHA1	d52cc4d3ea29a5a34fbe4c7afbff83765a4db3fd
SHA256	39811d2e1a62564b80670c43315eeaab5ba9ae7dadeeb05ebadc9e0fc470939c
SSDeep	3072:254KqOhcIVib0MVSno3C3lK2lKoo95IB:lOR4bjQzs2to9G
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

PE Information

Image Base	0x400000
Entry Point	0x437fe2
Size Of Code	0x36000
Size Of Initialized Data	0x800
File Type	FileType.executable
Subsystem	Subsystem.windows_gui
Machine Type	MachineType.i386
Compile Timestamp	2070-09-24 02:10:07+00:00

Version Information (11)

Assembly Version	1.0.0.0
Comments	-
CompanyName	-
FileDescription	Bytelocker
FileVersion	1.0.0.0
InternalName	Bytelocker.exe
LegalCopyright	Copyright © 2019
LegalTrademarks	-
OriginalFilename	Bytelocker.exe
ProductName	Bytelocker
ProductVersion	1.0.0.0

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x402000	0x35fe8	0x36000	0x200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	4.63
.rsrc	0x438000	0x5bc	0x600	0x36200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.1
.reloc	0x43a000	0xc	0x200	0x36800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	0x0	0x402000	0x37fb5	0x361b5	0x0

Memory Dumps (2)

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	AV	YARA	Actions
y9lb705rdkxgxocu.exe	1	0x004F0000	0x0052BFFF	Relevant Image		32-bit	-			... Memory Dump Actions Go to Process Go to AV Match Download Dump
y9lb705rdkxgxocu.exe	1	0x004F0000	0x0052BFFF	Final Dump		32-bit	-			... Memory Dump Actions Go to Process Go to AV Match Download Dump

Local AV Matches (1)

Threat Name	Severity
Gen:Heur.Ransom.HiddenTears.1	Malicious

C:\Users\FD1HVy\Pictures\7B0ILplNwefpfXtyz_xS.jpg.bytcrypttmp

Dropped File

Stream

Unknown

Also Known As	C:\Users\FD1HVy\Pictures\7B0ILplNwefpfXtyz_xS.jpg (Dropped File)
Mime Type	application/octet-stream
File Size	83.27 KB
MD5	a52ac86d3c785148840bf18e462f0f1c
SHA1	697fae1271af6064f6197d8137b5133e29443d8e
SHA256	4b7d0f9731e3e77271f80ad5c3dabea0701f2308353091a5285d183556e73b2e
SSDeep	1536:OTiYJwBjJq38jIWW7B5txYglI4O7Pea/0q4c0lB73vaqiJOV0T9Pyu:OuYJwDe8jIWWtbxYgllakcYB735o80Th
ImpHash	-

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

WHOIS Domain Information

Before

After