VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Threat Names:
Gen:Variant.Ursu.282611
Trojan.Ransom.AIG
Mal/Generic-S
Filename C:\Users\FD1HVy\Desktop\dddd.exe
Category Sample File
Type Binary
Severity Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 583.50 KB
MD5 74d4e0e6dcf5cc7942c35e630036af0c
SHA1 c7c4bb3907344aed022d181eb73f8fd812e06f88
SHA256 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901
SSDeep 12288:5D+7m+CQXYm2o0PTYRPA6PHoVhVtknag6g6n+9iuE5vt+PC3H8H:I7mYRyGA6PIzVtknRJ6notmH8H
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Severity
Blacklisted
Names Mal/Generic-S
PE Information
Image Base 0x400000
Entry Point 0x46b6be
Size Of Code 0x69800
Size Of Initialized Data 0x28400
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-10-05 05:30:46+00:00
Version Information (8)
Assembly Version 3.8.5150.0
FileDescription Python 3.8.5 (32-bit)
FileVersion 3.8.5150.0
InternalName dddd.exe
LegalCopyright Copyright (c) Python Software Foundation. All rights reserved.
OriginalFilename dddd.exe
ProductName Python 3.8.5 (32-bit)
ProductVersion 3.8.5150.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x696c4 0x69800 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.73
.rsrc 0x46c000 0x280e8 0x28200 0x69a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.51
.reloc 0x496000 0xc 0x200 0x91c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x402000 0x6b698 0x69898 0x0
Icons (1)
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
dddd.exe 1 0x00A70000 0x00B07FFF Relevant Image True 64-bit - False False
buffer 1 0x01000000 0x01000FFF First Execution False 64-bit 0x01000000 False False
clrjit.dll 1 0x7FFCC8420000 0x7FFCC8533FFF First Execution True 64-bit 0x7FFCC848B400 False False
Local AV Matches (1)
Threat Name Severity
Gen:Variant.Ursu.282611 Malicious
Filename C:\Users\FD1HVy\AppData\Local\Temp\javas.exe
Category Dropped File
Type Binary
Severity Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 190.00 KB
MD5 e46f463d3ddfd786dcab524aeb34746b
SHA1 0f55e461691889d9899e15cf751d0ba3329dd05a
SHA256 d87d5bddcee15516688768c38cd60e4a0083abe1d80718bbbab9cefacf330b85
SSDeep 3072:4UQmXEjODtrv7tkcev4UA9hHCZBzmJf0up3OTf5PGa1zgltgmt7b8Ex+E1aqoghG:0m0jODtCci4b3HCLmtnLQ8ada
ImpHash a3581bfe28e762682dbc13d06bf2fda0
PE Information
Image Base 0x400000
Entry Point 0x8ea9d0
Size Of Code 0x11000
Size Of Initialized Data 0x1f000
Size Of Uninitialized Data 0x4d9000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2012-01-29 18:49:03+00:00
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
UPX0 0x401000 0x4d9000 0x0 0x200 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
UPX1 0x8da000 0x11000 0x10c00 0x200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.54
.rsrc 0x8eb000 0x1f000 0x1ea00 0x10e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.59
Imports (7)
KERNEL32.DLL (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadLibraryA 0x0 0x909708 0x509708 0x2f508 0x0
GetProcAddress 0x0 0x90970c 0x50970c 0x2f50c 0x0
VirtualProtect 0x0 0x909710 0x509710 0x2f510 0x0
VirtualAlloc 0x0 0x909714 0x509714 0x2f514 0x0
VirtualFree 0x0 0x909718 0x509718 0x2f518 0x0
ExitProcess 0x0 0x90971c 0x50971c 0x2f51c 0x0
advapi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCloseKey 0x0 0x909724 0x509724 0x2f524 0x0
comctl32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InitCommonControls 0x0 0x90972c 0x50972c 0x2f52c 0x0
gdi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateFontIndirectA 0x0 0x909734 0x509734 0x2f534 0x0
shell32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteA 0x0 0x90973c 0x50973c 0x2f53c 0x0
shlwapi.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PathMatchSpecA 0x0 0x909744 0x509744 0x2f544 0x0
user32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EndPaint 0x0 0x90974c 0x50974c 0x2f54c 0x0
Local AV Matches (1)
Threat Name Severity
Trojan.Ransom.AIG Malicious
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Screenshot