50acad3a...d011

VTI SCORE: 91/100

Target:

win7_32_sp1 | exe

Classification:

Trojan, Ransomware

50acad3ad48ff10b990c2af3f4fc41068b3739e5ae020531887cb081ed92d011 (SHA256)

31d65e315115c823f619a381576984f8.exe

Windows Exe (x86-32)

Created at 2018-05-29 20:33:00

Notifications (1/1)

The operating system was rebooted during the analysis because the sample installed a startup script or application for persistence.

Severity	Category	Operation	Classification
4/5	File System	Renames user files	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Function Call
4/5	File System	Associated with malicious files	Trojan
File "c:\users\eebsym5\desktop\31d65e315115c823f619a381576984f8.exe" is a known malicious file. ... VTI Actions Go to File Details
3/5	Persistence	Modifies startup configuration	-
Modifies the boot configuration by editing "c:\autoexec.bat". ... VTI Actions Go to Function Call
1/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Function Call
1/5	Network	Performs DNS request	-
Resolves host name "host1681251.hostland.pro". ... VTI Actions Go to Function Call
Resolves host name "www.geoplugin.net". ... VTI Actions Go to Function Call
1/5	Persistence	Installs system startup script or application	-
Adds ""C:\Users\EEBsYm5\Desktop\31d65e315115c823f619a381576984f8.exe" e" to Windows startup via registry. ... VTI Actions Go to Function Call
1/5	File System	Modifies application directory	-
Modifies "c:\program files\adobe\reader 10.0\reader\idtemplates\cat\adobeid.pdf". ... VTI Actions Go to Function Call
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to File Details
1/5	Network	Connects to remote host	-
Outgoing TCP connection to host "185.26.122.70:80". ... VTI Actions Go to Function Call
Outgoing TCP connection to host "178.237.36.10:80". ... VTI Actions Go to Function Call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Before

After