574b7439...b0ea | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Spyware, Trojan

VMRay Threat Indicators (15 rules, 77 matches)

Severity Category Operation Count Classification
5/5
Local AV Malicious content was detected by heuristic scan 1 -
5/5
Reputation Known malicious file 1 Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Server.exe" is a known malicious file.
4/5
File System Modifies content of user files 1 Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.
4/5
File System Renames user files 1 Ransomware
  • Renames multiple user files. This is an indicator for an encryption attempt.
4/5
Information Stealing Exhibits Spyware behavior 1 Spyware
  • Tries to read sensitive data of: Windows Mail, Google Chrome, Internet Explorer / Edge.
3/5
Anti Analysis Tries to detect application sandbox 1 -
  • Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_version".
3/5
File System Possibly drops ransom note files 1 Ransomware
  • Possibly drops ransom note files (creates 36 instances of the file "@ READ ME TO RECOVER FILES @.txt" in different locations).
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection 1 -
2/5
Information Stealing Reads sensitive browser data 3 -
  • Trying to read sensitive data of web browser "Google Chrome" by file.
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by file.
  • Trying to read sensitive data of web browser "Mozilla Firefox" by file.
2/5
Information Stealing Reads sensitive mail data 1 -
  • Trying to read sensitive data of mail application "Windows Mail" by file.
1/5
Masquerade Changes folder appearance 61 -
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\1nbur4hr" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\6asvn7j7" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\d68g7bij" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\kqmhsvkd" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows mail\stationery" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\history\history.ie5" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\03j4uqw0" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\ketajp6d" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\vb18b0kb" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\xt1rpyg9" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\contacts" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\desktop" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\documents" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\documents\my shapes" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\downloads" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\favorites" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\favorites\links" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\links" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\music" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\pictures" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\saved games" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\searches" has a changed appearance.
  • Folder "c:\users\5p5nrgjn0js halpmcxz\videos" has a changed appearance.
  • Folder "c:\users\default\appdata\local\microsoft\feeds cache" has a changed appearance.
  • Folder "c:\users\default\appdata\local\microsoft\feeds cache\1nbur4hr" has a changed appearance.
  • Folder "c:\users\default\appdata\local\microsoft\feeds cache\6asvn7j7" has a changed appearance.
  • Folder "c:\users\default\appdata\local\microsoft\feeds cache\d68g7bij" has a changed appearance.
  • Folder "c:\users\default\appdata\local\microsoft\feeds cache\kqmhsvkd" has a changed appearance.
  • Folder "c:\users\default\appdata\local\microsoft\windows mail\stationery" has a changed appearance.
  • Folder "c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch" has a changed appearance.
  • Folder "c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" has a changed appearance.
  • Folder "c:\users\default\contacts" has a changed appearance.
  • Folder "c:\users\default\desktop" has a changed appearance.
  • Folder "c:\users\default\documents" has a changed appearance.
  • Folder "c:\users\default\downloads" has a changed appearance.
  • Folder "c:\users\default\favorites" has a changed appearance.
  • Folder "c:\users\default\favorites\links" has a changed appearance.
  • Folder "c:\users\default\links" has a changed appearance.
  • Folder "c:\users\default\music" has a changed appearance.
  • Folder "c:\users\default\pictures" has a changed appearance.
  • Folder "c:\users\default\saved games" has a changed appearance.
  • Folder "c:\users\default\searches" has a changed appearance.
  • Folder "c:\users\default\videos" has a changed appearance.
  • Folder "c:\users\public" has a changed appearance.
  • Folder "c:\users\public\desktop" has a changed appearance.
  • Folder "c:\users\public\documents" has a changed appearance.
  • Folder "c:\users\public\downloads" has a changed appearance.
  • Folder "c:\users\public\libraries" has a changed appearance.
  • Folder "c:\users\public\music" has a changed appearance.
  • Folder "c:\users\public\music\sample music" has a changed appearance.
  • Folder "c:\users\public\pictures" has a changed appearance.
  • Folder "c:\users\public\pictures\sample pictures" has a changed appearance.
  • Folder "c:\users\public\recorded tv" has a changed appearance.
  • Folder "c:\users\public\recorded tv\sample media" has a changed appearance.
  • Folder "c:\users\public\videos" has a changed appearance.
  • Folder "c:\users\public\videos\sample videos" has a changed appearance.
1/5
Information Stealing Possibly does reconnaissance 1 -
  • Possibly trying to gather information about application "Mozilla Firefox" by file.
1/5
Process Creates process with hidden window 1 -
  • The process "C:\Windows\system32\cmd.exe" starts with hidden window.
1/5
Network Performs DNS request 1 -
1/5
PE The PE file was created with a packer 1 -
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Server.exe" is packed with "PECompact 2.xx --> BitSum Technologies".

Screenshots

Monitored Processes

Sample Information

ID #101271
MD5 7fd8fc98d8028afb6426244e61524b69
SHA1 e061a99ec0fed47f51651335f4b7097c52e80222
SHA256 574b7439b7469ed10331f4f383da0631a78c71b388eab0db1399d8606108b0ea
SSDeep 24576:BXTxz60xIcx/8RwE6EXOdU+gDK0SAxaQlH:BVz60jRuXO/ge0Sgac
ImpHash 09d0478591d4f788cb3e5ea416c25237
Filename Server.exe
File Size 804.50 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-07 13:30 (UTC+2)
Analysis Duration 00:02:40
Number of Monitored Processes 3
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 1
Number of YARA Matches 0
Termination Reason All processes terminated
Tags
Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Screenshot panels: Before / After (images not included in this extract).