VTI SCORE: 100/100
Dynamic Analysis Report

Classification | Ransomware, Trojan |
Threat Names | Generic.Ransom.Antefrigus.9438A566, Win32.Trojan.Delshad |

sqfaea.exe
Windows Exe (x86-32)
Created at 2020-02-01T08:39:00
Remarks (1/1)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "15 seconds" to "10 seconds" to reveal dormant functionality.
This is a filtered view: the list contains only the embedded files, downloaded files, and dropped files.
Filename | Category | Type | Severity |
---|---|---|---|
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sqfaea.exe | Sample File | Binary | Malicious |
File Reputation Information
Severity | Blacklisted |
First Seen | 2020-01-20 09:00 (UTC+1) |
Last Seen | 2020-02-01 09:28 (UTC+1) |
Names | Win32.Trojan.Delshad |
Families | Delshad |
Classification | Trojan |
PE Information
Image Base | 0x400000 |
Entry Point | 0x4662f0 |
Size Of Code | 0x28000 |
Size Of Initialized Data | 0x1000 |
Size Of Uninitialized Data | 0x3e000 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_cui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2020-01-16 12:34:29+00:00 |
Packer | UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
UPX0 | 0x401000 | 0x3e000 | 0x0 | 0x400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
UPX1 | 0x43f000 | 0x28000 | 0x27600 | 0x400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.93 |
.rsrc | 0x467000 | 0x1000 | 0x400 | 0x27a00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.34 |
Imports (4)
KERNEL32.DLL (6)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
LoadLibraryA | 0x0 | 0x467248 | 0x67248 | 0x27c48 | 0x0 |
GetProcAddress | 0x0 | 0x46724c | 0x6724c | 0x27c4c | 0x0 |
VirtualProtect | 0x0 | 0x467250 | 0x67250 | 0x27c50 | 0x0 |
VirtualAlloc | 0x0 | 0x467254 | 0x67254 | 0x27c54 | 0x0 |
VirtualFree | 0x0 | 0x467258 | 0x67258 | 0x27c58 | 0x0 |
ExitProcess | 0x0 | 0x46725c | 0x6725c | 0x27c5c | 0x0 |
ADVAPI32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegCloseKey | 0x0 | 0x467264 | 0x67264 | 0x27c64 | 0x0 |
USER32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShowWindow | 0x0 | 0x46726c | 0x6726c | 0x27c6c | 0x0 |
WININET.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
InternetOpenW | 0x0 | 0x467274 | 0x67274 | 0x27c74 | 0x0 |
Local AV Matches (1)
Threat Name | Severity |
---|---|
Generic.Ransom.Antefrigus.9438A566 | Malicious |
Dropped Files
Filename | Category | Type | Severity | Reputation First Seen | Reputation Last Seen |
---|---|---|---|---|---|
(filename not present in the extracted listing) | | | Whitelisted | 2013-03-17 16:12 (UTC+1) | 2019-04-17 13:50 (UTC+2) |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Local/Temp/Cookies/index.dat.bbadc | Dropped File | Stream | Whitelisted | 2011-05-28 23:39 (UTC+2) | 2019-07-12 16:06 (UTC+2) |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/Microsoft/Network/Connections/Pbk/_hiddenPbk/rasphone.pbk.bbadc | Dropped File | Stream | Whitelisted | 2011-05-31 11:47 (UTC+2) | 2020-01-05 10:10 (UTC+1) |
C:/Users/5p5NrGJn0jS HALPmcxz/Downloads/desktop.ini.bbadc | Dropped File | Text | Whitelisted | 2013-01-29 10:18 (UTC+1) | 2019-09-17 11:48 (UTC+2) |
C:/Users/5p5NrGJn0jS HALPmcxz/Saved Games/desktop.ini.bbadc | Dropped File | Text | Whitelisted | 2013-03-17 16:08 (UTC+1) | 2019-04-17 13:50 (UTC+2) |
C:/MSOCache/All Users/{90140000-0016-0409-1000-0000000FF1CE}-C/ExcelLR.cab.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-0016-0409-1000-0000000FF1CE}-C/ExcelMUI.msi.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-0016-0409-1000-0000000FF1CE}-C/ExcelMUI.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-0016-0409-1000-0000000FF1CE}-C/Setup.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-0018-0409-1000-0000000FF1CE}-C/PowerPointMUI.msi.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-0018-0409-1000-0000000FF1CE}-C/PowerPointMUI.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-0018-0409-1000-0000000FF1CE}-C/Setup.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-0019-0409-1000-0000000FF1CE}-C/PublisherMUI.msi.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-0019-0409-1000-0000000FF1CE}-C/PublisherMUI.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-0019-0409-1000-0000000FF1CE}-C/PubLR.cab.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-0019-0409-1000-0000000FF1CE}-C/Setup.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-001A-0409-1000-0000000FF1CE}-C/OutlkLR.cab.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-001A-0409-1000-0000000FF1CE}-C/OutlookMUI.msi.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-001A-0409-1000-0000000FF1CE}-C/OutlookMUI.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-001A-0409-1000-0000000FF1CE}-C/Setup.xml.bbadc | Dropped File | Text | Unknown | | |
C:/MSOCache/All Users/{90140000-0115-0409-1000-0000000FF1CE}-C/OfficeMUI.msi.bbadc | Dropped File | Stream | Unknown | | |
C:/MSOCache/All Users/{90140000-0115-0409-1000-0000000FF1CE}-C/1033/dwintl20.dll.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Local/Adobe/Color/ACECache11.lst.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Local/Microsoft/FORMS/FRMCACHE.DAT.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Local/Temp/oxWc1bfIw0.avi | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/OipkaHKh.bmp.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/Microsoft/Document Building Blocks/1033/14/Built-In Building Blocks.dotx.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/Microsoft/MS Project/14/1033/Global.MPT.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/Microsoft/Office/MSO1033.acl.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/Microsoft/Publisher Building Blocks/ContentStore.xml.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/Microsoft/Templates/Normal.dotm.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/AppData/Roaming/Microsoft/UProof/CUSTOM.DIC.bbadc | Dropped File | Stream | Unknown | | |
C:/Users/5p5NrGJn0jS HALPmcxz/Documents/DythYZf1DZqfSUtTi_x.xlsx.bbadc | Dropped File | Stream | Unknown | | |