62a41801...758d | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware, Ransomware, Downloader, Dropper, Trojan

CUsersHPAppDataLocal03562a36-8263-4270-b004-3b05eb1758e3E285.tmp.exe

Windows Exe (x86-32)

Created at 2019-07-13T15:56:00

Remarks (2/3)

(0x200000e): The overall sleep time of all monitored processes was truncated from "30 seconds" to "10 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

VMRay Threat Indicators (27 rules, 127 matches)

Severity | Category | Operation | Count | Classification

5/5 | Local AV | Malicious content was detected by heuristic scan | 8 | -
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\14eec914-0e8f-4440-8677-a8df15bdfc40\updatewin1.exe" as "Trojan.GenericKD.31534187".
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\14eec914-0e8f-4440-8677-a8df15bdfc40\updatewin2.exe" as "Trojan.AgentWDCR.SVC".
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\14eec914-0e8f-4440-8677-a8df15bdfc40\updatewin.exe" as "Trojan.AgentWDCR.SUF".
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\14eec914-0e8f-4440-8677-a8df15bdfc40\5.exe" as "Trojan.GenericKD.32145393".
  • Local AV detected a memory dump of process "cusershpappdatalocal03562a36-8263-4270-b004-3b05eb1758e3e285.tmp.exe" as "Gen:Variant.Graftor.594430".

5/5 | Reputation | Known malicious file | 5 | Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersHPAppDataLocal03562a36-8263-4270-b004-3b05eb1758e3E285.tmp.exe" is a known malicious file.
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\14eec914-0e8f-4440-8677-a8df15bdfc40\updatewin1.exe" is a known malicious file.
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\14eec914-0e8f-4440-8677-a8df15bdfc40\updatewin2.exe" is a known malicious file.
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\14eec914-0e8f-4440-8677-a8df15bdfc40\updatewin.exe" is a known malicious file.

4/5 | Network | Modifies network configuration | 1 | -
  • Modifies the host.conf file, probably to redirect network traffic.

4/5 | Information Stealing | Exhibits Spyware behavior | 1 | Spyware
  • Tries to read sensitive data of: Microsoft Outlook, Mozilla Firefox, Comodo IceDragon, Cyberfox, Internet Explorer / Edge.

4/5 | File System | Modifies content of user files | 1 | Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.

4/5 | File System | Renames user files | 1 | Ransomware
  • Renames multiple user files. This is an indicator for an encryption attempt.

4/5 | Reputation | Known malicious URL | 14 | -
  • Contacted URL "http://bronze2.hk/tesptc/penelop/updatewin1.exe" is a known malicious URL.
  • Contacted URL "http://bronze2.hk/tesptc/penelop/updatewin2.exe" is a known malicious URL.
  • Contacted URL "http://bronze2.hk/tesptc/penelop/updatewin.exe" is a known malicious URL.
  • Contacted URL "http://bronze2.hk/tesptc/penelop/3.exe" is a known malicious URL.
  • Contacted URL "http://bronze2.hk/tesptc/penelop/4.exe" is a known malicious URL.
  • Contacted URL "http://bronze2.hk/tesptc/penelop/5.exe" is a known malicious URL.
  • Contacted URL "bronze2.hk/1/index.php" is a known malicious URL.
  • Contacted URL "bronze2.hk" is a known malicious URL.
  • URL "http://bronze2.hk/tesptc/penelop/5.exe" embedded in file "analysis.pcap" is a known malicious URL.
  • URL "http://bronze2.hk/tesptc/penelop/updatewin1.exe" embedded in file "analysis.pcap" is a known malicious URL.
  • URL "http://bronze2.hk/tesptc/penelop/updatewin.exe" embedded in file "analysis.pcap" is a known malicious URL.
  • URL "http://bronze2.hk/tesptc/penelop/4.exe" embedded in file "analysis.pcap" is a known malicious URL.
  • URL "http://bronze2.hk/tesptc/penelop/3.exe" embedded in file "analysis.pcap" is a known malicious URL.
  • URL "http://bronze2.hk/tesptc/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL.

3/5 | Information Stealing | Reads cryptocurrency wallet locations | 2 | -

3/5 | Anti Analysis | Delays execution | 1 | -
  • Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\6b294fe4-e3b3-4741-b743-c8423c8d7aef\CUsersHPAppDataLocal03562a36-8263-4270-b004-3b05eb1758e3E285.tmp.exe", to be triggered by Time. Task has been rescheduled by the analyzer.

2/5 | Anti Analysis | Resolves APIs dynamically to possibly evade static detection | 1 | -

2/5 | Information Stealing | Reads sensitive browser data | 6 | -
  • Trying to read sensitive data of web browser "Mozilla Firefox" by file.
  • Trying to read sensitive data of web browser "Comodo IceDragon" by file.
  • Trying to read sensitive data of web browser "Cyberfox" by file.
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry.
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by file.

2/5 | Information Stealing | Reads sensitive mail data | 1 | -
  • Trying to read sensitive data of mail application "Microsoft Outlook" by registry.

2/5 | Information Stealing | Reads sensitive ftp data | 1 | -
  • Trying to read sensitive data of ftp application "FileZilla" by file.

2/5 | Information Stealing | Reads sensitive application data | 2 | -
  • Trying to read sensitive data of application "WinSCP" by registry.
  • Trying to read sensitive data of application "Pidgin" by file.

1/5 | Persistence | Installs system startup script or application | 1 | -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\6b294fe4-e3b3-4741-b743-c8423c8d7aef\CUsersHPAppDataLocal03562a36-8263-4270-b004-3b05eb1758e3E285.tmp.exe" --AutoStart" to Windows startup via registry.

1/5 | Process | Creates process with hidden window | 2 | -
  • The process "icacls" starts with hidden window.
  • The process "powershell" starts with hidden window.

1/5 | Process | Creates system object | 2 | -
  • Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}".
  • Creates mutex with name "A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69".

1/5 | File System | Modifies operating system directory | 1 | -

1/5 | Information Stealing | Reads system data | 1 | -
  • Reads the cryptographic machine GUID from registry.

1/5 | Information Stealing | Possibly does reconnaissance | 8 | -
  • Possibly trying to gather information about application "Mozilla Firefox" by file.
  • Possibly trying to gather information about application "Comodo IceDragon" by file.
  • Possibly trying to gather information about application "Cyberfox" by file.
  • Possibly trying to gather information about application "FileZilla" by file.
  • Possibly trying to gather information about application "WinSCP" by registry.
  • Possibly trying to gather information about application "Pidgin" by file.
  • Possibly trying to gather information about application "Monero" by registry.
  • Possibly trying to gather information about application "Bitcoin-Qt" by registry.

1/5 | File System | Creates an unusually large number of files | 1 | -

1/5 | Process | Overwrites code | 1 | -

1/5 | Network | Downloads file | 2 | -
  • Downloads file via http from "http://bronze1.hk/asd73456lHISJdhf6834hj23/Askjd48598hisdf/get.php?pid=6F1FD8FD0D4976892B2858396FD186FE&first=true".
  • Downloads file via http from "http://bronze1.hk/asd73456lHISJdhf6834hj23/Askjd48598hisdf/get.php?pid=6F1FD8FD0D4976892B2858396FD186FE".

1/5 | Network | Downloads executable | 4 | Downloader

1/5 | Network | Connects to HTTP server | 10 | -
  • URL "http://bronze1.hk/asd73456lHISJdhf6834hj23/Askjd48598hisdf/get.php?pid=6F1FD8FD0D4976892B2858396FD186FE&first=true".
  • URL "http://bronze2.hk/tesptc/penelop/updatewin1.exe".
  • URL "http://bronze2.hk/tesptc/penelop/updatewin2.exe".
  • URL "http://bronze2.hk/tesptc/penelop/updatewin.exe".
  • URL "http://bronze1.hk/asd73456lHISJdhf6834hj23/Askjd48598hisdf/get.php?pid=6F1FD8FD0D4976892B2858396FD186FE".

1/5 | PE | Drops PE file | 48 | Dropper

0/5 | Process | Enumerates running processes | 1 | -

Screenshots

Monitored Processes

Sample Information

ID #107399
MD5 60d8a2635761fc6413be207283a62df5
SHA1 a01783132bbff465f26e47a7d5bb2a27999d424d
SHA256 62a41801d8901c667a7b06ce2a41be7adc147857d4f6d5f724ea0d4eb2d1758d
SSDeep 12288:i644SL+ZzPnbWT6S2hx1gHlwNQSg6DMYM/CNR2X1fuN:inUm6rgHlwaSHYiR2FO
ImpHash 7a24230424ac145ce28bc4c346e7dd5e
Filename CUsersHPAppDataLocal03562a36-8263-4270-b004-3b05eb1758e3E285.tmp.exe
File Size 584.00 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-13 17:56 (UTC+2)
Analysis Duration 00:04:26
Number of Monitored Processes 13
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 9
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile