64ad5e61...5383 | VMRay Analyzer Report
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Dropper

Remarks (2/2)

(0x200000e): The overall sleep time of all monitored processes was truncated from "5 minutes, 30 seconds" to "1 minute, 10 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

VMRay Threat Indicators (15 rules, 25 matches)

Severity | Category | Operation | Count | Classification
5/5 | OS | Obscures a file's origin | 2 | -
4/5 | File System | Renames user files | 1 | Ransomware
  • Renames multiple user files. This is an indicator for an encryption attempt.
4/5 | Injection | Writes into the memory of another running process | 2 | -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\1.exe" modifies memory of "c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe".
  • "c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe" modifies memory of "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe".
4/5 | Injection | Modifies control flow of another process | 2 | -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\1.exe" alters context of "c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe".
  • "c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe" alters context of "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe".
3/5 | Anti Analysis | Tries to detect application sandbox | 1 | -
  • Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_unix_file_name".
3/5 | File System | Possibly drops ransom note files | 1 | Ransomware
  • Possibly drops ransom note files (creates 108 instances of the file "@@_README_@@.txt" in different locations).
3/5 | YARA | YARA match | 1 | -
2/5 | Anti Analysis | Tries to detect virtual machine | 2 | -
  • Reads out system information, commonly used to detect "VirtualBox" via registry. (Key is "HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions").
  • Reads out system information, commonly used to detect "VMware" via registry. (Key is "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools").
2/5 | Anti Analysis | Resolves APIs dynamically to possibly evade static detection | 1 | -
1/5 | Process | Creates system object | 2 | -
  • Creates mutex with name "frenchy_shellcode_003".
  • Creates mutex with name "92d3ce18e22c4e57b8d53faf2f44156a_logger".
1/5 | Process | Creates process with hidden window | 4 | -
  • The process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" starts with hidden window.
  • The process "cmd.exe" starts with hidden window.
  • The process "schtasks" starts with hidden window.
  • The process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" starts with hidden window.
1/5 | Process | Reads from memory of another process | 2 | -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\1.exe" reads from "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe".
  • "c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe" reads from "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe".
1/5 | Persistence | Installs system startup script or application | 2 | -
  • Adds "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\\java.exe" to Windows startup via registry.
  • Adds ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" e" to Windows startup via registry.
1/5 | File System | Creates an unusually large number of files | 1 | -
1/5 | PE | Drops PE file | 1 | Dropper
  • Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\regedit.exe".
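The indicators above (the 1.exe -> RegAsm.exe -> vbc.exe write-memory/alter-context chain, the two Run-key entries, and the ransom note written to many directories) translate directly into host-based detection logic. The following Python is an added example, not part of the VMRay report or VMRay's tooling: it runs three rules over a constructed Sysmon-style JSON-lines event log modelled on this report. The paths, PIDs, registry value names, the list of .NET host binaries treated as hollowing targets, and the threshold of five directories are assumptions for illustration.

```python
"""Triage rules derived from the sandbox indicators, applied to a
constructed Sysmon-style event stream (assumed format, not VMRay's)."""
import json
from collections import defaultdict

# Constructed sample log (JSON lines). Paths, PIDs and value names are illustrative.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Users\victim\Desktop\1.exe"},
    {"type": "process_create", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "process_create", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"},
    {"type": "process_create", "pid": 103, "ppid": 101,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry_set", "pid": 101,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "java", "data": r"C:\Users\victim\AppData\Local\Temp\java.exe"},
    {"type": "registry_set", "pid": 102,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "vbc", "data": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" e'},
] + [
    {"type": "file_create", "pid": 102,
     "path": rf"C:\Users\victim\Documents\dir{i}\@@_README_@@.txt"}
    for i in range(12)
])

# .NET framework hosts the report shows being written to and re-contexted
# (classic process-hollowing targets). Assumed list; extend for your estate.
HOLLOW_TARGETS = {"regasm.exe", "vbc.exe"}
SYSTEM_ROOTS = ("c:\\windows\\",)
USER_WRITABLE = ("\\users\\", "\\appdata\\local\\temp\\", "\\programdata\\")
RANSOM_NOTE_MIN_DIRS = 5  # assumed threshold for "same file name sprayed across directories"


def _base(path):
    """Lower-cased file name of a Windows path (works off-Windows too)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of findings ({rule, pid, detail}) for a JSON-lines event log."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []

    # Rule 1: a hollowing target spawned by a non-system binary, or by another target
    # (the report's 1.exe -> RegAsm.exe -> vbc.exe chain).
    for p in procs.values():
        name = _base(p["image"])
        parent = procs.get(p["ppid"])
        if name not in HOLLOW_TARGETS or parent is None:
            continue
        pimg = parent["image"].lower()
        pname = _base(pimg)
        if pname in HOLLOW_TARGETS or not pimg.startswith(SYSTEM_ROOTS):
            findings.append({"rule": "hollowing_chain", "pid": p["pid"],
                             "detail": f"{pname} -> {name}"})

    # Rule 2: Run-key values pointing into user-writable locations or at a
    # .NET host binary (vbc.exe with a trailing argument, as in the report).
    for e in events:
        if e["type"] != "registry_set" or not e["key"].lower().endswith("\\run"):
            continue
        data = e["data"].lower()
        if any(m in data for m in USER_WRITABLE) or any(t in data for t in HOLLOW_TARGETS):
            findings.append({"rule": "run_key_persistence", "pid": e["pid"],
                             "detail": e["data"]})

    # Rule 3: the same file name created in many distinct directories (ransom note spray).
    dirs_by_name = defaultdict(set)
    for e in events:
        if e["type"] == "file_create":
            directory, _, name = e["path"].rpartition("\\")
            dirs_by_name[name.lower()].add(directory.lower())
    for name, dirs in dirs_by_name.items():
        if len(dirs) >= RANSOM_NOTE_MIN_DIRS:
            findings.append({"rule": "ransom_note_spray", "pid": None,
                             "detail": f"{name} written to {len(dirs)} directories"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

Rule 1 is the one worth keeping after the sample is gone: RegAsm.exe and vbc.exe are legitimate framework binaries, so what makes the chain suspicious is the parent (a file on a user's desktop, then a framework host parenting another framework host), not the image names. The cmd.exe and schtasks processes are deliberately not flagged by name alone; tie them to the same ancestry before alerting on them.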

Screenshots

Monitored Processes

Sample Information

ID #97592
MD5 51bae3ef8cda64d0fc68fa101d9f4e08
SHA1 806af15ca70e3ff46717438011666892c02e8d52
SHA256 64ad5e61454fee018519a63a1475f8ac9d269ca5466c6d71eb92e30da17d5383
SSDeep 12288:nTCv7vkIyg16D0fpcZDHbE5lIJ639mu3wL5n+eKW4fmLyo0N/GG:nT2BED0fpMDHbE0QwvKW4+Wo+
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Filename 1.exe
File Size 747.00 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-03 17:12 (UTC+2)
Analysis Duration 00:04:26
Number of Monitored Processes 12
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 0
Number of YARA Matches 1
Termination Reason Timeout