VMRay Analyzer Report for Sample #609231
VMRay Analyzer 1.11.0

Analyzed Sample #609231 (Malware Artifacts)
  Sample-ID: #609231
  Submission-ID: #609231
  Job-ID: #661721
  Example B
  This sample was analyzed by VMRay Analyzer 1.11.0 on a Windows 10 system.
  VTI Score: 91 (based on VTI Database Version 2.2)

Metadata of Sample File #609231
  Path: C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe
  Type: exe
  MD5: 5babf25f698870abea3f10393a1abf31
  SHA1: 9c0ce809c87b54cbd8aa589a2644a74f7f656462
  SHA256: e6d5efed898e2e51a2782bb959b23e2ab3d9dd53bd4ff7f56019901f6fa93a76
  Opened_By: VMRay Analyzer

DNS resolutions
  URI www.msn.com Resolved_To Address 204.79.197.203
  URI go.microsoft.com Resolved_To Address 104.84.181.107

Process 1520: 9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe (parent process 2044)
  Command line: "C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe"
  Working directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
  Image path: c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe
  Operations recorded: Opened, Created
  Objects accessed:
    File STD_INPUT_HANDLE
    File STD_OUTPUT_HANDLE
    File STD_ERROR_HANDLE
    File c:\users\wi2yhmti onvscy7pe\desktop\� (file name not recoverable from the report)
    File c:\users\wi2yhmti onvscy7pe\desktop\.jpg (type: jpg)
    WinRegistryKey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (value: HostName)
    WinRegistryKey HKEY_CURRENT_USER
    WinRegistryKey HKEY_CURRENT_USER (listed with identifier 4194304)
    WinRegistryKey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum (value: 0)
    WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    File C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe (type: exe)

Process 520: explorer.exe (parent process 1520)
  Command line: explorer.exe
  Working directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
  Image path: c:\windows\syswow64\explorer.exe
  Operations recorded: Opened, Created, Deleted, Connected_To
  Objects accessed:
    File c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf
    File c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe (type: exe)
      MD5: 5babf25f698870abea3f10393a1abf31
      SHA1: 9c0ce809c87b54cbd8aa589a2644a74f7f656462
      SHA256: e6d5efed898e2e51a2782bb959b23e2ab3d9dd53bd4ff7f56019901f6fa93a76
      (identical hashes to the submitted sample; relations Copied_To / Copied_From with the desktop sample file)
    File c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe:zone.identifier
    File c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe (type: exe)
    File c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\wtrrifwf
    Mutex FCAA85F5B5437C4D7919D716988890AF30565E9E
    WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer (value: svcVersion)
    WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\<subkey> (values: HelpLink, URLInfoAbout), for each of these subkeys:
      AddressBook
      Connection Manager
      DirectDrawEx
      DXM_Runtime
      Fontcore
      IE40
      IE4Data
      IE5BAKEX
      IEData
      MobileOptionPack
      MPlayer2
      SchedulingAgent
      WIC
      {0D3E9E15-DE7A-300B-96F1-B4AF12B96488}
      {1D8E6291-B0D5-35EC-8441-6616F567A0F7}
      {37B8F9C7-03FB-3253-8781-2517C99D7C00}
      {5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
      {929FBD26-9020-399B-9A7A-751D61F0B942}
      {A749D8E6-B613-3BE3-8F5F-045C84EBA29B}
      {ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}
      {BC958BD2-5DAC-3862-BB1A-C1BE0790438D}
      {CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
    WinRegistryKey HKEY_CURRENT_USER\Software
    WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      Value written: AppDataLow = "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe" (REG_SZ)
    File C:\Windows\SysWOW64\explorer.exe (type: exe)
    SocketAddress www.msn.com:80 TCP
    NetworkSocket www.msn.com:80 TCP (Contains SocketAddress www.msn.com:80)
    NetworkConnection HTTP www.msn.com:80 (Contains URI http://www.msn.com/)

VTI rule matches

  Process | score 1/5 | vmray_allocate_wx_page
    Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
    -> Allocate a page with write and execute permissions

  Anti Analysis | score 2/5 | vmray_detect_generic_vm_by_registry
    Read out system information commonly used to detect VMs via the registry (value "0" in key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum").
    -> Try to detect virtual machine

  Anti Analysis | score 4/5 | vmray_illegitimate_api_usage_by_create_process_internal
    Internal API "CreateProcessInternalA" was used to start "explorer.exe".
    -> Illegitimate API usage

  Process | score 1/5 | vmray_create_process_with_hidden_window
    The process "explorer.exe" starts with a hidden window.
    -> Create process with hidden window

  Process | score 1/5 | vmray_read_from_remote_process
    "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" reads from "explorer.exe".
    -> Read from memory of another process

  Process | score 1/5 | vmray_install_ipc_endpoint
    Create mutex with name "FCAA85F5B5437C4D7919D716988890AF30565E9E".
    -> Create system object

  Hide Tracks | score 1/5 | vmray_delete_executed_executable
    Delete executable "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe".
    -> Delete file after execution

  Persistence | score 1/5 | vmray_install_startup_script_by_registry
    Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe" to Windows startup via registry.
    -> Install system startup script or application

  Injection | score 3/5 | vmray_modify_memory
    "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe".
    -> Write into memory of another process

  Network | score 1/5 | vmray_tcp_out_connection
    Outgoing TCP connection to host "www.msn.com:80".
    -> Connect to remote host

  Network | score 1/5 | vmray_tcp_out_connection
    Outgoing TCP connection to host "104.84.181.107:80".
    -> Connect to remote host

  Network | score 1/5 | vmray_download_data_http_request
    Url "http://www.msn.com/".
    -> Download data

  Network | score 1/5 | vmray_download_data_http_request
    Url "http://go.microsoft.com/fwlink/?LinkId=133405".
    -> Download data