VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Riskware, Wiper, Ransomware

680949c3c5b4b6ffdbe297fcb15096b5d53c8480d0c53ab4dd9801d711a78f31 (SHA256)

ransom_poc.exe

Windows Exe (x86-32)

Created at 2019-01-18 15:12:00

Notifications (1/1)

Every analysis has a preconfigured maximum VM disk size for temporary changes. This limit was reached during this analysis and, as a result, the analysis was terminated prematurely.

Filename Category Type Severity
c:\windows\JAMES\james_flag Created File Unknown
Whitelisted
Mime Type application/x-empty
File Size 0.00 KB
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
File Reputation Information
Severity
Whitelisted
First Seen 2011-05-27 11:27 (UTC+2)
Last Seen 2017-04-19 12:47 (UTC+2)
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ransom_poc.exe Sample File Binary
Unknown
Mime Type application/x-dosexec
File Size 134.50 KB
MD5 5ea82f3fecbebe37cf282c813a0b8466
SHA1 ee9f072a9c774f3a75ec2dc61cdca97c70196be5
SHA256 680949c3c5b4b6ffdbe297fcb15096b5d53c8480d0c53ab4dd9801d711a78f31
SSDeep 3072:skX/5R+RdZCrw3xieUnoVpboZoYztsQiQuo5c:skX/AXZUOboqjQ35
ImpHash 208424e0e795541cc838516fef4d77b4
PE Information
Image Base 0x400000
Entry Point 0x409ac2
Size Of Code 0x17800
Size Of Initialized Data 0x9e00
File Type executable
Subsystem windows_cui
Machine Type i386
Compile Timestamp 2018-11-07 06:54:16+00:00
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x17681 0x17800 0x400 cnt_code, mem_execute, mem_read 6.57
.rdata 0x419000 0x5e64 0x6000 0x17c00 cnt_initialized_data, mem_read 4.91
.data 0x41f000 0x347c 0x1600 0x1dc00 cnt_initialized_data, mem_read, mem_write 3.21
.rsrc 0x423000 0x318 0x400 0x1f200 cnt_initialized_data, mem_read 6.13
.reloc 0x424000 0x2330 0x2400 0x1f600 cnt_initialized_data, mem_discardable, mem_read 4.83
Imports (4)
KERNEL32.dll (91)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetModuleHandleA 0x0 0x41903c 0x1e51c 0x1d11c 0x215
FindResourceA 0x0 0x419040 0x1e520 0x1d120 0x14b
LoadResource 0x0 0x419044 0x1e524 0x1d124 0x341
LockResource 0x0 0x419048 0x1e528 0x1d128 0x354
SizeofResource 0x0 0x41904c 0x1e52c 0x1d12c 0x4b1
GetComputerNameA 0x0 0x419050 0x1e530 0x1d130 0x18c
RemoveDirectoryA 0x0 0x419054 0x1e534 0x1d134 0x400
GetVersionExA 0x0 0x419058 0x1e538 0x1d138 0x2a3
WinExec 0x0 0x41905c 0x1e53c 0x1d13c 0x512
CopyFileA 0x0 0x419060 0x1e540 0x1d140 0x70
GetModuleFileNameA 0x0 0x419064 0x1e544 0x1d144 0x213
DeleteFileA 0x0 0x419068 0x1e548 0x1d148 0xd3
SetFilePointer 0x0 0x41906c 0x1e54c 0x1d14c 0x466
WriteFile 0x0 0x419070 0x1e550 0x1d150 0x525
GetLastError 0x0 0x419074 0x1e554 0x1d154 0x202
ReadFile 0x0 0x419078 0x1e558 0x1d158 0x3c0
CloseHandle 0x0 0x41907c 0x1e55c 0x1d15c 0x52
GetFileSize 0x0 0x419080 0x1e560 0x1d160 0x1f0
CreateFileA 0x0 0x419084 0x1e564 0x1d164 0x88
FindClose 0x0 0x419088 0x1e568 0x1d168 0x12e
FindNextFileA 0x0 0x41908c 0x1e56c 0x1d16c 0x143
FindFirstFileA 0x0 0x419090 0x1e570 0x1d170 0x132
SetEndOfFile 0x0 0x419094 0x1e574 0x1d174 0x453
CreateFileW 0x0 0x419098 0x1e578 0x1d178 0x8f
SetStdHandle 0x0 0x41909c 0x1e57c 0x1d17c 0x487
CreateDirectoryA 0x0 0x4190a0 0x1e580 0x1d180 0x7c
GetLogicalDriveStringsA 0x0 0x4190a4 0x1e584 0x1d184 0x207
InterlockedIncrement 0x0 0x4190a8 0x1e588 0x1d188 0x2ef
InterlockedDecrement 0x0 0x4190ac 0x1e58c 0x1d18c 0x2eb
Sleep 0x0 0x4190b0 0x1e590 0x1d190 0x4b2
InitializeCriticalSection 0x0 0x4190b4 0x1e594 0x1d194 0x2e2
DeleteCriticalSection 0x0 0x4190b8 0x1e598 0x1d198 0xd1
EnterCriticalSection 0x0 0x4190bc 0x1e59c 0x1d19c 0xee
LeaveCriticalSection 0x0 0x4190c0 0x1e5a0 0x1d1a0 0x339
EncodePointer 0x0 0x4190c4 0x1e5a4 0x1d1a4 0xea
DecodePointer 0x0 0x4190c8 0x1e5a8 0x1d1a8 0xca
HeapFree 0x0 0x4190cc 0x1e5ac 0x1d1ac 0x2cf
HeapAlloc 0x0 0x4190d0 0x1e5b0 0x1d1b0 0x2cb
GetProcAddress 0x0 0x4190d4 0x1e5b4 0x1d1b4 0x245
GetModuleHandleW 0x0 0x4190d8 0x1e5b8 0x1d1b8 0x218
ExitProcess 0x0 0x4190dc 0x1e5bc 0x1d1bc 0x119
GetCommandLineA 0x0 0x4190e0 0x1e5c0 0x1d1c0 0x186
HeapSetInformation 0x0 0x4190e4 0x1e5c4 0x1d1c4 0x2d3
RtlUnwind 0x0 0x4190e8 0x1e5c8 0x1d1c8 0x418
WideCharToMultiByte 0x0 0x4190ec 0x1e5cc 0x1d1cc 0x511
LCMapStringW 0x0 0x4190f0 0x1e5d0 0x1d1d0 0x32d
MultiByteToWideChar 0x0 0x4190f4 0x1e5d4 0x1d1d4 0x367
GetCPInfo 0x0 0x4190f8 0x1e5d8 0x1d1d8 0x172
RaiseException 0x0 0x4190fc 0x1e5dc 0x1d1dc 0x3b1
TerminateProcess 0x0 0x419100 0x1e5e0 0x1d1e0 0x4c0
GetCurrentProcess 0x0 0x419104 0x1e5e4 0x1d1e4 0x1c0
UnhandledExceptionFilter 0x0 0x419108 0x1e5e8 0x1d1e8 0x4d3
SetUnhandledExceptionFilter 0x0 0x41910c 0x1e5ec 0x1d1ec 0x4a5
IsDebuggerPresent 0x0 0x419110 0x1e5f0 0x1d1f0 0x300
HeapCreate 0x0 0x419114 0x1e5f4 0x1d1f4 0x2cd
IsProcessorFeaturePresent 0x0 0x419118 0x1e5f8 0x1d1f8 0x304
SetHandleCount 0x0 0x41911c 0x1e5fc 0x1d1fc 0x46f
GetStdHandle 0x0 0x419120 0x1e600 0x1d200 0x264
InitializeCriticalSectionAndSpinCount 0x0 0x419124 0x1e604 0x1d204 0x2e3
GetFileType 0x0 0x419128 0x1e608 0x1d208 0x1f3
GetStartupInfoW 0x0 0x41912c 0x1e60c 0x1d20c 0x263
GetModuleFileNameW 0x0 0x419130 0x1e610 0x1d210 0x214
GetConsoleCP 0x0 0x419134 0x1e614 0x1d214 0x19a
GetConsoleMode 0x0 0x419138 0x1e618 0x1d218 0x1ac
LoadLibraryW 0x0 0x41913c 0x1e61c 0x1d21c 0x33f
GetLocaleInfoW 0x0 0x419140 0x1e620 0x1d220 0x206
TlsAlloc 0x0 0x419144 0x1e624 0x1d224 0x4c5
TlsGetValue 0x0 0x419148 0x1e628 0x1d228 0x4c7
TlsSetValue 0x0 0x41914c 0x1e62c 0x1d22c 0x4c8
TlsFree 0x0 0x419150 0x1e630 0x1d230 0x4c6
SetLastError 0x0 0x419154 0x1e634 0x1d234 0x473
GetCurrentThreadId 0x0 0x419158 0x1e638 0x1d238 0x1c5
FlushFileBuffers 0x0 0x41915c 0x1e63c 0x1d23c 0x157
FreeEnvironmentStringsW 0x0 0x419160 0x1e640 0x1d240 0x161
GetEnvironmentStringsW 0x0 0x419164 0x1e644 0x1d244 0x1da
QueryPerformanceCounter 0x0 0x419168 0x1e648 0x1d248 0x3a7
GetTickCount 0x0 0x41916c 0x1e64c 0x1d24c 0x293
GetCurrentProcessId 0x0 0x419170 0x1e650 0x1d250 0x1c1
GetSystemTimeAsFileTime 0x0 0x419174 0x1e654 0x1d254 0x279
HeapSize 0x0 0x419178 0x1e658 0x1d258 0x2d4
GetACP 0x0 0x41917c 0x1e65c 0x1d25c 0x168
GetOEMCP 0x0 0x419180 0x1e660 0x1d260 0x237
IsValidCodePage 0x0 0x419184 0x1e664 0x1d264 0x30a
GetUserDefaultLCID 0x0 0x419188 0x1e668 0x1d268 0x29b
GetLocaleInfoA 0x0 0x41918c 0x1e66c 0x1d26c 0x204
EnumSystemLocalesA 0x0 0x419190 0x1e670 0x1d270 0x10d
IsValidLocale 0x0 0x419194 0x1e674 0x1d274 0x30c
GetStringTypeW 0x0 0x419198 0x1e678 0x1d278 0x269
HeapReAlloc 0x0 0x41919c 0x1e67c 0x1d27c 0x2d2
WriteConsoleW 0x0 0x4191a0 0x1e680 0x1d280 0x524
GetProcessHeap 0x0 0x4191a4 0x1e684 0x1d284 0x24a
ADVAPI32.dll (12)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptGenKey 0x0 0x419000 0x1e4e0 0x1d0e0 0xc0
CryptDestroyHash 0x0 0x419004 0x1e4e4 0x1d0e4 0xb6
CryptGetHashParam 0x0 0x419008 0x1e4e8 0x1d0e8 0xc4
CryptHashData 0x0 0x41900c 0x1e4ec 0x1d0ec 0xc8
CryptCreateHash 0x0 0x419010 0x1e4f0 0x1d0f0 0xb3
CryptExportKey 0x0 0x419014 0x1e4f4 0x1d0f4 0xbf
CryptDestroyKey 0x0 0x419018 0x1e4f8 0x1d0f8 0xb7
CryptDecrypt 0x0 0x41901c 0x1e4fc 0x1d0fc 0xb4
CryptImportKey 0x0 0x419020 0x1e500 0x1d100 0xca
CryptEncrypt 0x0 0x419024 0x1e504 0x1d104 0xba
CryptAcquireContextA 0x0 0x419028 0x1e508 0x1d108 0xb0
CryptReleaseContext 0x0 0x41902c 0x1e50c 0x1d10c 0xcb
SHELL32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation 0x0 0x4191ac 0x1e68c 0x1d28c 0xdf
SHGetPathFromIDListA 0x0 0x4191b0 0x1e690 0x1d290 0xd5
CRYPT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptStringToBinaryA 0x0 0x419034 0x1e514 0x1d114 0xd8
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\ef23ed436bc1ea25e8a353e8da348db5_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f Created File Stream
Unknown
Mime Type application/octet-stream
File Size 0.05 KB
MD5 1ddcdb94900f6f4166fe71c5c698fca6
SHA1 69ce46c117d5e6f347c633c9c8fdbb64f7191d05
SHA256 d2a655c7fa9ced0cc83f4cc8dbd7655da324cab5e4883b413677f4c376dded85
SSDeep 3:/l1llAGAXl:u
Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.