VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Riskware, Wiper, Ransomware
SHA256: 680949c3c5b4b6ffdbe297fcb15096b5d53c8480d0c53ab4dd9801d711a78f31
ransom_poc.exe
Windows Exe (x86-32)
Created at 2019-01-18 15:12:00
Notifications (1/1)
Every analysis has a preconfigured maximum VM disk size for temporary changes. This limit was reached during this analysis and, as a result, the analysis was terminated prematurely.
This is a filtered view
This list contains only the embedded files and created files
Filename | Category | Type | Severity | Actions |
---|---|---|---|---|
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ransom_poc.exe | Sample File | Binary | Unknown | ... |

File Reputation Information
Severity | Whitelisted |
First Seen | 2011-05-27 11:27 (UTC+2) |
Last Seen | 2017-04-19 12:47 (UTC+2) |
PE Information
Image Base | 0x400000 |
Entry Point | 0x409ac2 |
Size Of Code | 0x17800 |
Size Of Initialized Data | 0x9e00 |
File Type | executable |
Subsystem | windows_cui |
Machine Type | i386 |
Compile Timestamp | 2018-11-07 06:54:16+00:00 |
Sections (5)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0x17681 | 0x17800 | 0x400 | cnt_code, mem_execute, mem_read | 6.57 |
.rdata | 0x419000 | 0x5e64 | 0x6000 | 0x17c00 | cnt_initialized_data, mem_read | 4.91 |
.data | 0x41f000 | 0x347c | 0x1600 | 0x1dc00 | cnt_initialized_data, mem_read, mem_write | 3.21 |
.rsrc | 0x423000 | 0x318 | 0x400 | 0x1f200 | cnt_initialized_data, mem_read | 6.13 |
.reloc | 0x424000 | 0x2330 | 0x2400 | 0x1f600 | cnt_initialized_data, mem_discardable, mem_read | 4.83 |
Imports (4)
KERNEL32.dll (91)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetModuleHandleA | 0x0 | 0x41903c | 0x1e51c | 0x1d11c | 0x215 |
FindResourceA | 0x0 | 0x419040 | 0x1e520 | 0x1d120 | 0x14b |
LoadResource | 0x0 | 0x419044 | 0x1e524 | 0x1d124 | 0x341 |
LockResource | 0x0 | 0x419048 | 0x1e528 | 0x1d128 | 0x354 |
SizeofResource | 0x0 | 0x41904c | 0x1e52c | 0x1d12c | 0x4b1 |
GetComputerNameA | 0x0 | 0x419050 | 0x1e530 | 0x1d130 | 0x18c |
RemoveDirectoryA | 0x0 | 0x419054 | 0x1e534 | 0x1d134 | 0x400 |
GetVersionExA | 0x0 | 0x419058 | 0x1e538 | 0x1d138 | 0x2a3 |
WinExec | 0x0 | 0x41905c | 0x1e53c | 0x1d13c | 0x512 |
CopyFileA | 0x0 | 0x419060 | 0x1e540 | 0x1d140 | 0x70 |
GetModuleFileNameA | 0x0 | 0x419064 | 0x1e544 | 0x1d144 | 0x213 |
DeleteFileA | 0x0 | 0x419068 | 0x1e548 | 0x1d148 | 0xd3 |
SetFilePointer | 0x0 | 0x41906c | 0x1e54c | 0x1d14c | 0x466 |
WriteFile | 0x0 | 0x419070 | 0x1e550 | 0x1d150 | 0x525 |
GetLastError | 0x0 | 0x419074 | 0x1e554 | 0x1d154 | 0x202 |
ReadFile | 0x0 | 0x419078 | 0x1e558 | 0x1d158 | 0x3c0 |
CloseHandle | 0x0 | 0x41907c | 0x1e55c | 0x1d15c | 0x52 |
GetFileSize | 0x0 | 0x419080 | 0x1e560 | 0x1d160 | 0x1f0 |
CreateFileA | 0x0 | 0x419084 | 0x1e564 | 0x1d164 | 0x88 |
FindClose | 0x0 | 0x419088 | 0x1e568 | 0x1d168 | 0x12e |
FindNextFileA | 0x0 | 0x41908c | 0x1e56c | 0x1d16c | 0x143 |
FindFirstFileA | 0x0 | 0x419090 | 0x1e570 | 0x1d170 | 0x132 |
SetEndOfFile | 0x0 | 0x419094 | 0x1e574 | 0x1d174 | 0x453 |
CreateFileW | 0x0 | 0x419098 | 0x1e578 | 0x1d178 | 0x8f |
SetStdHandle | 0x0 | 0x41909c | 0x1e57c | 0x1d17c | 0x487 |
CreateDirectoryA | 0x0 | 0x4190a0 | 0x1e580 | 0x1d180 | 0x7c |
GetLogicalDriveStringsA | 0x0 | 0x4190a4 | 0x1e584 | 0x1d184 | 0x207 |
InterlockedIncrement | 0x0 | 0x4190a8 | 0x1e588 | 0x1d188 | 0x2ef |
InterlockedDecrement | 0x0 | 0x4190ac | 0x1e58c | 0x1d18c | 0x2eb |
Sleep | 0x0 | 0x4190b0 | 0x1e590 | 0x1d190 | 0x4b2 |
InitializeCriticalSection | 0x0 | 0x4190b4 | 0x1e594 | 0x1d194 | 0x2e2 |
DeleteCriticalSection | 0x0 | 0x4190b8 | 0x1e598 | 0x1d198 | 0xd1 |
EnterCriticalSection | 0x0 | 0x4190bc | 0x1e59c | 0x1d19c | 0xee |
LeaveCriticalSection | 0x0 | 0x4190c0 | 0x1e5a0 | 0x1d1a0 | 0x339 |
EncodePointer | 0x0 | 0x4190c4 | 0x1e5a4 | 0x1d1a4 | 0xea |
DecodePointer | 0x0 | 0x4190c8 | 0x1e5a8 | 0x1d1a8 | 0xca |
HeapFree | 0x0 | 0x4190cc | 0x1e5ac | 0x1d1ac | 0x2cf |
HeapAlloc | 0x0 | 0x4190d0 | 0x1e5b0 | 0x1d1b0 | 0x2cb |
GetProcAddress | 0x0 | 0x4190d4 | 0x1e5b4 | 0x1d1b4 | 0x245 |
GetModuleHandleW | 0x0 | 0x4190d8 | 0x1e5b8 | 0x1d1b8 | 0x218 |
ExitProcess | 0x0 | 0x4190dc | 0x1e5bc | 0x1d1bc | 0x119 |
GetCommandLineA | 0x0 | 0x4190e0 | 0x1e5c0 | 0x1d1c0 | 0x186 |
HeapSetInformation | 0x0 | 0x4190e4 | 0x1e5c4 | 0x1d1c4 | 0x2d3 |
RtlUnwind | 0x0 | 0x4190e8 | 0x1e5c8 | 0x1d1c8 | 0x418 |
WideCharToMultiByte | 0x0 | 0x4190ec | 0x1e5cc | 0x1d1cc | 0x511 |
LCMapStringW | 0x0 | 0x4190f0 | 0x1e5d0 | 0x1d1d0 | 0x32d |
MultiByteToWideChar | 0x0 | 0x4190f4 | 0x1e5d4 | 0x1d1d4 | 0x367 |
GetCPInfo | 0x0 | 0x4190f8 | 0x1e5d8 | 0x1d1d8 | 0x172 |
RaiseException | 0x0 | 0x4190fc | 0x1e5dc | 0x1d1dc | 0x3b1 |
TerminateProcess | 0x0 | 0x419100 | 0x1e5e0 | 0x1d1e0 | 0x4c0 |
GetCurrentProcess | 0x0 | 0x419104 | 0x1e5e4 | 0x1d1e4 | 0x1c0 |
UnhandledExceptionFilter | 0x0 | 0x419108 | 0x1e5e8 | 0x1d1e8 | 0x4d3 |
SetUnhandledExceptionFilter | 0x0 | 0x41910c | 0x1e5ec | 0x1d1ec | 0x4a5 |
IsDebuggerPresent | 0x0 | 0x419110 | 0x1e5f0 | 0x1d1f0 | 0x300 |
HeapCreate | 0x0 | 0x419114 | 0x1e5f4 | 0x1d1f4 | 0x2cd |
IsProcessorFeaturePresent | 0x0 | 0x419118 | 0x1e5f8 | 0x1d1f8 | 0x304 |
SetHandleCount | 0x0 | 0x41911c | 0x1e5fc | 0x1d1fc | 0x46f |
GetStdHandle | 0x0 | 0x419120 | 0x1e600 | 0x1d200 | 0x264 |
InitializeCriticalSectionAndSpinCount | 0x0 | 0x419124 | 0x1e604 | 0x1d204 | 0x2e3 |
GetFileType | 0x0 | 0x419128 | 0x1e608 | 0x1d208 | 0x1f3 |
GetStartupInfoW | 0x0 | 0x41912c | 0x1e60c | 0x1d20c | 0x263 |
GetModuleFileNameW | 0x0 | 0x419130 | 0x1e610 | 0x1d210 | 0x214 |
GetConsoleCP | 0x0 | 0x419134 | 0x1e614 | 0x1d214 | 0x19a |
GetConsoleMode | 0x0 | 0x419138 | 0x1e618 | 0x1d218 | 0x1ac |
LoadLibraryW | 0x0 | 0x41913c | 0x1e61c | 0x1d21c | 0x33f |
GetLocaleInfoW | 0x0 | 0x419140 | 0x1e620 | 0x1d220 | 0x206 |
TlsAlloc | 0x0 | 0x419144 | 0x1e624 | 0x1d224 | 0x4c5 |
TlsGetValue | 0x0 | 0x419148 | 0x1e628 | 0x1d228 | 0x4c7 |
TlsSetValue | 0x0 | 0x41914c | 0x1e62c | 0x1d22c | 0x4c8 |
TlsFree | 0x0 | 0x419150 | 0x1e630 | 0x1d230 | 0x4c6 |
SetLastError | 0x0 | 0x419154 | 0x1e634 | 0x1d234 | 0x473 |
GetCurrentThreadId | 0x0 | 0x419158 | 0x1e638 | 0x1d238 | 0x1c5 |
FlushFileBuffers | 0x0 | 0x41915c | 0x1e63c | 0x1d23c | 0x157 |
FreeEnvironmentStringsW | 0x0 | 0x419160 | 0x1e640 | 0x1d240 | 0x161 |
GetEnvironmentStringsW | 0x0 | 0x419164 | 0x1e644 | 0x1d244 | 0x1da |
QueryPerformanceCounter | 0x0 | 0x419168 | 0x1e648 | 0x1d248 | 0x3a7 |
GetTickCount | 0x0 | 0x41916c | 0x1e64c | 0x1d24c | 0x293 |
GetCurrentProcessId | 0x0 | 0x419170 | 0x1e650 | 0x1d250 | 0x1c1 |
GetSystemTimeAsFileTime | 0x0 | 0x419174 | 0x1e654 | 0x1d254 | 0x279 |
HeapSize | 0x0 | 0x419178 | 0x1e658 | 0x1d258 | 0x2d4 |
GetACP | 0x0 | 0x41917c | 0x1e65c | 0x1d25c | 0x168 |
GetOEMCP | 0x0 | 0x419180 | 0x1e660 | 0x1d260 | 0x237 |
IsValidCodePage | 0x0 | 0x419184 | 0x1e664 | 0x1d264 | 0x30a |
GetUserDefaultLCID | 0x0 | 0x419188 | 0x1e668 | 0x1d268 | 0x29b |
GetLocaleInfoA | 0x0 | 0x41918c | 0x1e66c | 0x1d26c | 0x204 |
EnumSystemLocalesA | 0x0 | 0x419190 | 0x1e670 | 0x1d270 | 0x10d |
IsValidLocale | 0x0 | 0x419194 | 0x1e674 | 0x1d274 | 0x30c |
GetStringTypeW | 0x0 | 0x419198 | 0x1e678 | 0x1d278 | 0x269 |
HeapReAlloc | 0x0 | 0x41919c | 0x1e67c | 0x1d27c | 0x2d2 |
WriteConsoleW | 0x0 | 0x4191a0 | 0x1e680 | 0x1d280 | 0x524 |
GetProcessHeap | 0x0 | 0x4191a4 | 0x1e684 | 0x1d284 | 0x24a |
ADVAPI32.dll (12)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CryptGenKey | 0x0 | 0x419000 | 0x1e4e0 | 0x1d0e0 | 0xc0 |
CryptDestroyHash | 0x0 | 0x419004 | 0x1e4e4 | 0x1d0e4 | 0xb6 |
CryptGetHashParam | 0x0 | 0x419008 | 0x1e4e8 | 0x1d0e8 | 0xc4 |
CryptHashData | 0x0 | 0x41900c | 0x1e4ec | 0x1d0ec | 0xc8 |
CryptCreateHash | 0x0 | 0x419010 | 0x1e4f0 | 0x1d0f0 | 0xb3 |
CryptExportKey | 0x0 | 0x419014 | 0x1e4f4 | 0x1d0f4 | 0xbf |
CryptDestroyKey | 0x0 | 0x419018 | 0x1e4f8 | 0x1d0f8 | 0xb7 |
CryptDecrypt | 0x0 | 0x41901c | 0x1e4fc | 0x1d0fc | 0xb4 |
CryptImportKey | 0x0 | 0x419020 | 0x1e500 | 0x1d100 | 0xca |
CryptEncrypt | 0x0 | 0x419024 | 0x1e504 | 0x1d104 | 0xba |
CryptAcquireContextA | 0x0 | 0x419028 | 0x1e508 | 0x1d108 | 0xb0 |
CryptReleaseContext | 0x0 | 0x41902c | 0x1e50c | 0x1d10c | 0xcb |
SHELL32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SHGetSpecialFolderLocation | 0x0 | 0x4191ac | 0x1e68c | 0x1d28c | 0xdf |
SHGetPathFromIDListA | 0x0 | 0x4191b0 | 0x1e690 | 0x1d290 | 0xd5 |
CRYPT32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CryptStringToBinaryA | 0x0 | 0x419034 | 0x1e514 | 0x1d114 | 0xd8 |
Filename | Category | Type | Severity | Actions |
---|---|---|---|---|
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\ef23ed436bc1ea25e8a353e8da348db5_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f | Created File | Stream | Unknown | ... |