680949c3...8f31

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Riskware, Wiper, Ransomware

680949c3c5b4b6ffdbe297fcb15096b5d53c8480d0c53ab4dd9801d711a78f31 (SHA256)

ransom_poc.exe

Windows Exe (x86-32)

Created at 2019-01-18 15:12:00

Notifications (1/1)

Every analysis has a preconfigured maximum VM disk size for temporary changes. This limit was reached during this analysis and, as an result, the analysis was terminated prematurely.

Severity	Category	Operation	Classification
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to function call
1/5	Process	Creates process with hidden window	-
The process "worm.exe" starts with hidden window. ... VTI Actions Go to function call
1/5	File System	Modifies operating system directory	-
Creates file "c:\windows\JAMES\james_flag" in the OS directory. ... VTI Actions Go to function call
Creates file "c:\windows\JAMES\Encrypted_Files.txt" in the OS directory. ... VTI Actions Go to function call
Creates file "c:\windows\JAMES\KeyHash" in the OS directory. ... VTI Actions Go to function call
Creates file "c:\windows\JAMES\EncryptedKey" in the OS directory. ... VTI Actions Go to function call
1/5	Masquerade	Changes folder appearance	Riskware
Folder "c:\$recycle.bin\s-1-5-21-3388679973-3930757225-3770151564-1000" has a changed appearance. ... VTI Actions Go to function call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Before

After