74f9b8d8...0196 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Wiper, Trojan

Remarks

(0x200000c): The maximum memory dump size was exceeded. Some dumps may be missing in the report.

Filename Category Type Severity Actions
C:\Users\FD1HVy\Desktop\GottaCry.exe Sample File Binary
Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 467.00 KB
MD5 f7c18136d44ce6e56710016841ca8aa3
SHA1 68994fa66e39ff9082f822e5a019b8bab4ec83af
SHA256 74f9b8d8ad9cd5da148c4459560be843ee9443bf01e2bc7dff77fb333a470196
SSDeep 3072:X7idbvXLQ666C66G666i666o666y666B66c666G66f666+666u6669p666366o60:md7XgXtwU3xvpOVKW6Q
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity
Suspicious
First Seen 2019-05-16 00:48 (UTC+2)
Last Seen 2019-05-24 21:24 (UTC+2)
Names ByteCode-MSIL.Trojan.Encoder
Families Encoder
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x476196
Size Of Code 0x74200
Size Of Initialized Data 0x800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2099-06-18 01:03:58+00:00
Version Information (11)
Assembly Version 1.0.0.0
Comments -
CompanyName -
FileDescription GottaCry
FileVersion 1.0.0.0
InternalName GottaCry.exe
LegalCopyright Copyright © 2019
LegalTrademarks -
OriginalFilename GottaCry.exe
ProductName GottaCry
ProductVersion 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x7419c 0x74200 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.86
.rsrc 0x478000 0x5ac 0x600 0x74400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.08
.reloc 0x47a000 0xc 0x200 0x74a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x402000 0x76169 0x74369 0x0
Memory Dumps (27)
Name Process ID Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104B97D8, 0x7FF9105D9820, ... False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105E6820, 0x7FF9104B97D8 False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104BE708 False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105E8B30, 0x7FF9104BE708 False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104B8EF0 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC7E760 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC80200 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC86000 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC7F000 False False
system.xml.ni.dll 1 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4EF000 False False
system.xml.ni.dll 1 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F04C0 False False
system.xml.ni.dll 1 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F1960 False False
system.xml.ni.dll 1 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F4100 False False
system.xml.ni.dll 1 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F2A70 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC81B60 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC82010 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC8319F False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC84040 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC890E0 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC87000 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC989E0 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC88000 False False
system.configuration.ni.dll 1 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC8ABB0 False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104B8EF8 False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105E7160 False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104BCEE0 False False
microsoft.visualbasic.ni.dll 1 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105DA0A0, 0x7FF9104BCEE0 False False
Local AV Matches (1)
Threat Name Severity
Gen:Heur.Ransom.REntS.Gen.1
Malicious
c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_idx.db Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 113.77 KB
MD5 ef8f2a92b695a814a831823462993327
SHA1 b2525154aa9f539c5c6ec9c3276ba5fb488c335b
SHA256 bb06660e07d9c6c11d8cbc5877a298998554abbc2f78319c39f9b18d393a79a2
SSDeep 384:Sns0cn3yWhXKXx2QuLD/z35OqXp1OKPo7Ep+erXofe/co37qwLDeYf7Wm:SnXOakzLrz30MYWxvXofc7q8T
c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_32.db Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 3.00 MB
MD5 d42da5feab76d156eed14386b3ba0fc9
SHA1 e075d399a08c2a365a0f5204df10907884da7585
SHA256 1771938a553949a51bcd766c9626947e65a3c3b4329cc0c2dd9fa9f2b6b043b7
SSDeep 24576:EVZt4VPVJ02LPknyS5iz7ZTYqjYKqsdN7OQ:EVZt0PVu2LgiPZTYoXqsd
Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.


    
Screenshot