75ca5c2c...7783

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Spyware

75ca5c2caf5216140f8e3e34160bdc64ce59d75fce1feeaa809ec18f01427783 (SHA256)

volumesound.exe

Windows Exe (x86-32)

Created at 2018-11-06 10:28:00

Severity	Category	Operation	Classification
5/5	YARA	YARA match	-
Rule "APT28_IMPLANT_4_v10" from ruleset "APTs" has matched for "\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe" ... VTI Actions Go to YARA match
4/5	Injection	Writes into the memory of another running process	-
"c:\users\ciihmnxmn6ps\desktop\volumesound.exe" modifies memory of "c:\windows\syswow64\explorer.exe" ... VTI Actions Go to function call
3/5	Anti Analysis	Tries to detect application sandbox	-
Possibly trying to detect "Sandboxie" by checking for existence of module "sbiedll.dll". ... VTI Actions Go to function call
2/5	Anti Analysis	Tries to detect virtual machine	-
Reads out system information, commonly used to detect VMs via registry. (Value "VideoBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\Description\System"). ... VTI Actions Go to function call
2/5	Anti Analysis	Tries to detect debugger	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to function call
2/5	File System	Known suspicious file	-
File "C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe" is a known suspicious file. ... VTI Actions Go to file details Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "Lambda". ... VTI Actions Go to function call
Creates mutex with name "Global\UzFCA0D558". ... VTI Actions Go to function call
1/5	Information Stealing	Reads system data	Spyware
Reads the Windows installation date from registry. ... VTI Actions Go to function call
1/5	Process	Creates process with hidden window	-
The process "C:\Windows\SysWOW64\explorer.exe" starts with hidden window. ... VTI Actions Go to function call
1/5	Process	Reads from memory of another process	-
"c:\users\ciihmnxmn6ps\desktop\volumesound.exe" reads from "C:\Windows\SysWOW64\explorer.exe". ... VTI Actions Go to function call
1/5	Anti Analysis	Resolves APIs dynamically	-
Resolves an unusually high number of APIs. ... VTI Actions Go to function call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Before

After