7713cce5...c671 | VMRay Analyzer Report
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Downloader, Dropper, Trojan

EB54.tmp.exe

Windows Exe (x86-32)

Created at 2019-05-13T17:21:00

...

Remarks (2/2)

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

VMRay Threat Indicators (17 rules, 55 matches)

Severity Category Operation Count Classification
5/5
Local AV Malicious content was detected by heuristic scan 7 -
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe" as "Trojan.GenericKD.31534187".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe" as "DeepScan:Generic.Zamg.8.B9502EF1".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe" as "DeepScan:Generic.Zamg.8.C0B90587".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe" as "Trojan.GenericKD.31898868".
    ...
5/5
Reputation Known malicious file 1 Trojan
4/5
Network Modifies network configuration 1 -
  • Modifies the host.conf file, probably to redirect network traffic.
    ...
4/5
Reputation Known malicious URL 17 -
  • Contacted URL "http://pool.ug/tesptc/penelop/updatewin1.exe" is a known malicious URL.
    ...
  • Contacted URL "http://pool.ug/tesptc/penelop/updatewin2.exe" is a known malicious URL.
    ...
  • Contacted URL "http://pool.ug/tesptc/penelop/updatewin.exe" is a known malicious URL.
    ...
  • Contacted URL "http://pool.ug/tesptc/penelop/3.exe" is a known malicious URL.
    ...
  • Contacted URL "http://pool.ug/tesptc/penelop/4.exe" is a known malicious URL.
    ...
  • Contacted URL "http://pool.ug/tesptc/penelop/5.exe" is a known malicious URL.
    ...
  • Contacted URL "http://root.ug/AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php?pid=32EB8DA0DCF8DD23092C768E66F3E191&first=true" is a known malicious URL.
    ...
  • Contacted URL "pool.ug/1/index.php" is a known malicious URL.
    ...
  • Contacted URL "pool.ug" is a known malicious URL.
    ...
    • VTI Actions
  • Contacted URL "root.ug" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/3.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://root.ug/AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php?pid=32EB8DA0DCF8DD23092C768E66F3E191&first=true" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/updatewin.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/4.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/updatewin1.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/5.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
3/5
Anti Analysis Delays execution 1 -
  • Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe", to be triggered by Time. Task has been rescheduled by the analyzer.
    ...
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection 1 -
2/5
Reputation Known suspicious file 5 Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe" is a known suspicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe" is a known suspicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe" is a known suspicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe" is a known suspicious file.
    ...
1/5
Persistence Installs system startup script or application 1 -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe" --AutoStart" to Windows startup via registry.
    ...
1/5
Process Creates process with hidden window 2 -
  • The process "icacls" starts with hidden window.
    ...
  • The process "powershell" starts with hidden window.
    ...
1/5
File System Modifies operating system directory 1 -
1/5
Information Stealing Reads system data 1 -
  • Reads the cryptographic machine GUID from registry.
    ...
1/5
Process Creates system object 1 -
  • Creates mutex with name "A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69".
    ...
1/5
Process Overwrites code 1 -
1/5
Network Downloads executable 4 Downloader
1/5
Network Connects to HTTP server 9 -
  • URL "http://pool.ug/tesptc/penelop/updatewin1.exe".
    ...
  • URL "http://pool.ug/tesptc/penelop/updatewin2.exe".
    ...
  • URL "http://pool.ug/tesptc/penelop/updatewin.exe".
    ...
  • URL "http://root.ug/AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php?pid=32EB8DA0DCF8DD23092C768E66F3E191&first=true".
    ...
1/5
PE Drops PE file 1 Dropper
0/5
Process Enumerates running processes 1 -

Screenshots

Monitored Processes

Process Graph

Process Graph Legend

Sample Information

ID #647522
MD5 241f592a445513811b3bc3f104ffb2a8 Copy to Clipboard
SHA1 578c0a16e2428764c928db50738db2d843ca6c2f Copy to Clipboard
SHA256 7713cce5768ed6d8250d01a006e26b5cfab3ff296f8c6dd8684a5142cc54c671 Copy to Clipboard
SSDeep 6144:3z2W1PSKq67m+2xgx08t3tmrFLLgjIv5+dHgSnSppJlV3/jKGKYoezUtyB:/u6sxgK8t9mrFL0jougpJL3/jKGxN9 Copy to Clipboard
ImpHash 8d3acf51068be57a00101493a8206aa2 Copy to Clipboard
Filename EB54.tmp.exe
File Size 442.50 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-05-13 19:21 (UTC+2)
Analysis Duration 00:04:49
Number of Monitored Processes 12
Execution Successful True
Reputation Enabled True
WHOIS Enabled True
Local AV Enabled True
YARA Enabled True
Number of AV Matches 7
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image