7a616846...55ad | VTI
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Riskware, Dropper, Trojan, Ransomware

7a61684657c789eafc051d7107f6a0917e86f92cecaa108e4ba3f08d631c55ad (SHA256)

CRYPT.EXE

Windows Exe (x86-32)

Created at 2019-01-19 16:50:00

Notifications (2/3)

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The overall sleep time of all monitored processes was truncated from "1 minute, 30 seconds" to "30 seconds" to reveal dormant functionality.

The operating system was rebooted during the analysis.

Severity | Category | Operation | Classification
5/5 | File System | Encrypts content of user files | Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
  • The file list below shows the scheme: encrypted files are renamed with an " id-<victim ID>" suffix and a ".lyas" extension (e.g. "desktop.ini id-br3n0g72wub8cejt.lyas"), and a ransom note "How To Restore Files.hta" is dropped into the affected directories.
4/5 | File System | Known malicious file | Trojan
  • File "C:\Users\CIiHmnxMn6Ps\Desktop\CRYPT.EXE" is a known malicious file.
1/5 | Anti Analysis | Resolves APIs dynamically | -
1/5 | Persistence | Installs system startup script or application | -
  • Adds "c:\How To Restore Files.hta" (the ransom note, an HTML Application) to Windows startup via the registry.
1/5 | File System | Modifies operating system directory | -
1/5 | Hide Tracks | Writes an unusually large amount of data to the registry | -
  • Hides 1280 bytes in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\\rsa".
1/5 | Process | Creates process with hidden window | -
  • The process "C:\Windows\system32\cmd.exe" starts with hidden window.
1/5 | Masquerade | Changes folder appearance | Riskware
  • Folder "c:\$recycle.bin\s-1-5-21-1462094071-1423818996-289466292-1000" has a changed appearance.
  • Folder "c:\users\ciihmnxmn6ps\saved games" has a changed appearance.
  • Folder "c:\program files (x86)\common files\microsoft shared\stationery" has a changed appearance.
  • Folder "c:\program files\common files\microsoft shared\stationery" has a changed appearance.
1/5 | File System | Modifies application directory | -
  • Modifies "c:\program files (x86)\desktop.ini id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\common files\how to restore files.hta".
  • Modifies "c:\program files (x86)\common files\extensiveadvertisement.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\internet explorer\how to restore files.hta".
  • Modifies "c:\program files\microsoft office\how to restore files.hta".
  • Modifies "c:\program files\microsoft office 15\charity.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\microsoft office\appxmanifest.xml id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\reference assemblies\how to restore files.hta".
  • Modifies "c:\program files\reference assemblies\commands.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\uninstall information\how to restore files.hta".
  • Modifies "c:\program files\uninstall information\just_instant_bulgaria.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\uninstall information\lined-tex.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\windows journal\how to restore files.hta".
  • Modifies "c:\program files\windows nt\lowest forwarding sitemap.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\windows journal\orders oxide shift.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\windows portable devices\how to restore files.hta".
  • Modifies "c:\program files\windows photo viewer\collecting_vb_les.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\windows media player\how to restore files.hta".
  • Modifies "c:\program files\windows media player\affected.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\windows multimedia platform\freeware.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\windows mail\tr_wireless.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\microsoft office\filesystemmetadata.xml id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\common files\designer\how to restore files.hta".
  • Modifies "c:\program files\common files\services\how to restore files.hta".
  • Modifies "c:\program files\common files\system\how to restore files.hta".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\how to restore files.hta".
  • Modifies "c:\program files (x86)\common files\services\how to restore files.hta".
  • Modifies "c:\program files\common files\designer\msaddndr.olb id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\windows photo viewer\runtime recommendation.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\internet explorer\how to restore files.hta".
  • Modifies "c:\program files (x86)\microsoft.net\how to restore files.hta".
  • Modifies "c:\program files (x86)\microsoft.net\flavor.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\mozilla maintenance service\how to restore files.hta".
  • Modifies "c:\program files (x86)\windows media player\how to restore files.hta".
  • Modifies "c:\program files (x86)\windows media player\kg_tools_them.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\windows multimedia platform\how to restore files.hta".
  • Modifies "c:\program files (x86)\windows mail\how to restore files.hta".
  • Modifies "c:\program files (x86)\windows portable devices\how to restore files.hta".
  • Modifies "c:\program files (x86)\windows photo viewer\limousines.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\internet explorer\reveal_medicare_ebay.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\internet explorer\en-us\how to restore files.hta".
  • Modifies "c:\program files\windows media player\en-us\how to restore files.hta".
  • Modifies "c:\program files\windows defender\en-us\how to restore files.hta".
  • Modifies "c:\program files\windows nt\accessories\how to restore files.hta".
  • Modifies "c:\program files\java\jre1.8.0_131\copyright id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\java\jre1.8.0_131\license id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\java\jre1.8.0_131\readme.txt id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\java\jre1.8.0_131\release id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\common files\system\how to restore files.hta".
  • Modifies "c:\program files\internet explorer\signup\how to restore files.hta".
  • Modifies "c:\program files (x86)\common files\java\java update\how to restore files.hta".
  • Modifies "c:\program files\windows mail\en-us\how to restore files.hta".
  • Modifies "c:\program files\windows journal\en-us\how to restore files.hta".
  • Modifies "c:\program files (x86)\windows portable devices\semiconductor phys.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\windows multimedia platform\pump.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\readme.htm id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\microsoft office 15\clientx64\integratedoffice.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\common files\microsoft shared\source engine\how to restore files.hta".
  • Modifies "c:\program files\common files\system\ado\how to restore files.hta".
  • Modifies "c:\program files\common files\microsoft shared\msinfo\how to restore files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\dao\how to restore files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\ink\how to restore files.hta".
  • Modifies "c:\program files (x86)\windows portable devices\slightly.exe id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\internet explorer\signup\install.ins id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\java\jre1.8.0_131\thirdpartylicensereadme-javafx.txt id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\common files\microsoft shared\vsto\how to restore files.hta".
  • Modifies "c:\program files\windows media player\media renderer\how to restore files.hta".
  • Modifies "c:\program files\common files\microsoft shared\stationery\how to restore files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\stationery\desktop.ini id-br3n0g72wub8cejt.lyas".
  • Modifies "c:\program files\microsoft office\root\flattener\how to restore files.hta".
  • Modifies "c:\program files (x86)\common files\system\ado\how to restore files.hta".
  • Modifies "c:\program files (x86)\mozilla firefox\accessible.tlb id-br3n0g72wub8cejt.lyas".
1/5 | File System | Creates an unusually large number of files | -
1/5 | Static | Unparsable sections in file | -
  • Static analyzer was unable to completely parse the analyzed file: \\?\C:\ProgramData\Oracle\Java\javapath_target_5923062\java.exe id-Br3n0G72wUb8CejT.LyaS.
1/5 | PE | The PE file was created with a packer | -
  • File "C:\Users\CIiHmnxMn6Ps\Desktop\CRYPT.EXE" is packed with "ASPack v2.12 -> Alexey Solodovnikov".
1/5 | PE | Drops PE file | Dropper
  • Drops file "\\?\C:\ProgramData\Oracle\Java\javapath_target_5923062\java.exe id-Br3n0G72wUb8CejT.LyaS".
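The "Modifies application directory" rows above show the two on-disk artefacts this sample leaves: a ransom note "How To Restore Files.hta" in each touched directory and files renamed to "<original name> id-<victim ID>.<extension>". The following triage script is an added example, not part of the VMRay report: it classifies paths from a file listing with that naming rule, extracts the victim ID, and summarises what was hit. The listing it runs on is constructed from a few paths in the report plus two clean files; the VTI rows print paths lower-cased, so the mixed-case ID and extension from the "Drops PE file" entry are used for the on-disk names. The 16-character ID length and the generic extension match are assumptions made so the rule also covers a different campaign suffix.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Ransom note dropped into each directory the sample touched (name taken from the report).
RANSOM_NOTE = "how to restore files.hta"

# Naming scheme observed in the report: "<original name> id-<victim ID>.<new extension>".
# Assumption: the ID is 16 alphanumerics; the extension is matched generically so the same
# rule also catches a campaign that uses a suffix other than ".lyas".
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+) id-(?P<victim>[A-Za-z0-9]{16})\.(?P<ext>[A-Za-z0-9]+)$"
)


class Finding(NamedTuple):
    path: str
    kind: str        # "note" or "encrypted"
    victim_id: str   # empty for notes
    ext: str         # lower-cased appended extension, empty for notes
    original: str    # file name before renaming, empty for notes


def classify(path: str) -> Optional[Finding]:
    """Classify one path as ransom note, encrypted file, or neither (None)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower() == RANSOM_NOTE:
        return Finding(path, "note", "", "", "")
    m = ENCRYPTED_NAME.match(name)
    if m:
        return Finding(path, "encrypted", m["victim"], m["ext"].lower(), m["orig"])
    return None


def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: note count, encrypted count, victim IDs, extensions, hit file types."""
    findings = [f for f in map(classify, paths) if f is not None]
    notes = [f for f in findings if f.kind == "note"]
    enc = [f for f in findings if f.kind == "encrypted"]
    orig_types = Counter(
        f.original.rsplit(".", 1)[-1].lower() if "." in f.original else "(none)" for f in enc
    )
    return {
        "note_count": len(notes),
        "encrypted_count": len(enc),
        "victim_ids": sorted({f.victim_id for f in enc}),
        "extensions": sorted({f.ext for f in enc}),
        "original_types": orig_types,
        "encrypted_paths": [f.path for f in enc],
    }


# Constructed listing: paths taken from the report (mixed-case ID/extension as on disk)
# plus two untouched files that must not be flagged.
SAMPLE_LISTING = [
    r"c:\program files (x86)\desktop.ini id-Br3n0G72wUb8CejT.LyaS",
    r"c:\program files (x86)\common files\How To Restore Files.hta",
    r"c:\program files\microsoft office 15\charity.exe id-Br3n0G72wUb8CejT.LyaS",
    r"c:\program files\java\jre1.8.0_131\readme.txt id-Br3n0G72wUb8CejT.LyaS",
    r"c:\program files\internet explorer\How To Restore Files.hta",
    r"c:\ProgramData\Oracle\Java\javapath_target_5923062\java.exe id-Br3n0G72wUb8CejT.LyaS",
    r"c:\windows\system32\kernel32.dll",
    r"c:\users\public\notes.txt",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

A single victim ID across every renamed file is what one infected host looks like; two or more IDs in one listing means the share was hit from several machines. The name rule is a heuristic, so confirm a candidate by checking that the file no longer has its original magic bytes before counting it as encrypted.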
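Two registry indicators in the table above, the ".hta" added to Windows startup and the 1280 bytes written under "...\CurrentVersion\DateTime\\rsa", can both be checked offline against a regedit export. The script below is an added example, not part of the VMRay report. It parses a .reg file (REG_SZ, hex and dword values only, with regedit's line-wrapped hex), flags Run/RunOnce entries whose target is a script-type file, and flags binary values of 1024 bytes or more. The export it parses is constructed: the report names neither the Run key hive nor the value name, so HKCU and "How To Restore Files" are assumed, "rsa" is assumed to be a value under the DateTime key, and the 1280-byte blob is filler rather than the sample's data.

```python
import hashlib
from typing import List, NamedTuple


class RegValue(NamedTuple):
    key: str
    name: str
    kind: str      # "REG_SZ", "REG_BINARY", "REG_DWORD" or "UNKNOWN"
    value: object


class Indicator(NamedTuple):
    kind: str      # "startup_script" or "large_binary_value"
    key: str
    name: str
    detail: str


def _parse_value(key: str, line: str) -> RegValue:
    """Parse one '"name"=...' line (hex continuation lines already joined)."""
    name, _, rest = line.partition("=")
    name = "(Default)" if name == "@" else name.strip('"')
    if rest.startswith('"'):
        text = rest[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        return RegValue(key, name, "REG_SZ", text)
    if rest.startswith("hex:"):
        digits = rest[4:].replace("\\", "").replace(",", "").replace(" ", "")
        return RegValue(key, name, "REG_BINARY", bytes.fromhex(digits))
    if rest.startswith("dword:"):
        return RegValue(key, name, "REG_DWORD", int(rest[6:], 16))
    return RegValue(key, name, "UNKNOWN", rest)


def parse_reg(text: str) -> List[RegValue]:
    """Minimal parser for regedit .reg exports (REG_SZ, hex and dword values)."""
    entries: List[RegValue] = []
    key = ""
    buf = ""   # a hex value that regedit wrapped over several lines ending in '\'
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            buf += line
            if line.endswith("\\"):
                continue
            entries.append(_parse_value(key, buf))
            buf = ""
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if line.endswith("\\"):
            buf = line
            continue
        entries.append(_parse_value(key, line))
    return entries


RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
            "\\microsoft\\windows\\currentversion\\runonce")
# Script hosts that have no business in a Run key; .hta is the one seen in the report.
SCRIPT_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1")


def _command_target(cmd: str) -> str:
    """Return the file a Run-key command line launches (first quoted or bare token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def find_indicators(entries: List[RegValue], large_threshold: int = 1024) -> List[Indicator]:
    """Flag script-type startup entries and oversized binary values."""
    hits: List[Indicator] = []
    for e in entries:
        if e.kind == "REG_SZ" and e.key.lower().endswith(RUN_KEYS):
            target = _command_target(str(e.value))
            if target.lower().endswith(SCRIPT_EXT):
                hits.append(Indicator("startup_script", e.key, e.name, target))
        elif e.kind == "REG_BINARY" and isinstance(e.value, bytes) and len(e.value) >= large_threshold:
            digest = hashlib.sha256(e.value).hexdigest()[:16]
            hits.append(Indicator("large_binary_value", e.key, e.name,
                                  f"{len(e.value)} bytes, sha256 prefix {digest}"))
    return hits


def _reg_hex(data: bytes, per_line: int = 25) -> str:
    """Render bytes the way regedit exports them: 'hex:aa,bb,...' wrapped with trailing '\\'."""
    parts = [f"{b:02x}" for b in data]
    chunks = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return "hex:" + ",\\\n  ".join(chunks)


# Constructed export: one legitimate Run entry, one .hta startup entry modelled on the report,
# a small binary value that must not fire, and a 1280-byte filler blob under DateTime\rsa.
BLOB = bytes((i * 37 + 11) & 0xFF for i in range(1280))
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="\\"C:\\\\Users\\\\victim\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"\n'
    '"How To Restore Files"="\\"c:\\\\How To Restore Files.hta\\""\n\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime]\n"
    '"Probe"=hex:01,02,03\n'
    '"rsa"=' + _reg_hex(BLOB) + "\n"
    '"Flags"=dword:00000001\n'
)

if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{hit.kind}: {hit.key}\\{hit.name} -> {hit.detail}")
```

On a live host the same checks are cheaper to run directly with `reg export` on the Run keys and the DateTime key and feeding the output to `parse_reg`. The size threshold is a starting point: a value this large under a key that normally holds only time-zone settings deserves a look regardless of what it decodes to, and the hash prefix lets the blob be compared across hosts.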
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.