7bcd69b3...dd26

VMRay Threat Indicators (9 rules, 73 matches)

Severity	Category	Operation	Classification
5/5	File System	Known malicious file	Trojan
File "C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe" is a known malicious file. ... VTI Actions Go to file details
4/5	File System	Renames user files	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Behavior
2/5	Device	Sends control codes to connected devices	-
Controls device "C:\Documents and Settings" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvStream32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\client\C2R32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\client\C2R64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\Office16\AppvIsvStream64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\Office16\C2R64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvStream32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvStream64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvStream32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvStream32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll" through API DeviceIOControl. ... VTI Actions Go to Behavior
1/5	Process	Creates process with hidden window	-
The process "C:\WINDOWS\system32\cmd.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe" starts with hidden window. ... VTI Actions Go to Behavior
1/5	Process	Creates system object	-
Creates mutex with name "MX-zzbdrimp". ... VTI Actions Go to Behavior
1/5	File System	Modifies application directory	-
Modifies "\??\\C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Mozilla Firefox\browser\chrome.manifest.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Mozilla Firefox\dependentlibs.list.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Mozilla Firefox\freebl3.chk.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\rempl\remsh.exe.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\rempl\rempl.xml.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\rempl\Unlock.xml.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\rempl\Logs\Remediation.003.etl.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\rempl\Logs\Remediation.002.etl.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\rempl\Logs\Remediation.001.etl.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked". ... VTI Actions Go to Behavior
Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked". ... VTI Actions Go to Behavior
1/5	Information Stealing	Possibly does reconnaissance	-
Possibly trying to gather information about application "Mozilla Firefox" by file. ... VTI Actions Go to Behavior
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to file details

Screenshots

Monitored Processes

Sample Information

ID	#526138
MD5	7e3f8b6b7ac0565bfcbf0a1e3e6fcfbc
SHA1	b2a701225c8c7f839be3c5009d52b4421063d93e
SHA256	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26
SSDeep	24576:VnJVtmfwkmE2j2uD3bMUPMGOc0dfe3WuEK2/0vPY0uZTp+Xksy:jVtmfwkmE2jrcHdfelcYPMZTp+Xksy
ImpHash	39a85c613973fb6d8d786a3deb3c0666
Filename	zzbdrimp2939.exe
File Size	1.19 MB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-03-23 11:12 (UTC+1)
Analysis Duration	00:04:00
Number of Monitored Processes	41
Execution Successful
Reputation Enabled
WHOIS Enabled
YARA Enabled
Number of YARA Matches	0
Termination Reason	Maximum binlog size reached
Tags

VMRay Threat Indicators (9 rules, 73 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After