VMRay Analyzer Report for Sample #88184
VMRay Analyzer 3.0.2

Network: DNS resolutions observed during the analysis
  URI api.2ip.ua   Resolved_To Address 77.123.139.189
  URI texet1.ug    Resolved_To Address 45.86.180.158
Process list (Processes 2, 8 and 9 are not present in this export; each entry gives PID, parent PID, command line, working directory and image path)

Process 1: 370e.tmp.exe
  PID: 1044   Parent PID: 1116
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\370E.tmp.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\370e.tmp.exe

Process 3: icacls.exe
  PID: 304   Parent PID: 1044 (Process 1)
  Command line: icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\icacls.exe
  Note: S-1-1-0 is the Everyone SID. (OI)(CI) make the ACE inherit to files and subfolders; DE,DC deny Delete and Delete Child. The copy of the sample dropped into that folder therefore cannot be deleted, even by the user, until the deny ACE is removed (icacls <folder> /remove:d *S-1-1-0). The SysWOW64 image path shows the 32-bit sample spawned icacls under WoW64 file-system redirection.

Process 4: taskeng.exe
  PID: 1292   Parent PID: 876
  Command line: taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe
  Note: taskeng.exe is the Windows 7 Task Scheduler engine; "Interactive:Highest" is an engine instance that runs this user's tasks with highest (elevated) privileges.

Process 5: 370e.tmp.exe
  PID: 516   Parent PID: 1044 (Process 1)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\370E.tmp.exe" --Admin IsNotAutoStart IsNotTask
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\370e.tmp.exe

Process 6: taskeng.exe
  PID: 1812   Parent PID: 876
  Command line: taskeng.exe {6D8B2882-1230-420E-9307-11BBC8B69057} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe
  Note: "Interactive:LUA" is the engine instance that runs this user's tasks without elevation.

Process 7: 370e.tmp.exe
  PID: 1560   Parent PID: 1812 (Process 6)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401\370E.tmp.exe" --Task
  Working directory: C:\Windows\system32\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401\370e.tmp.exe
  Note: started by the Task Scheduler from the GUID-named folder under %LOCALAPPDATA% that Process 3 locked with the deny ACE; this is the scheduled task recorded under "Delays execution" in the VTI section.

Process 10: 370e.tmp.exe
  PID: 1388   Parent PID: 892
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401\370E.tmp.exe" --AutoStart
  Working directory: C:\Windows\system32\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401\370e.tmp.exe
  Note: the same command line is registered as the HKCU Run value "SysHelper" (see the registry artifacts). The export lists the file "Created" events under this process.
File and registry artifacts

Directory
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401
  (the GUID-named folder holding the relocated copy of the sample; the folder Process 3 protected with the deny ACE)

WinRegistryKey
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Value name: SysHelper   Type: REG_EXPAND_SZ
  Data: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401\370E.tmp.exe" --AutoStart
File (paths as exported, lowercase)

  _readme.txt, present in every directory the sample touched (consistent with the Generic.Ransom.Stop verdict in the VTI section: STOP/Djvu writes its ransom note under this file name):
    c:\_readme.txt
    c:\boot\_readme.txt
    c:\config.msi\_readme.txt
    c:\boot\cs-cz\_readme.txt
    c:\boot\da-dk\_readme.txt
    c:\boot\de-de\_readme.txt
    c:\boot\el-gr\_readme.txt
    c:\boot\en-us\_readme.txt
    c:\boot\es-es\_readme.txt
    c:\boot\fi-fi\_readme.txt
    c:\boot\fonts\_readme.txt
    c:\boot\fr-fr\_readme.txt
    c:\boot\hu-hu\_readme.txt
    c:\boot\it-it\_readme.txt
    c:\boot\ja-jp\_readme.txt
    c:\boot\ko-kr\_readme.txt
    c:\boot\nb-no\_readme.txt
    c:\boot\nl-nl\_readme.txt
    c:\boot\pl-pl\_readme.txt
    c:\boot\pt-br\_readme.txt
    c:\boot\pt-pt\_readme.txt
    c:\boot\ru-ru\_readme.txt
    c:\boot\sv-se\_readme.txt
    c:\boot\tr-tr\_readme.txt
    c:\boot\zh-cn\_readme.txt
    c:\boot\zh-hk\_readme.txt
    c:\boot\zh-tw\_readme.txt

  Boot files under c:\ and c:\boot\:
    c:\bootsect.bak
    c:\boot\bcd.log
    c:\boot\bcd.log1
    c:\boot\bcd.log2
    c:\boot\bootstat.dat
    c:\boot\memtest.exe
    c:\boot\cs-cz\bootmgr.exe.mui
    c:\boot\da-dk\bootmgr.exe.mui
    c:\boot\de-de\bootmgr.exe.mui
    c:\boot\el-gr\bootmgr.exe.mui
    c:\boot\en-us\bootmgr.exe.mui
    c:\boot\en-us\memtest.exe.mui
    c:\boot\es-es\bootmgr.exe.mui
    c:\boot\fi-fi\bootmgr.exe.mui
    c:\boot\fonts\chs_boot.ttf
    c:\boot\fonts\cht_boot.ttf
    c:\boot\fonts\jpn_boot.ttf
    c:\boot\fonts\kor_boot.ttf
    c:\boot\fonts\wgl4_boot.ttf
    c:\boot\fr-fr\bootmgr.exe.mui
    c:\boot\hu-hu\bootmgr.exe.mui
    c:\boot\it-it\bootmgr.exe.mui
    c:\boot\ja-jp\bootmgr.exe.mui
    c:\boot\ko-kr\bootmgr.exe.mui
    c:\boot\nb-no\bootmgr.exe.mui
    c:\boot\nl-nl\bootmgr.exe.mui
    c:\boot\pl-pl\bootmgr.exe.mui
    c:\boot\pt-br\bootmgr.exe.mui
    c:\boot\pt-pt\bootmgr.exe.mui
    c:\boot\ru-ru\bootmgr.exe.mui
    c:\boot\sv-se\bootmgr.exe.mui
    c:\boot\tr-tr\bootmgr.exe.mui
    c:\boot\zh-cn\bootmgr.exe.mui
    c:\boot\zh-hk\bootmgr.exe.mui
    c:\boot\zh-tw\bootmgr.exe.mui

  User profile files:
    c:\users\5p5nrgjn0js halpmcxz\ntuser.dat
    c:\users\5p5nrgjn0js halpmcxz\searches\everywhere.search-ms
    c:\users\5p5nrgjn0js halpmcxz\searches\indexed locations.search-ms
    c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\favorites.vss

  Other:
    c:\systemid
Mutex
  {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}

WinRegistryKey
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper (the --AutoStart command line listed above)
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value SysHelper = 1 (REG_DWORD_LITTLE_ENDIAN)
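The process command lines, the icacls deny ACE, the HKCU Run value and the _readme.txt paths above are all things an endpoint telemetry pipeline can match on. The following is an added example, not part of the VMRay report and not VMRay tooling: it runs that matching over constructed Sysmon-style events. The event dictionaries and their field names (event, pid, image, cmdline, key, value, data, path) are this example's own; the command lines, paths, PIDs and registry data are copied from the report, and attributing the _readme.txt creates to PID 1388 follows the export's grouping but is an assumption.

```python
"""Hunt for the behaviours in this report over Sysmon-style host events.

Added example, not VMRay output. Events are constructed dicts; the field
names are this example's own, the command lines, paths, PIDs and registry
data are taken from the report above.
"""
import re
from dataclasses import dataclass

EVERYONE_SID = "S-1-1-0"            # well-known SID "Everyone"
# A GUID-named folder directly under %LOCALAPPDATA%, followed by \ or a closing quote.
GUID_DIR = re.compile(
    r'\\appdata\\local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?=\\|"|$)', re.I)
# icacls ACE syntax: /deny [*]<SID>:(flag)(flag)(right,right)
ACE = re.compile(r"/deny\s+\*?(?P<sid>S-1-[\d-]+):(?P<spec>(?:\([A-Za-z,]+\))+)", re.I)
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
SWITCHES = {"--AutoStart", "--Task", "--Admin"}   # switches seen on this sample


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def parse_ace(spec: str) -> tuple[set[str], set[str]]:
    """Split '(OI)(CI)(DE,DC)' into inheritance flags and access rights."""
    flags, rights = set(), set()
    for group in re.findall(r"\(([A-Za-z,]+)\)", spec):
        for token in group.upper().split(","):
            (flags if token in INHERIT_FLAGS else rights).add(token)
    return flags, rights


def check_process(ev: dict) -> list[Finding]:
    """Flag the ACL lock on the drop folder and runs of the relocated binary."""
    out: list[Finding] = []
    cmd = ev["cmdline"]
    if ev["image"].lower().endswith("\\icacls.exe"):
        m = ACE.search(cmd)
        if m and m.group("sid").upper() == EVERYONE_SID and GUID_DIR.search(cmd):
            flags, rights = parse_ace(m.group("spec"))
            if rights & {"DE", "DC"}:   # Delete / Delete Child denied to Everyone
                out.append(Finding("icacls_deny_delete_everyone", ev["pid"],
                                   f"inherit={sorted(flags)} rights={sorted(rights)}"))
    if GUID_DIR.search(ev["image"]) and SWITCHES & set(cmd.split()):
        out.append(Finding("guid_dir_exe_with_switch", ev["pid"], cmd))
    return out


def check_registry(ev: dict) -> list[Finding]:
    """Flag a Run value whose command points into a GUID folder under %LOCALAPPDATA%."""
    if RUN_KEY.search(ev["key"]) and GUID_DIR.search(ev["data"]):
        return [Finding("run_key_into_guid_dir", ev["pid"], f'{ev["value"]} = {ev["data"]}')]
    return []


def check_notes(events: list[dict], min_dirs: int = 3) -> list[Finding]:
    """Flag a process writing _readme.txt into several directories."""
    per_pid: dict[int, set[str]] = {}
    for ev in events:
        if ev["event"] == "file_create" and ev["path"].lower().endswith("\\_readme.txt"):
            per_pid.setdefault(ev["pid"], set()).add(ev["path"].rsplit("\\", 1)[0].lower())
    return [Finding("ransom_note_fanout", pid, f"{len(dirs)} directories")
            for pid, dirs in per_pid.items() if len(dirs) >= min_dirs]


def hunt(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev["event"] == "process_create":
            findings += check_process(ev)
        elif ev["event"] == "reg_set":
            findings += check_registry(ev)
    return findings + check_notes(events)


DROP = r"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401"

# Constructed events modelled on the report; PID 1388 for the file creates is assumed.
EVENTS = [
    {"event": "process_create", "pid": 516, "image": r"c:\users\5p5nrgjn0js halpmcxz\desktop\370e.tmp.exe",
     "cmdline": r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\370E.tmp.exe" --Admin IsNotAutoStart IsNotTask'},
    {"event": "process_create", "pid": 304, "image": r"c:\windows\syswow64\icacls.exe",
     "cmdline": f'icacls "{DROP}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"event": "process_create", "pid": 1388, "image": DROP.lower() + r"\370e.tmp.exe",
     "cmdline": rf'"{DROP}\370E.tmp.exe" --AutoStart'},
    {"event": "process_create", "pid": 2000, "image": r"c:\windows\system32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"event": "reg_set", "pid": 1044, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SysHelper", "data": rf'"{DROP}\370E.tmp.exe" --AutoStart'},
    {"event": "file_create", "pid": 1388, "path": r"c:\_readme.txt"},
    {"event": "file_create", "pid": 1388, "path": r"c:\boot\_readme.txt"},
    {"event": "file_create", "pid": 1388, "path": r"c:\config.msi\_readme.txt"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

The ACE parser is the part worth keeping: icacls output and arguments use the same `(flags)(rights)` grammar, so the same function can be run over `icacls <folder>` output during triage to confirm the deny entry is present before removing it with `/remove:d`.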
Analyzed Sample #88184 (Malware Artifacts)
Sample-ID: #88184
Job-ID: #217062
Submission-ID: #136988
This sample was analyzed by VMRay Analyzer 3.0.2 on a Windows 7 system
VTI Score: 100 (based on VTI Database Version 3.3)

Metadata of Sample File #88184
Filename (as exported): 7f3f9eedfbaa1807390b1659ebc5e9d8ff9a54d7c5ece5974e2fe382d5fe4841exe
MD5: 0ac0905c5f2e529a64543cd366c1ad08
SHA1: 2beace9cc3f075676384b29daf10f517ae4e062e
SHA256: 7f3f9eedfbaa1807390b1659ebc5e9d8ff9a54d7c5ece5974e2fe382d5fe4841

Metadata of Analysis for Job-ID #217062
Status fields as exported: True, Timeout, True, 266.688 (the analysis ran into the configured timeout; field labels were not preserved in this export)
Computer name: XDUWTFONO
VM: win7_64_sp1, x86 64-bit, Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
User: 5p5NrGJn0jS HALPmcxz
VTI rule matches (category, score, rule, description)

Anti Analysis, 2/5, vmray_dynamic_api_usage_by_api
  Resolves an unusually high number of APIs. Resolves APIs dynamically to possibly evade static detection.

Process, 0/5, vmray_enumerate_processes
  Enumerates running processes.

Persistence, 1/5, vmray_install_startup_script_by_registry
  Adds "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401\370E.tmp.exe" --AutoStart to Windows startup via registry (installs a system startup script or application; this is the HKCU Run value SysHelper in the artifact list).

Process, 1/5, vmray_create_process_with_hidden_window
  The process "icacls" starts with a hidden window (Process 3 above, which sets the deny ACE on the drop folder).

Process, 1/5, vmray_install_ipc_endpoint
  Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}" (creates system object).

File System, 4/5, vmray_modify_user_files
  Modifies the content of multiple user files. This is an indicator for an encryption attempt.

File System, 4/5, vmray_rename_user_files
  Renames multiple user files. This is an indicator for an encryption attempt.

File System, 1/5, vmray_create_many_files
  Creates an unusually large number of files.

Process, 1/5, vmray_overwrite_code
  Overwrites code to possibly hide behavior.

Anti Analysis, 3/5, vmray_delay_by_scheduled_task_delayed
  Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3f2aa1c4-e619-4d34-a21e-283f3d2a3401\370E.tmp.exe", to be triggered by Time. Task has been rescheduled by the analyzer (delays execution). The analyzer pulled the trigger forward so the task ran inside the analysis window; Process 7 (--Task, child of the LUA taskeng instance) is that execution.

Local AV, 5/5, vmray_av_malicious_match
  Local AV detected the sample itself as "Trojan.GenericKD.41391252" (malicious content detected by heuristic scan).

Local AV, 5/5, vmray_av_malicious_match
  Local AV detected a memory dump of process "370e.tmp.exe" as "Generic.Ransom.Stop.BD490148". The memory-dump verdict is the more useful one: it names the ransomware family (STOP), while the on-disk verdict is a generic trojan signature.

Network, 1/5, vmray_download_file_by_http
  Downloads file via http from "http://texet1.ug/ASUdy34576lUAd8756y90/Asd7356oisudfh345683g/get.php?pid=0C9F822062B97945A1C3E8A42C889890". The pid query parameter is a 32-character hex identifier; texet1.ug resolved to 45.86.180.158 (DNS resolutions at the top of the report).

Network, 1/5, vmray_establish_http_connection
  URL "http://texet1.ug/ASUdy34576lUAd8756y90/Asd7356oisudfh345683g/get.php?pid=0C9F822062B97945A1C3E8A42C889890" (connects to HTTP server).

Network, 1/5, vmray_establish_http_connection
  URL "https://api.2ip.ua/geo.json" (connects to HTTP server). api.2ip.ua is a public IP geolocation service (resolved to 77.123.139.189); on its own this request is a weak indicator, since legitimate software queries such services too.

Reputation, 5/5, vmray_known_malicious_file
  File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\370E.tmp.exe" is a known malicious file.
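The two hostnames, their resolved addresses and the get.php?pid= check-in URL are the network indicators this report yields. As an added example, not from VMRay or the report itself, the following matches them against constructed proxy log lines; the log format (client, method, URL, status) and the example.org and 10.0.0.x entries are this example's own, and only the hostnames, addresses and URL shape come from the report.

```python
"""Match outbound web telemetry against this report's network indicators.

Added example, not VMRay output. The log lines are constructed; only the
hostnames, addresses and the get.php?pid= URL shape come from the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

IOC_HOSTS = {
    "texet1.ug": "sample check-in / download host",
    "api.2ip.ua": "public geo-IP lookup used by the sample (weak on its own)",
}
IOC_IPS = {"45.86.180.158": "texet1.ug", "77.123.139.189": "api.2ip.ua"}
# The report's URL ends in get.php?pid=<32 hex>; the directory names look random
# and may change, so only the script name and the shape of the pid value are matched.
CHECKIN_PATH = re.compile(r"/get\.php$")
PID_VALUE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed proxy log: client, method, URL, status.
LOG = """\
10.0.0.5 GET http://texet1.ug/ASUdy34576lUAd8756y90/Asd7356oisudfh345683g/get.php?pid=0C9F822062B97945A1C3E8A42C889890 200
10.0.0.5 GET https://api.2ip.ua/geo.json 200
10.0.0.7 GET https://example.org/index.html 200
10.0.0.9 GET http://45.86.180.158/other/get.php?pid=abc 404
"""


def classify(line: str) -> tuple[str, list[str]]:
    """Return (client, [indicator tags]) for one log line."""
    client, _method, url, _status = line.split()
    u = urlsplit(url)                      # structured parse, not substring search
    host = (u.hostname or "").lower()
    tags: list[str] = []
    if host in IOC_HOSTS:
        tags.append(f"host:{host}")
    if host in IOC_IPS:                    # direct-to-IP request to a resolved address
        tags.append(f"ip:{host}")
    pid = parse_qs(u.query).get("pid", [""])[0]
    if CHECKIN_PATH.search(u.path) and PID_VALUE.match(pid):
        tags.append("checkin:get.php?pid=<32hex>")
    return client, tags


def scan(log: str) -> list[tuple[str, list[str]]]:
    """All log lines that hit at least one indicator."""
    hits = []
    for line in log.splitlines():
        if line.strip():
            client, tags = classify(line)
            if tags:
                hits.append((client, tags))
    return hits


if __name__ == "__main__":
    for client, tags in scan(LOG):
        print(client, ", ".join(tags))
```

Tagging the hits separately matters for triage: a host that both contacts texet1.ug and sends a 32-hex pid to get.php is a strong match, whereas a lone api.2ip.ua lookup should not page anyone.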