8ebf2ae4...291e

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Trojan, Dropper, Wiper, Ransomware

8ebf2ae4c362f76d402703efe3dc095901f2d78917f88a520b67584a7d8f291e (SHA256)

LIGMA.exe

Windows Exe (x86-32)

Created at 2018-09-08 08:53:00

Notifications (2/3)

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The overall sleep time of all monitored processes was truncated from "1 minute, 15 seconds" to "30 seconds" to reveal dormant functionality.

The operating system was rebooted during the analysis.

Severity	Category	Operation	Classification
5/5	Device	Writes to Master Boot Record (MBR)	-
Writes 512 bytes to master boot record (MBR). ... VTI Actions Go to MBR modification
4/5	File System	Modifies content of user files	Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to function call
4/5	File System	Deletes user files	Wiper
Deletes multiple user files. This is an indicator for ransomware or wiper malware. ... VTI Actions Go to function call
4/5	OS	Disables a crucial system tool	-
Disables the Registry Editor. ... VTI Actions Go to function call
4/5	File System	Known malicious file	Trojan
File "C:\Users\CIiHmnxMn6Ps\Desktop\LIGMA.exe" is a known malicious file. ... VTI Actions Go to file details
3/5	OS	Modifies system security configuration	-
Disables UAC notifications. ... VTI Actions Go to function call
3/5	OS	Modifies system configuration	-
Disables the display of hidden files and folders. ... VTI Actions Go to function call
2/5	Device	Accesses physical drive	-
Accesses physical drive "\device\harddisk0\dr0". ... VTI Actions Go to function call
2/5	Anti Analysis	Tries to detect virtual machine	-
Possibly trying to detect VM via rdtsc. ... VTI Actions
1/5	Process	Creates process with hidden window	-
The process ""C:\WinWOW32\\work.bat"" starts with hidden window. ... VTI Actions Go to function call
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to file details Go to function call
1/5	PE	Drops PE file	Dropper
Drops file "C:\WinWOW32\Payloads.dll". ... VTI Actions Go to file details Go to function call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (2/3)

Before

After