91f77399...e631 | VMRay Analyzer Report
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Spyware, Downloader, Dropper, Trojan

bxavdk.exe

Windows Exe (x86-32)

Created at 2019-07-30T00:49:00

...

Remarks (2/3)

(0x200000e): The overall sleep time of all monitored processes was truncated from "40 seconds" to "10 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

VMRay Threat Indicators (29 rules, 127 matches)

Severity Category Operation Count Classification
5/5
Local AV Malicious content was detected by heuristic scan 6 -
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c3cc523b-34fa-482c-bfe9-b2817c5e36f9\updatewin1.exe" as "Trojan.GenericKD.31534187".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c3cc523b-34fa-482c-bfe9-b2817c5e36f9\updatewin2.exe" as "Trojan.AgentWDCR.SVC".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c3cc523b-34fa-482c-bfe9-b2817c5e36f9\updatewin.exe" as "Trojan.AgentWDCR.SUF".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c3cc523b-34fa-482c-bfe9-b2817c5e36f9\5.exe" as "Trojan.GenericKD.32145393".
    ...
5/5
Reputation Known malicious file 6 Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c3cc523b-34fa-482c-bfe9-b2817c5e36f9\updatewin1.exe" is a known malicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c3cc523b-34fa-482c-bfe9-b2817c5e36f9\updatewin2.exe" is a known malicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c3cc523b-34fa-482c-bfe9-b2817c5e36f9\updatewin.exe" is a known malicious file.
    ...
4/5
Network Modifies network configuration 1 -
  • Modifies the host.conf file, probably to redirect network traffic.
    ...
4/5
File System Modifies content of user files 1 Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
File System Renames user files 1 Ransomware
  • Renames multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
Information Stealing Exhibits Spyware behavior 1 Spyware
  • Tries to read sensitive data of: Microsoft Outlook, Mozilla Firefox, Comodo IceDragon, Cyberfox, Internet Explorer / Edge.
    ...
    • VTI Actions
4/5
Reputation Known malicious URL 6 -
  • Contacted URL "http://dell1.ug/files/penelop/updatewin2.exe" is a known malicious URL.
    ...
  • Contacted URL "http://dell1.ug/files/penelop/5.exe" is a known malicious URL.
    ...
  • Contacted URL "bronze2.hk/1/index.php" is a known malicious URL.
    ...
  • Contacted URL "bronze2.hk" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://dell1.ug/files/penelop/5.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://dell1.ug/files/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
3/5
Information Stealing Reads cryptocurrency wallet locations 2 -
3/5
File System Possibly drops ransom note files 1 Ransomware
  • Possibly drops ransom note files (creates 28 instances of the file "_readme.txt" in different locations).
    ...
3/5
Anti Analysis Delays execution 1 -
  • Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3a21fbc5-dd69-4c4d-8afb-49507938dea0\bxavdk.exe", to be triggered by Time. Task has been rescheduled by the analyzer.
    ...
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection 1 -
2/5
Information Stealing Reads sensitive browser data 6 -
  • Trying to read sensitive data of web browser "Mozilla Firefox" by file.
    ...
  • Trying to read sensitive data of web browser "Comodo IceDragon" by file.
    ...
  • Trying to read sensitive data of web browser "Cyberfox" by file.
    ...
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry.
    ...
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by file.
    ...
2/5
Information Stealing Reads sensitive mail data 1 -
  • Trying to read sensitive data of mail application "Microsoft Outlook" by registry.
    ...
2/5
Information Stealing Reads sensitive ftp data 1 -
  • Trying to read sensitive data of ftp application "FileZilla" by file.
    ...
2/5
Information Stealing Reads sensitive application data 2 -
  • Trying to read sensitive data of application "WinSCP" by registry.
    ...
  • Trying to read sensitive data of application "Pidgin" by file.
    ...
2/5
Reputation Known suspicious URL 11 -
  • Contacted URL "http://dell1.ug/Aksdj8457hljskdfsdf/Asdh4835yo3iuhlkjdfgdf/get.php?pid=36D07653B13F0945D4104F0CC1D31E1D&first=true" is a known suspicious URL.
    ...
  • Contacted URL "http://dell1.ug/files/penelop/updatewin1.exe" is a known suspicious URL.
    ...
  • Contacted URL "http://dell1.ug/files/penelop/updatewin.exe" is a known suspicious URL.
    ...
  • Contacted URL "http://dell1.ug/files/penelop/3.exe" is a known suspicious URL.
    ...
  • Contacted URL "http://dell1.ug/files/penelop/4.exe" is a known suspicious URL.
    ...
  • Contacted URL "dell1.ug" is a known suspicious URL.
    ...
    • VTI Actions
  • URL "http://dell1.ug/files/penelop/4.exe" embedded in file "analysis.pcap" is a known suspicious URL.
    ...
    • VTI Actions
  • URL "http://dell1.ug/Aksdj8457hljskdfsdf/Asdh4835yo3iuhlkjdfgdf/get.php?pid=36D07653B13F0945D4104F0CC1D31E1D&first=true" embedded in file "analysis.pcap" is a known suspicious URL.
    ...
    • VTI Actions
  • URL "http://dell1.ug/files/penelop/updatewin1.exe" embedded in file "analysis.pcap" is a known suspicious URL.
    ...
    • VTI Actions
  • URL "http://dell1.ug/files/penelop/updatewin.exe" embedded in file "analysis.pcap" is a known suspicious URL.
    ...
    • VTI Actions
  • URL "http://dell1.ug/files/penelop/3.exe" embedded in file "analysis.pcap" is a known suspicious URL.
    ...
    • VTI Actions
1/5
Persistence Installs system startup script or application 1 -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\3a21fbc5-dd69-4c4d-8afb-49507938dea0\bxavdk.exe" --AutoStart" to Windows startup via registry.
    ...
1/5
Process Creates process with hidden window 2 -
  • The process "icacls" starts with hidden window.
    ...
  • The process "powershell" starts with hidden window.
    ...
1/5
Process Creates system object 2 -
  • Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}".
    ...
  • Creates mutex with name "A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69".
    ...
1/5
File System Modifies operating system directory 1 -
1/5
Information Stealing Reads system data 1 -
  • Reads the cryptographic machine GUID from registry.
    ...
1/5
Information Stealing Possibly does reconnaissance 8 -
  • Possibly trying to gather information about application "Mozilla Firefox" by file.
    ...
  • Possibly trying to gather information about application "Comodo IceDragon" by file.
    ...
  • Possibly trying to gather information about application "Cyberfox" by file.
    ...
  • Possibly trying to gather information about application "FileZilla" by file.
    ...
  • Possibly trying to gather information about application "WinSCP" by registry.
    ...
  • Possibly trying to gather information about application "Pidgin" by file.
    ...
  • Possibly trying to gather information about application "Monero" by registry.
    ...
  • Possibly trying to gather information about application "Bitcoin-Qt" by registry.
    ...
1/5
File System Creates an unusually large number of files 1 -
1/5
Process Overwrites code 1 -
1/5
Network Downloads file 1 -
  • Downloads file via http from "http://dell1.ug/Aksdj8457hljskdfsdf/Asdh4835yo3iuhlkjdfgdf/get.php?pid=36D07653B13F0945D4104F0CC1D31E1D&first=true".
    ...
1/5
Network Downloads executable 4 Downloader
1/5
Network Connects to HTTP server 9 -
  • URL "http://dell1.ug/Aksdj8457hljskdfsdf/Asdh4835yo3iuhlkjdfgdf/get.php?pid=36D07653B13F0945D4104F0CC1D31E1D&first=true".
    ...
  • URL "http://dell1.ug/files/penelop/updatewin1.exe".
    ...
  • URL "http://dell1.ug/files/penelop/updatewin2.exe".
    ...
  • URL "http://dell1.ug/files/penelop/updatewin.exe".
    ...
1/5
PE Drops PE file 47 Dropper
0/5
Process Enumerates running processes 1 -

Screenshots

Monitored Processes

Process Graph

Process Graph Legend

Sample Information

ID #128317
MD5 7483afe53920181f720c1ee19e824126 Copy to Clipboard
SHA1 da2383fdee2ebc4a7a02b7fa5cce0e3d0eff6d9a Copy to Clipboard
SHA256 91f773991e29b1b3b8924651d0f90124a9fab914999204abcb52aaacf544e631 Copy to Clipboard
SSDeep 12288:DDEFjByUqLsV3+gVUqchrcB4+rH4BVfUs:DD+QUqLQVUbhrw4NVfU Copy to Clipboard
ImpHash 728eebd5d6c96c2f9a53306b79d555e9 Copy to Clipboard
Filename bxavdk.exe
File Size 559.50 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-30 02:49 (UTC+2)
Analysis Duration 00:04:27
Number of Monitored Processes 13
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 6
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image