9c17cc38...7a59 | VMRay Analyzer Report
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Downloader, Dropper, Trojan

E0A7.tmp.exe

Windows Exe (x86-32)

Created at 2019-05-05T18:38:00

...

Remarks (2/2)

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

VMRay Threat Indicators (17 rules, 42 matches)

Severity Category Operation Count Classification
5/5
Local AV Malicious content was detected by heuristic scan 5 -
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c557195c-349f-4f92-bc77-a9a63b9592e0\updatewin1.exe" as "Trojan.GenericKD.31534187".
    ...
  • Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c557195c-349f-4f92-bc77-a9a63b9592e0\updatewin2.exe" as "DeepScan:Generic.Zamg.8.B9502EF1".
    ...
  • Local AV detected the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c557195c-349f-4f92-bc77-a9a63b9592e0\updatewin.exe" as "Gen:Variant.Ulise.24131".
    ...
4/5
File System Modifies content of user files 1 Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
File System Renames user files 1 Ransomware
  • Renames multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
Reputation Known malicious URL 12 -
  • Contacted URL "http://pool.ug/tesptc/penelop/updatewin1.exe" is a known malicious URL.
    ...
  • Contacted URL "http://pool.ug/tesptc/penelop/updatewin2.exe" is a known malicious URL.
    ...
  • Contacted URL "http://pool.ug/tesptc/penelop/updatewin.exe" is a known malicious URL.
    ...
  • Contacted URL "http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php?pid=E3674298AE18BF5A335DF90DDA3F669F" is a known malicious URL.
    ...
  • Contacted URL "http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php?pid=E3674298AE18BF5A335DF90DDA3F669F&first=true" is a known malicious URL.
    ...
  • Contacted URL "pool.ug" is a known malicious URL.
    ...
    • VTI Actions
  • Contacted URL "root.ug" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/updatewin.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php?pid=E3674298AE18BF5A335DF90DDA3F669F&first=true" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://pool.ug/tesptc/penelop/updatewin1.exe" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
  • URL "http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php?pid=E3674298AE18BF5A335DF90DDA3F669F" embedded in file "analysis.pcap" is a known malicious URL.
    ...
    • VTI Actions
3/5
Anti Analysis Delays execution 1 -
  • Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2006ca9c-6d4b-419c-b4a6-823d20d370ff\E0A7.tmp.exe", to be triggered by Time. Task has been rescheduled by the analyzer.
    ...
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection 1 -
2/5
Reputation Known suspicious file 4 Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c557195c-349f-4f92-bc77-a9a63b9592e0\updatewin.exe" is a known suspicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c557195c-349f-4f92-bc77-a9a63b9592e0\updatewin1.exe" is a known suspicious file.
    ...
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c557195c-349f-4f92-bc77-a9a63b9592e0\updatewin2.exe" is a known suspicious file.
    ...
1/5
Persistence Installs system startup script or application 1 -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2006ca9c-6d4b-419c-b4a6-823d20d370ff\E0A7.tmp.exe" --AutoStart" to Windows startup via registry.
    ...
1/5
Process Creates process with hidden window 2 -
  • The process "icacls" starts with hidden window.
    ...
  • The process "powershell" starts with hidden window.
    ...
1/5
Process Creates system object 1 -
  • Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}".
    ...
1/5
File System Creates an unusually large number of files 1 -
1/5
Process Overwrites code 1 -
1/5
Network Downloads executable 2 Downloader
1/5
Network Connects to HTTP server 6 -
  • URL "http://pool.ug/tesptc/penelop/updatewin1.exe".
    ...
  • URL "http://pool.ug/tesptc/penelop/updatewin2.exe".
    ...
  • URL "http://pool.ug/tesptc/penelop/updatewin.exe".
    ...
  • URL "http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php?pid=E3674298AE18BF5A335DF90DDA3F669F".
    ...
  • URL "http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php?pid=E3674298AE18BF5A335DF90DDA3F669F&first=true".
    ...
1/5
PE Drops PE file 1 Dropper
1/5
Static Unparsable sections in file 1 -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E0A7.tmp.exe.
    ...
0/5
Process Enumerates running processes 1 -

Screenshots

Monitored Processes

Process Graph

Process Graph Legend

Sample Information

ID #639029
MD5 246d6fa957bd9bd9bd444ba8a6c38457 Copy to Clipboard
SHA1 fb90a2e9e3f3d4bf350a5c8d475c843f072bc1f5 Copy to Clipboard
SHA256 9c17cc38feddc8aec42f4d7e84ff85260e0e5d955c38e42573a21c18836c7a59 Copy to Clipboard
SSDeep 6144:agBl9KO2wSlnYlm8px3b3RY+F2q9QgW6jw5oJ48ph1nt2EuqAs00:aEKOZSlnbE3b3RiqW6jw5o6831/A Copy to Clipboard
ImpHash 859ea9b82a80f048456c437967082433 Copy to Clipboard
Filename E0A7.tmp.exe
File Size 466.00 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-05-05 20:38 (UTC+2)
Analysis Duration 00:04:51
Number of Monitored Processes 11
Execution Successful True
Reputation Enabled True
WHOIS Enabled True
Local AV Enabled True
YARA Enabled True
Number of AV Matches 7
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image