Ransomware
Mal/Generic-S
Created on 2024-04-27T09:25:04+00:00
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe
Remarks (2/3)
(0x02000008): One or more processes crashed during the analysis. Analysis results may be incomplete.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "35 minutes, 56 seconds" to "42 seconds" to reveal dormant functionality.
(0x0200005D): 12210 additional dumps with the reason "Content Changed" and a total of 20668 MB were skipped because the respective maximum limit was reached.
This list contains only the embedded files, downloaded files, and dropped files
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\kEecfMwgj\Desktop\2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | Sample File | Binary | Malicious |

Verdict | Malicious |
Names | Mal/Generic-S |
Image Base | 0x00400000 |
Entry Point | 0x00DDED44 |
Size Of Code | 0x00002000 |
Size Of Initialized Data | 0x00008000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2008-11-16 03:29 (UTC) |
FileDescription | - |
FileVersion | 1, 0, 0, 0 |
CompiledScript | *E_P_E_N KA* Sorong_papua 17-08-2008 By PinkCell,MentariCell,SimpatiCell,CakcraCell,and LunaMaya Ilove you Script: 1, 0, 0, 0 |
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
- | 0x00401000 | 0x00022000 | 0x00005200 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.97 |
- | 0x00423000 | 0x00002000 | 0x00002000 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98 |
- | 0x00425000 | 0x00002000 | 0x00000200 | 0x00007600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.62 |
.rsrc | 0x00427000 | 0x00006000 | 0x00005E00 | 0x00007800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.18 |
- | 0x0042D000 | 0x0079D000 | 0x00032800 | 0x0000D600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 8.0 |
.data | 0x00BCA000 | 0x00217000 | 0x00216400 | 0x0003FE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetModuleHandleA | - | 0x00BCDF4C | 0x007CDF4C | 0x00043D4C | 0x00000000 |
GetProcAddress | - | 0x00BCDF50 | 0x007CDF50 | 0x00043D50 | 0x00000000 |
ExitProcess | - | 0x00BCDF54 | 0x007CDF54 | 0x00043D54 | 0x00000000 |
LoadLibraryA | - | 0x00BCDF58 | 0x007CDF58 | 0x00043D58 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
MessageBoxA | - | 0x00BCDF60 | 0x007CDF60 | 0x00043D60 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegCloseKey | - | 0x00BCDF68 | 0x007CDF68 | 0x00043D68 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SysFreeString | - | 0x00BCDF70 | 0x007CDF70 | 0x00043D70 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontA | - | 0x00BCDF78 | 0x007CDF78 | 0x00043D78 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShellExecuteA | - | 0x00BCDF80 | 0x007CDF80 | 0x00043D80 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetFileVersionInfoA | - | 0x00BCDF88 | 0x007CDF88 | 0x00043D88 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
__vbaVarSub | - | 0x00BCDF90 | 0x007CDF90 | 0x00043D90 | 0x00000000 |
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Relevant Image | 32-bit | 0x00DDED44 |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x00578BB0 |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x0057D818 |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x0053C458 |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x00431238 |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x0043BC68 |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x0048BD90 |
buffer | 1 | 0x002A0000 | 0x002A0FFF | Content Changed | 32-bit | - |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x0048E3C0 |
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe | 1 | 0x00400000 | 0x00DE0FFF | Content Changed | 32-bit | 0x0049045C |
buffer | 1 | 0x7EBD0000 | 0x7EFA0FFF | First Execution | 32-bit | 0x7EBD0000 |
kernel32.dll | 1 | 0x75A80000 | 0x75B8FFFF | First Execution | 32-bit | 0x75A917E9 |
user32.dll | 1 | 0x75980000 | 0x75A7FFFF | First Execution | 32-bit | 0x7599DB21 |
oleaut32.dll | 1 | 0x775D0000 | 0x7765EFFF | First Execution | 32-bit | 0x775D45D2 |
gdi32.dll | 1 | 0x771B0000 | 0x7723FFFF | First Execution | 32-bit | 0x771C4EB8 |
advapi32.dll | 1 | 0x76F40000 | 0x76FDFFFF | First Execution | 32-bit | 0x76F54620 |
buffer | 1 | 0x003E0000 | 0x003EFFFF | First Execution | 32-bit | 0x003E7298 |
msvcrt.dll | 1 | 0x76DC0000 | 0x76E6BFFF | First Execution | 32-bit | 0x76DC9910 |
rpcrt4.dll | 1 | 0x774E0000 | 0x775CFFFF | First Execution | 32-bit | 0x774FDE1D |
buffer | 1 | 0x002C0000 | 0x002C0FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x031E0000 | 0x032DFFFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x03314000 | 0x03317FFF | Marked Executable | 32-bit | - |
File Name | Category | Type | Verdict |
---|---|---|---|
\??\c:\users\keecfmwgj\appdata\local\temp\avscan.exe | Dropped File | Binary | Malicious |
Image Base | 0x00400000 |
Entry Point | 0x00DDED44 |
Size Of Code | 0x00002000 |
Size Of Initialized Data | 0x00008000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2008-11-16 03:29 (UTC) |
FileDescription | - |
FileVersion | 1, 0, 0, 0 |
CompiledScript | *E_P_E_N KA* Sorong_papua 17-08-2008 By PinkCell,MentariCell,SimpatiCell,CakcraCell,and LunaMaya Ilove you Script: 1, 0, 0, 0 |
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
- | 0x00401000 | 0x00022000 | 0x00005200 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.97 |
- | 0x00423000 | 0x00002000 | 0x00002000 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98 |
- | 0x00425000 | 0x00002000 | 0x00000200 | 0x00007600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.62 |
.rsrc | 0x00427000 | 0x00006000 | 0x00005E00 | 0x00007800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.18 |
- | 0x0042D000 | 0x0079D000 | 0x00032800 | 0x0000D600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 8.0 |
.data | 0x00BCA000 | 0x00217000 | 0x00216400 | 0x0003FE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetModuleHandleA | - | 0x00BCDF4C | 0x007CDF4C | 0x00043D4C | 0x00000000 |
GetProcAddress | - | 0x00BCDF50 | 0x007CDF50 | 0x00043D50 | 0x00000000 |
ExitProcess | - | 0x00BCDF54 | 0x007CDF54 | 0x00043D54 | 0x00000000 |
LoadLibraryA | - | 0x00BCDF58 | 0x007CDF58 | 0x00043D58 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
MessageBoxA | - | 0x00BCDF60 | 0x007CDF60 | 0x00043D60 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegCloseKey | - | 0x00BCDF68 | 0x007CDF68 | 0x00043D68 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SysFreeString | - | 0x00BCDF70 | 0x007CDF70 | 0x00043D70 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontA | - | 0x00BCDF78 | 0x007CDF78 | 0x00043D78 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShellExecuteA | - | 0x00BCDF80 | 0x007CDF80 | 0x00043D80 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetFileVersionInfoA | - | 0x00BCDF88 | 0x007CDF88 | 0x00043D88 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
__vbaVarSub | - | 0x00BCDF90 | 0x007CDF90 | 0x00043D90 | 0x00000000 |
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
avscan.exe | 5 | 0x00400000 | 0x00DE0FFF | Relevant Image | 32-bit | 0x00DDED44 |
kernel32.dll | 5 | 0x75A80000 | 0x75B8FFFF | First Execution | 32-bit | 0x75A917E9 |
user32.dll | 5 | 0x75980000 | 0x75A7FFFF | First Execution | 32-bit | 0x7599DB21 |
oleaut32.dll | 5 | 0x775D0000 | 0x7765EFFF | First Execution | 32-bit | 0x775D45D2 |
gdi32.dll | 5 | 0x771B0000 | 0x7723FFFF | First Execution | 32-bit | 0x771C4EB8 |
advapi32.dll | 5 | 0x76F40000 | 0x76FDFFFF | First Execution | 32-bit | 0x76F54620 |
buffer | 5 | 0x003A0000 | 0x003AFFFF | First Execution | 32-bit | 0x003A7298 |
hosts.exe | 7 | 0x00400000 | 0x00DE0FFF | Relevant Image | 32-bit | 0x00DDED44 |
avscan.exe | 5 | 0x00400000 | 0x00DE0FFF | Final Dump | 32-bit | 0x00523EA2 |
hosts.exe | 7 | 0x00400000 | 0x00DE0FFF | Final Dump | 32-bit | - |
avscan.exe | 9 | 0x00400000 | 0x00DE0FFF | Relevant Image | 32-bit | 0x00DDED44 |
Verdict | Malicious |
Names | Mal/Generic-S |