VTI SCORE: 100/100
Dynamic Analysis Report |
Classification: Ransomware, Trojan, Worm |
1.EXE.QUARANTINE.exe
Windows Exe (x86-32)
Created at 2019-11-05T15:39:00
Remarks
(0x200001e): The maximum size of extracted files was exceeded. Some files may be missing in the report.
(0x200001d): The maximum number of extracted files was exceeded. Some files may be missing in the report.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filters: |
There are no files for this filter
There are no files in this analysis
Filename | Category | Type | Severity | Actions |
---|
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\1.EXE.QUARANTINE.exe | Sample File | Binary |
Malicious
|
...
|
»
File Reputation Information
»
Severity |
Blacklisted
|
First Seen | 2019-11-05 00:04 (UTC+1) |
Last Seen | 2019-11-05 00:04 (UTC+1) |
Names | Win32.Trojan.Filecoder |
Families | Filecoder |
Classification | Trojan |
PE Information
»
Image Base | 0x400000 |
Entry Point | 0x4031e0 |
Size Of Code | 0x2400 |
Size Of Initialized Data | 0x2600 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2019-11-03 16:40:53+00:00 |
Sections (5)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0x22ff | 0x2400 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.3 |
.rdata | 0x404000 | 0xb44 | 0xc00 | 0x2800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.54 |
.data | 0x405000 | 0x2658 | 0x200 | 0x3400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.58 |
.rsrc | 0x408000 | 0x13a4 | 0x1400 | 0x3600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.08 |
.reloc | 0x40a000 | 0x3f4 | 0x400 | 0x4a00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.73 |
Imports (4)
»
SHLWAPI.dll (5)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
wnsprintfW | 0x0 | 0x4040b4 | 0x46f0 | 0x2ef0 | 0x16e |
StrStrIW | 0x0 | 0x4040b8 | 0x46f4 | 0x2ef4 | 0x145 |
StrCmpNA | 0x0 | 0x4040bc | 0x46f8 | 0x2ef8 | 0x11b |
StrCmpNW | 0x0 | 0x4040c0 | 0x46fc | 0x2efc | 0x122 |
PathRemoveFileSpecW | 0x0 | 0x4040c4 | 0x4700 | 0x2f00 | 0x8b |
WININET.dll (8)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
InternetReadFile | 0x0 | 0x4040cc | 0x4708 | 0x2f08 | 0x9f |
InternetOpenW | 0x0 | 0x4040d0 | 0x470c | 0x2f0c | 0x9a |
InternetConnectW | 0x0 | 0x4040d4 | 0x4710 | 0x2f10 | 0x72 |
HttpSendRequestW | 0x0 | 0x4040d8 | 0x4714 | 0x2f14 | 0x5e |
HttpOpenRequestW | 0x0 | 0x4040dc | 0x4718 | 0x2f18 | 0x58 |
InternetCloseHandle | 0x0 | 0x4040e0 | 0x471c | 0x2f1c | 0x6b |
InternetQueryDataAvailable | 0x0 | 0x4040e4 | 0x4720 | 0x2f20 | 0x9b |
InternetCrackUrlW | 0x0 | 0x4040e8 | 0x4724 | 0x2f24 | 0x74 |
KERNEL32.dll (40)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ExpandEnvironmentStringsW | 0x0 | 0x404010 | 0x464c | 0x2e4c | 0x11d |
CreateThread | 0x0 | 0x404014 | 0x4650 | 0x2e50 | 0xb5 |
lstrcpyW | 0x0 | 0x404018 | 0x4654 | 0x2e54 | 0x548 |
GetWindowsDirectoryW | 0x0 | 0x40401c | 0x4658 | 0x2e58 | 0x2af |
CloseHandle | 0x0 | 0x404020 | 0x465c | 0x2e5c | 0x52 |
DeleteCriticalSection | 0x0 | 0x404024 | 0x4660 | 0x2e60 | 0xd1 |
CreateToolhelp32Snapshot | 0x0 | 0x404028 | 0x4664 | 0x2e64 | 0xbe |
FindNextFileW | 0x0 | 0x40402c | 0x4668 | 0x2e68 | 0x145 |
lstrcatW | 0x0 | 0x404030 | 0x466c | 0x2e6c | 0x53f |
lstrcmpiW | 0x0 | 0x404034 | 0x4670 | 0x2e70 | 0x545 |
GetTickCount | 0x0 | 0x404038 | 0x4674 | 0x2e74 | 0x293 |
HeapReAlloc | 0x0 | 0x40403c | 0x4678 | 0x2e78 | 0x2d2 |
HeapAlloc | 0x0 | 0x404040 | 0x467c | 0x2e7c | 0x2cb |
HeapFree | 0x0 | 0x404044 | 0x4680 | 0x2e80 | 0x2cf |
GetProcessHeap | 0x0 | 0x404048 | 0x4684 | 0x2e84 | 0x24a |
FindResourceW | 0x0 | 0x40404c | 0x4688 | 0x2e88 | 0x14e |
LoadResource | 0x0 | 0x404050 | 0x468c | 0x2e8c | 0x341 |
SizeofResource | 0x0 | 0x404054 | 0x4690 | 0x2e90 | 0x4b1 |
GetModuleHandleA | 0x0 | 0x404058 | 0x4694 | 0x2e94 | 0x215 |
WideCharToMultiByte | 0x0 | 0x40405c | 0x4698 | 0x2e98 | 0x511 |
LoadLibraryA | 0x0 | 0x404060 | 0x469c | 0x2e9c | 0x33c |
lstrcpyA | 0x0 | 0x404064 | 0x46a0 | 0x2ea0 | 0x547 |
ExitProcess | 0x0 | 0x404068 | 0x46a4 | 0x2ea4 | 0x119 |
FindFirstFileW | 0x0 | 0x40406c | 0x46a8 | 0x2ea8 | 0x139 |
SetFilePointerEx | 0x0 | 0x404070 | 0x46ac | 0x2eac | 0x467 |
GetUserDefaultLangID | 0x0 | 0x404074 | 0x46b0 | 0x2eb0 | 0x29c |
InitializeCriticalSection | 0x0 | 0x404078 | 0x46b4 | 0x2eb4 | 0x2e2 |
OpenProcess | 0x0 | 0x40407c | 0x46b8 | 0x2eb8 | 0x380 |
CopyFileW | 0x0 | 0x404080 | 0x46bc | 0x2ebc | 0x75 |
LeaveCriticalSection | 0x0 | 0x404084 | 0x46c0 | 0x2ec0 | 0x339 |
TerminateProcess | 0x0 | 0x404088 | 0x46c4 | 0x2ec4 | 0x4c0 |
GetModuleFileNameW | 0x0 | 0x40408c | 0x46c8 | 0x2ec8 | 0x214 |
lstrcmpW | 0x0 | 0x404090 | 0x46cc | 0x2ecc | 0x542 |
lstrlenW | 0x0 | 0x404094 | 0x46d0 | 0x2ed0 | 0x54e |
GetLastError | 0x0 | 0x404098 | 0x46d4 | 0x2ed4 | 0x202 |
MoveFileW | 0x0 | 0x40409c | 0x46d8 | 0x2ed8 | 0x363 |
EnterCriticalSection | 0x0 | 0x4040a0 | 0x46dc | 0x2edc | 0xee |
FindClose | 0x0 | 0x4040a4 | 0x46e0 | 0x2ee0 | 0x12e |
WaitForMultipleObjects | 0x0 | 0x4040a8 | 0x46e4 | 0x2ee4 | 0x4f7 |
Process32NextW | 0x0 | 0x4040ac | 0x46e8 | 0x2ee8 | 0x398 |
ADVAPI32.dll (3)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CryptDestroyKey | 0x0 | 0x404000 | 0x463c | 0x2e3c | 0xb7 |
CryptGenKey | 0x0 | 0x404004 | 0x4640 | 0x2e40 | 0xc0 |
CryptExportKey | 0x0 | 0x404008 | 0x4644 | 0x2e44 | 0xbf |
Memory Dumps (2)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Points | AV | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|---|
1.exe.quarantine.exe | 1 | 0x00180000 | 0x0018AFFF | Relevant Image | - | 32-bit | - |
...
|
||
1.exe.quarantine.exe | 1 | 0x00180000 | 0x0018AFFF | Final Dump | - | 32-bit | - |
...
|
Local AV Matches (1)
»
Threat Name | Severity |
---|---|
Gen:Trojan.Heur.FU.buW@aSdXKPni |
Malicious
|
YARA Matches (1)
»
Rule Name | Rule Description | Classification | Score | Actions |
---|---|---|---|---|
OlympicDestroyer_Gen1 | Olympic Destroyer destructive malware | Worm |
5/5
|
...
|
\\?\C:\Boot\BCD.LOG1_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab_forv_{KNUJ5K}.for | Dropped File | Binary |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab_forv_{KNUJ5K}.for | Dropped File | Stream |
Unknown
|
...
|
»
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\taridd | Dropped File | Text |
Unknown
|
...
|
»
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\---==%$$$OPEN_ME_UP$$$==---.txt | Dropped File | Text |
Unknown
|
...
|
»