bdf36127...268f

VTI SCORE: 94/100

Dynamic Analysis Report

Classification: Ransomware

bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f (SHA256)

svch0st.11077.exe

Windows Exe (x86-32)

Created at 2019-01-24 09:45:00

Notifications (1/1)

Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.

Severity	Category	Operation	Classification
4/5	File System	Renames user files	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to function call
3/5	Process	Creates an unusally large number of processes	-
Above average number of processes were monitored. ... VTI Actions Go to function call
3/5	Browser	Reads data related to saved browser credentials	-
Reads saved credentials for "Google Chrome". ... VTI Actions
Reads saved credentials for "Mozilla Firefox". ... VTI Actions
2/5	Browser	Reads data related to browser cookies	-
Accesses Cookies for "Google Chrome". ... VTI Actions
Accesses Cookies for "Microsoft Internet Explorer". ... VTI Actions
Accesses Cookies for "Mozilla Firefox". ... VTI Actions
1/5	Anti Analysis	Resolves APIs dynamically	-
Resolves an unusually high number of APIs. ... VTI Actions Go to function call
1/5	Process	Creates process with hidden window	-
The process "C:\Users\5P5NRG~1\AppData\Local\Temp\svch0st.30099.exe" starts with hidden window. ... VTI Actions Go to function call
1/5	Persistence	Installs system startup script or application	-
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup" to Windows startup folder. ... VTI Actions

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Before

After