c40ba66f...dbe2

VMRay Threat Indicators (18 rules, 41 matches)

Severity	Category	Operation	Classification
4/5	File System	Modifies content of user files	Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt. ... VTI Actions
4/5	File System	Renames user files	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	OS	Modifies Windows automatic backups	-
Deletes Windows volume shadow copies. ... VTI Actions Go to process
3/5	Anti Analysis	Tries to detect application sandbox	-
Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_version". ... VTI Actions Go to Behavior
3/5	Browser	Reads data related to browser cookies	-
Reads Cookies for "Microsoft Edge". ... VTI Actions Go to Behavior
Accesses Cookies for "Microsoft Edge". ... VTI Actions
3/5	File System	Possibly drops ransom note files	Ransomware
Possibly drops ransom note files (creates 131 instances of the file "# instructions-HKJIL #.txt" in different locations). ... VTI Actions Go to file details
2/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Behavior
2/5	Network	Sets up server that accepts incoming connections	Backdoor
UDP server listens on port "49680". ... VTI Actions Go to Behavior
UDP server listens on port "49681". ... VTI Actions Go to Behavior
UDP server listens on port "49682". ... VTI Actions Go to Behavior
UDP server listens on port "49700". ... VTI Actions Go to Behavior
UDP server listens on port "49701". ... VTI Actions Go to Behavior
UDP server listens on port "49702". ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive browser data	-
Trying to read sensitive data of web browser "Internet Explorer / Edge" by file. ... VTI Actions
2/5	File System	Known suspicious file	Exploit
File "C:\Users\FD1HVy\Desktop\Flash_Player.exe" is a known suspicious file. ... VTI Actions Go to file details
1/5	Network	Performs DNS request	-
Resolves host name "iplogger.org". ... VTI Actions Go to Behavior
Resolves host name "www.kremlin.ru". ... VTI Actions Go to Behavior
Resolves host name "ipapi.co". ... VTI Actions Go to Behavior
Resolves host name "google.com". ... VTI Actions Go to Behavior
Resolves host name "www.google.com". ... VTI Actions Go to Behavior
Resolves host name "127.0.0.1". ... VTI Actions Go to Behavior
Resolves local IP "127.0.0.1". ... VTI Actions Go to Behavior
1/5	Information Stealing	Reads system data	-
Reads the cryptographic machine GUID from registry. ... VTI Actions Go to Behavior
1/5	Process	Creates process with hidden window	-
The process "C:\WINDOWS\system32\cmd.exe" starts with hidden window. ... VTI Actions Go to Behavior
1/5	Information Stealing	Possibly does reconnaissance	-
Possibly trying to gather information about application "Skype" by file. ... VTI Actions
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to file details
1/5	Network	Connects to remote host	-
Incoming TCP connection from host "88.99.66.31:443". ... VTI Actions Go to Behavior
Incoming TCP connection from host "95.173.136.71:80". ... VTI Actions Go to Behavior
Incoming TCP connection from host "216.58.206.14:80". ... VTI Actions Go to Behavior
Incoming TCP connection from host "104.25.210.99:443". ... VTI Actions Go to Behavior
Incoming TCP connection from host "216.58.206.4:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "88.99.66.31:443". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "95.173.136.71:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "216.58.206.14:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "104.25.210.99:443". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "216.58.206.4:80". ... VTI Actions Go to Behavior
1/5	Network	Connects to HTTP server	-
URL "www.kremlin.ru/". ... VTI Actions Go to Behavior
URL "google.com/". ... VTI Actions Go to Behavior
URL "www.google.com/". ... VTI Actions Go to Behavior
1/5	PE	The PE file was created with a packer	-
File "C:\Users\FD1HVy\Desktop\Flash_Player.exe" is packed with "UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser". ... VTI Actions Go to file details

Screenshots

Monitored Processes

Sample Information

ID	#519923
MD5	3520dec68c0a8b28e7cf7b49e90a706e
SHA1	9c2ad3d2983ce8a3cf49ab40cd539e94f9faf229
SHA256	c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2
SSDeep	49152:33hTo6mOhe/doE5WXzx1KPL7QxTg0RvQxt+S/n:nhTo6/EazeTE5g0Roxt/f
ImpHash	406f4cbdf82bde91761650ca44a3831a
Filename	Flash_Player.exe
File Size	1.61 MB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-03-17 21:36 (UTC+1)
Analysis Duration	00:04:36
Number of Monitored Processes	23
Execution Successful
Reputation Enabled
WHOIS Enabled
YARA Enabled
Number of YARA Matches	0
Termination Reason	Timeout
Tags

VMRay Threat Indicators (18 rules, 41 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After