d77378dc...c8d0 | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Downloader, Ransomware

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0 (SHA256)

o.exe

Windows Exe (x86-32)

Created at 2018-09-24 10:34:00

...

Notifications (2/3)

Due to a reputation service error, no query could be made to determine the reputation status of file hashes.

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Severity Category Operation Classification
5/5
File System Encrypts content of user files Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
    ...
5/5
Device Writes to Master Boot Record (MBR) -
3/5
Persistence Adds file to open the next time Excel is launched -
  • Adds "c:\users\eebsym5\appdata\roaming\microsoft\excel\xlstart\ibagx-decrypt.html" to a default Excel XLStart folder
    ...
  • Adds "c:\users\eebsym5\appdata\roaming\microsoft\excel\xlstart\90c08d8190c08a69610.lock" to a default Excel XLStart folder
    ...
3/5
OS Modifies certificate store -
  • Adds a certificate to the local "my" ibagx-decrypt.html list by file.
    ...
  • Adds a certificate to the local "my" certificate trust list by file.
    ...
3/5
Persistence Adds file to open the next time Word is launched -
  • Adds "c:\users\eebsym5\appdata\roaming\microsoft\word\startup\ibagx-decrypt.html" to a default Word Startup folder
    ...
  • Adds "c:\users\eebsym5\appdata\roaming\microsoft\word\startup\90c08d8190c08a69610.lock" to a default Word Startup folder
    ...
3/5
Browser Reads data related to browser cookies -
3/5
Browser Reads data related to saved browser credentials -
2/5
Anti Analysis Tries to detect virtual machine -
  • Reads out system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").
    ...
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection -
2/5
Browser Reads data related to browsing history -
  • Reads browsing history and related data, such as bookmarks, for "Mozilla Firefox".
    ...
2/5
Network Associated with known malicious/suspicious URLs -
  • URL "HTTP://pp-panda74.ru/data/assets/dameth.png" is known as malicious URL.
    ...
  • URL "HTTP://dna-cp.com/wp-content/tmp/dahehe.gif" is known as malicious URL.
    ...
  • URL "HTTP://www.cakav.hu/news/pictures/heimammomees.bmp" is known as malicious URL.
    ...
1/5
Process Creates system object -
1/5
Hide Tracks Writes an unually large amount of data to the registry -
  • Hides 1688 byte in "HKEY_CURRENT_USER\SOFTWARE\keys_data\data\private".
    ...
1/5
File System Modifies application directory -
  • Modifies "c:\program files\microsoft sql server compact edition\ibagx-decrypt.html".
    ...
  • Modifies "c:\program files\microsoft sql server compact edition\v3.5\ibagx-decrypt.html".
    ...
  • Modifies "c:\program files\microsoft sql server compact edition\v3.5\desktop\ibagx-decrypt.html".
    ...
1/5
Process Creates process with hidden window -
  • The process "C:\Windows\system32\wbem\wmic.exe" starts with hidden window.
    ...
1/5
File System Creates an unusually large number of files -
1/5
Network Downloads data Downloader
  • URL "HTTP://www.perfectfunnelblueprint.com/static/image/medethke.png".
    ...
  • URL "HTTP://bellytobabyphotographyseattle.com/uploads/images/moruesdese.gif".
    ...
1/5
Network Connects to HTTP server -
  • URL "bellytobabyphotographyseattle.com/uploads/images/moruesdese.gif".
    ...
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image