VMRay Analyzer Report for Sample #1412073
VMRay Analyzer 3.2.2
Process 1
  PID: 4460
  Image name: iibj7c5gir0xgukk.exe
  Parent PID: 1376
  Process name: iibj7c5gir0xgukk.exe
  Command line: "C:\Users\FD1HVy\Desktop\iIbj7C5GiR0xGUkk.exe"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image path: c:\users\fd1hvy\desktop\iibj7c5gir0xgukk.exe
Process 2
  PID: 3348
  Image name: iibj7c5gir0xgukk.exe
  Parent PID: 4460
  Process name: iibj7c5gir0xgukk.exe
  Command line: "C:\Users\FD1HVy\Desktop\iIbj7C5GiR0xGUkk.exe"
  Working directory: C:\WINDOWS\
  Image path: c:\users\fd1hvy\desktop\iibj7c5gir0xgukk.exe

Process 3
  PID: 3816
  Image name: werfault.exe
  Parent PID: 4460
  Process name: werfault.exe
  Command line: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4460 -s 1316
  Working directory: C:\WINDOWS\system32\
  Image path: c:\windows\syswow64\werfault.exe
Registry keys (WinRegistryKey artifacts)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
    Values: DbgJITDebugLaunchSetting, DbgManagedDebugger
  HKEY_CURRENT_USER\Software\microsoft\Windows\currentversion\Policies\System
  HKEY_CURRENT_USER\Software\microsoft\Windows\currentversion\Policies\System
    Value: "Disable Taskmgr" = 1 (REG_SZ); this policy value blocks Task Manager for the current user
  HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
    Value: DbgDACSkipVerifyDlls
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
    Value: DbgDACSkipVerifyDlls
Analyzed Sample #1412073
Malware Artifacts
Sample-ID: #1412073
Job-ID: #4166097
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 10 Redstone 2 system.
VTI Score: 100 (based on VTI Database Version 3.6)
Metadata of Sample File #1412073
Submission-ID: #5153856
File name: e0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576fexe
MD5: 49d9d587a88074016a2042bdb42b9441
SHA1: 5659837b54f1c48318025051c8541aa915b80aac
SHA256: e0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576f
Metadata of Analysis for Job-ID #4166097
Sample crashed: True
Analysis VM: win10_64_rs2
Architecture: x86 64-bit
Operating system: Windows 10 Redstone 2
OS build: 10.0.15063.540 (f6f48955-5489-4b24-b4df-942361f0730d)
User name: FD1HVy
Other recorded values (unlabeled in the source report): True, 240.073, NQDPDE, NQDPDE
Additional information (property collection of the VMRay analysis): VMRay Analyzer
VTI rule matches

Discovery - VTI score 1/5 - vmray_recon_app_data_by_file
  Possibly does reconnaissance
  Tries to gather information about the application "Skype" by file.

Persistence - VTI score 1/5 - vmray_install_startup_script_by_file
  Installs system startup script or application
  Adds a file to the Windows startup folder "c:\programdata\microsoft\windows\start menu\programs\startup".

User Data Modification - VTI score 4/5 - vmray_modify_user_files
  Modifies content of user files
  Modifies the content of multiple user files. This is an indicator of an encryption attempt.

User Data Modification - VTI score 4/5 - vmray_delete_user_files
  Deletes user files
  Deletes multiple user files. This is an indicator of ransomware or wiper malware.

System Modification - VTI score 1/5 - vmray_create_many_files
  Creates an unusually large number of files
  Creates an above-average number of files.

Antivirus - VTI score 5/5 - vmray_av_malicious_match
  Malicious content was detected by heuristic scan
  Local AV detected the sample itself as "Generic.Ransom.CloudSword.05CC35B1".

Antivirus - VTI score 5/5 - vmray_av_malicious_match
  Malicious content was detected by heuristic scan
  Local AV detected a memory dump of process "iibj7c5gir0xgukk.exe" as "Generic.Ransom.CloudSword.387B4D82".

Crash - VTI score 1/5 - vmray_crashed_process
  Process crashed
  Process "c:\users\fd1hvy\desktop\iibj7c5gir0xgukk.exe" crashed.

Network Connection - VTI score 2/5 - vmray_install_tcp_server
  Sets up a server that accepts incoming connections
  TCP server listens on port "49683".