e8a091a8...c684

VMRay Threat Indicators (16 rules, 45 matches)

Severity	Category	Operation	Count	Classification
5/5	File System	Encrypts content of user files	1	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Behavior
3/5	Hide Tracks	Hides data in extended file attributes	1	-
Sets extended file attributes for "c:\programdata\foo.db" to possibly hide the file. ... VTI Actions Go to Behavior
3/5	File System	Possibly drops ransom note files	1	Ransomware
Possibly drops ransom note files (creates 81 instances of the file "DECRYPT-FILES.html" in different locations). ... VTI Actions Go to file details
3/5	YARA	YARA match	1	-
Rule "Shellcode_Find_kernel32_PEB" from ruleset "Generic" has matched on a memory dump for process "zprxqb.exe". ... VTI Actions Go to YARA match Go to process Go to file details
2/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	1	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Tries to detect debugger	1	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive browser data	2	-
Trying to read sensitive data of web browser "Internet Explorer / Edge" by file. ... VTI Actions Go to Behavior
Trying to read sensitive data of web browser "Google Chrome" by file. ... VTI Actions Go to Behavior
2/5	Local AV	Suspicious content was detected by heuristic scan	1	-
Local AV detected the sample itself as "Gen:Variant.Adware.Kazy.734873". ... VTI Actions Go to AV match Go to file details
2/5	Reputation	Known suspicious file	1	Trojan
File "C:\Users\FD1HVy\Desktop\zprxqb.exe" is a known suspicious file. ... VTI Actions Go to file details
1/5	Process	Creates system object	1	-
Creates mutex with name "621c08e0b4197730". ... VTI Actions Go to Behavior
1/5	Persistence	Installs system startup script or application	2	-
Adds "c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\startup\55qv7r.dat" to Windows startup folder. ... VTI Actions Go to Behavior
Adds "c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\startup\decrypt-files.html" to Windows startup folder. ... VTI Actions Go to Behavior
1/5	File System	Creates an unusually large number of files	1	-
Creates an unusually large number of files. ... VTI Actions Go to file details
1/5	Process	Overwrites code	1	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to Hook Information
1/5	Network	Connects to remote host	14	-
Outgoing TCP connection to host "92.63.15.8:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.194.20:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.17.245:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.32.57:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.32.55:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.15.56:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.29.137:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.15.6:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.11.151:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.32.2:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.8.47:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.194.3:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.37.100:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "92.63.32.52:80". ... VTI Actions Go to Behavior
1/5	Network	Connects to HTTP server	15	-
URL "92.63.8.47/login/support/t.phtml?ippg=2p788r6". ... VTI Actions Go to Behavior
URL "92.63.32.2/signin/pcusfvhm.jspx?vgsg=7td&vddb=t2l&qq=kf37io0&ooc=jl7k2j1". ... VTI Actions Go to Behavior
URL "92.63.37.100/ticket/cr.jspx". ... VTI Actions Go to Behavior
URL "92.63.194.20/k.php". ... VTI Actions Go to Behavior
URL "92.63.17.245/view/private/ppvfydjfvy.phtml?gs=3d5". ... VTI Actions Go to Behavior
URL "92.63.32.55/tracker/payout/lwppltkxn.html?t=0555fp&vhk=4i2p&pdb=vd4&nhnl=ls352b55k0". ... VTI Actions Go to Behavior
URL "92.63.11.151/register/webaccess/oejixl.phtml?lb=6&b=gs6d". ... VTI Actions Go to Behavior
URL "92.63.15.8/login/yhinenlh.do?rth=3". ... VTI Actions Go to Behavior
URL "92.63.29.137/webauth/r.asp?dxx=mu77". ... VTI Actions Go to Behavior
URL "92.63.32.57/fk.jspx?owr=2u". ... VTI Actions Go to Behavior
URL "92.63.15.56/forum/login/m.shtml?vl=t&e=1u7&n=80f51nx8a". ... VTI Actions Go to Behavior
URL "92.63.11.151/checkout/logout/dffbho.html". ... VTI Actions Go to Behavior
URL "92.63.32.52/tracker/signin/tskwoecacc.jsp". ... VTI Actions Go to Behavior
URL "92.63.15.6/tracker/mpayf.aspx". ... VTI Actions Go to Behavior
URL "92.63.194.3/archive/forum/xsc.cgi?qqhx=sg5x6bg3e&ue=ib8&h=p". ... VTI Actions Go to Behavior
0/5	Process	Enumerates running processes	1	-
Enumerates running processes. ... VTI Actions Go to Behavior

Screenshots

Monitored Processes

Sample Information

ID	#666586
MD5	f83fb9ce6a83da58b20685c1d7e1e546
SHA1	01c459b549c1c2a68208d38d4ba5e36d29212a4f
SHA256	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
SSDeep	12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
ImpHash	1f97faaf5d0b752f37d1b1b225d14964
Filename	zprxqb.exe
File Size	473.00 KB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-05-29 18:19 (UTC+2)
Analysis Duration	00:04:40
Number of Monitored Processes	1
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	1
Number of YARA Matches	1
Termination Reason	Maximum binlog size reached
Tags

VMRay Threat Indicators (16 rules, 45 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After