e98aa03c...269a

VTI SCORE: 94/100

Dynamic Analysis Report

Classification: Trojan, Wiper, Ransomware

e98aa03c2cd88baf04e00079197c64b4bde922101a5407f306245cdff5b4269a (SHA256)

Tron.exe

Windows Exe (x86-32)

Created at 2018-11-17 23:01:00

Notifications (2/2)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

Severity	Category	Operation	Classification
4/5	File System	Modifies content of user files	Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to function call
4/5	File System	Deletes user files	Wiper
Deletes multiple user files. This is an indicator for ransomware or wiper malware. ... VTI Actions Go to function call
3/5	Persistence	Adds file to open the next time Excel is launched	-
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\xlstart\hack.txt" to a default Excel XLStart folder ... VTI Actions
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\xlstart\hack.png" to a default Excel XLStart folder ... VTI Actions
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\xlstart\hack.vbs" to a default Excel XLStart folder ... VTI Actions
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\xlstart\uniquekeyfor5p5nrgjn0js halpmcxz.horsuke.information" to a default Excel XLStart folder ... VTI Actions
3/5	OS	Modifies certificate store	-
Adds a certificate to the local "my" certificate list by file. ... VTI Actions
Adds a certificate to the local "my" revocation list by file. ... VTI Actions
Adds a certificate to the local "my" certificate trust list by file. ... VTI Actions
Adds a certificate to the local "my" hack.png list by file. ... VTI Actions
Adds a certificate to the local "hack.png" by file. ... VTI Actions
3/5	Persistence	Adds file to open the next time Word is launched	-
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\startup\hack.txt" to a default Word Startup folder ... VTI Actions
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\startup\hack.png" to a default Word Startup folder ... VTI Actions
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\startup\hack.vbs" to a default Word Startup folder ... VTI Actions
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\startup\uniquekeyfor5p5nrgjn0js halpmcxz.horsuke.information" to a default Word Startup folder ... VTI Actions
2/5	File System	Known suspicious file	Trojan
File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Tron.exe" is a known suspicious file. ... VTI Actions Go to file details
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to file details Go to function call
1/5	Static	Unparsable sections in file	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Tron.exe. ... VTI Actions Go to file details

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (2/2)

Before

After