f5e98f53...1485 | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Downloader, Ransomware

f5e98f5380e46cbae5d8019cf61db164213b5b63b0c056adae445eea08551485 (SHA256)

11111.exe

Windows Exe (x86-32)

Created at 2019-02-22 08:26:00

...

Notifications (2/2)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

Severity Category Operation Classification
5/5
File System Encrypts content of user files Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
    ...
3/5
Persistence Adds file to open the next time Excel is launched -
  • Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\xlstart\jdxyuwelwx-decrypt.txt" to a default Excel XLStart folder
    ...
  • Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\excel\xlstart\9c354ca49c354b4621e.lock" to a default Excel XLStart folder
    ...
3/5
OS Modifies certificate store -
  • Adds a certificate to the local "my" jdxyuwelwx-decrypt.txt list by file.
    ...
  • Adds a certificate to the local "my" certificate trust list by file.
    ...
3/5
Persistence Adds file to open the next time Word is launched -
  • Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\startup\jdxyuwelwx-decrypt.txt" to a default Word Startup folder
    ...
  • Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\word\startup\9c354ca49c354b4621e.lock" to a default Word Startup folder
    ...
3/5
Browser Reads data related to browser cookies -
3/5
Browser Reads data related to saved browser credentials -
2/5
Anti Analysis Tries to detect virtual machine -
  • Reads out system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").
    ...
2/5
Browser Reads data related to browsing history -
  • Reads browsing history and related data, such as bookmarks, for "Mozilla Firefox".
    ...
2/5
File System Known suspicious file Trojan
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\11111.exe" is a known suspicious file.
    ...
2/5
Injection Writes into the memory of a process running from a created or modified executable -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\11111.exe" modifies memory of "c:\users\5p5nrgjn0js halpmcxz\desktop\11111.exe"
    ...
2/5
Injection Modifies control flow of a process running from a created or modified executable -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\11111.exe" alters context of "c:\users\5p5nrgjn0js halpmcxz\desktop\11111.exe"
    ...
2/5
Network Associated with known malicious/suspicious URLs -
1/5
Anti Analysis Resolves APIs dynamically -
1/5
Process Creates process with hidden window -
  • The process "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\11111.exe" starts with hidden window.
    ...
  • The process "C:\Windows\system32\wbem\wmic.exe" starts with hidden window.
    ...
1/5
Process Reads from memory of another process -
  • "c:\users\5p5nrgjn0js halpmcxz\desktop\11111.exe" reads from "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\11111.exe".
    ...
1/5
Process Creates a page with write and execute permissions -
  • Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
    ...
1/5
Process Creates system object -
1/5
Hide Tracks Writes an unually large amount of data to the registry -
  • Hides 1688 byte in "HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data\private".
    ...
1/5
File System Modifies application directory -
  • Modifies "c:\program files\microsoft sql server compact edition\jdxyuwelwx-decrypt.txt".
    ...
  • Modifies "c:\program files\microsoft sql server compact edition\v3.5\jdxyuwelwx-decrypt.txt".
    ...
  • Modifies "c:\program files\microsoft sql server compact edition\v3.5\desktop\jdxyuwelwx-decrypt.txt".
    ...
1/5
File System Creates an unusually large number of files -
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\11111.exe.
    ...
1/5
Network Downloads data Downloader
1/5
Network Connects to HTTP server -
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image