f94814ac...df0c

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Ransomware, Trojan, Worm

mdsqvy.exe

Windows Exe (x86-32)

Created at 2019-05-29T00:51:00

Remarks (1/1)

Auto Reboot Triggered (0x2000007): The operating system was rebooted during the analysis because the sample modified the master boot record (MBR).

VMRay Threat Indicators (10 rules, 12 matches)

Severity	Category	Operation	Count	Classification
5/5	Local AV	Malicious content was detected by heuristic scan	2	-
Local AV detected the sample itself as "Generic.Ransom.Outsider.BB2D3DDE". ... VTI Actions Go to AV match Go to file details
Local AV detected a memory dump of process "mdsqvy.exe" as "DeepScan:Generic.Ransom.Outsider.210E5BAD". ... VTI Actions Go to AV match Go to process Go to file details
5/5	Device	Writes to Master Boot Record (MBR)	1	-
Writes 512 bytes to master boot record (MBR). ... VTI Actions Go to MBR modification
5/5	Reputation	Known malicious file	1	Trojan
File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\mdsqvy.exe" is a known malicious file. ... VTI Actions Go to file details
5/5	YARA	YARA match	2	Worm
Rule "OlympicDestroyer_Gen1" from ruleset "Malware" has matched on the sample itself. ... VTI Actions Go to YARA match Go to file details
Rule "OlympicDestroyer_Gen1" from ruleset "Malware" has matched on a memory dump for process "mdsqvy.exe". ... VTI Actions Go to YARA match Go to process Go to file details
4/5	File System	Modifies content of user files	1	Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	File System	Renames user files	1	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	OS	Modifies Windows automatic backups	1	-
Deletes Windows volume shadow copies. ... VTI Actions Go to process
3/5	File System	Possibly drops ransom note files	1	Ransomware
Possibly drops ransom note files (creates 27 instances of the file "# DECRYPT MY FILES #.txt" in different locations). ... VTI Actions Go to file details
3/5	Kernel	Executes code with kernel privileges	1	-
Executes code with kernel privileges to perform system level actions. This can sometimes be used to perform malicious actions and to avoid detection. ... VTI Actions Go to kernel tab
1/5	File System	Creates an unusually large number of files	1	-
Creates an unusually large number of files. ... VTI Actions Go to file details

Screenshots

Monitored Processes

Sample Information

ID	#665760
MD5	be2d892667464c9f34d4f3dddf7f0165
SHA1	dd9aac5c4d7dbcd6650dbd38291f72144a8cb486
SHA256	f94814acaa06d4c006bf5f5f5c2f18ccc02e6859a927b6f4250f4c5b0985df0c
SSDeep	384:eD6vLQRz85r118AVuKTOm3Hr/T74mxIOgJqk9Vh+QKgV/t35Tcmp:eDULQ9arPzsm3Hr/T74IIr9bV/t35Tp
ImpHash	562209bc194bb4050e946ee2d381e792
Filename	mdsqvy.exe
File Size	19.00 KB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-05-29 02:51 (UTC+2)
Analysis Duration	00:04:42
Number of Monitored Processes	5
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	2
Number of YARA Matches	2
Termination Reason	Timeout
Tags

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".