UNNAM3D Ransomware | VMRay Analyzer Report
Logo
Try VMRay Analyzer
VTI SCORE: 94/100
Dynamic Analysis Report
Classification: Ransomware, Wiper, Dropper

gblyrzexggw.exe

Windows Exe (x86-32)

Created at 2019-04-02T12:03:00

...

Remarks (2/2)

(0x200000e): The overall sleep time of all monitored processes was truncated from "31 minutes, 2 seconds" to "40 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

VMRay Threat Indicators (16 rules, 21 matches)

Severity Category Operation Classification
4/5
File System Modifies content of user files Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
File System Deletes user files Wiper
  • Deletes multiple user files. This is an indicator for ransomware or wiper malware.
    ...
3/5
Anti Analysis Tries to evade debugger -
3/5
OS Creates new desktop -
2/5
Anti Analysis Tries to detect debugger -
2/5
Anti Analysis Tries to detect virtual machine -
  • Reads out system information, commonly used to detect "VirtualBox" via registry. (Key is "HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__").
    ...
  • Possibly trying to detect VM via rdtsc.
    ...
    • VTI Actions
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection -
2/5
Anti Analysis Delays execution -
1/5
Persistence Installs system startup script or application -
  • Adds "C:\Users\WhuOXYsD\AppData\Local\Temp\UNNAM3D.EXE" to Windows startup via registry.
    ...
1/5
Process Creates process with hidden window -
  • The process "cmd.exe" starts with hidden window.
    ...
1/5
Process Creates system object -
1/5
Masquerade Changes folder appearance -
  • Folder "c:\users\whuoxysd\desktop" has a changed appearance.
    ...
  • Folder "c:\users\whuoxysd\pictures" has a changed appearance.
    ...
  • Folder "c:\users\whuoxysd\documents" has a changed appearance.
    ...
1/5
Process Overwrites code -
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\WhuOXYsD\Desktop\gblyrzexggw.exe.
    ...
1/5
PE Drops PE file Dropper
1/5
PE Executes dropped PE file Dropper

Screenshots

Monitored Processes

Process Graph

Process Graph Legend

Sample Information

ID #3663148
MD5 6ed8c24732529fccf847927c68fc0174 Copy to Clipboard
SHA1 c7155a3d2dd0ff0ff2f746b79998a5aabe79735f Copy to Clipboard
SHA256 567bdc9330d3ff2dfc138fa9f284ebb17a83a5ec0305d846474d7b30cbc36247 Copy to Clipboard
SSDeep 196608:BWvq6ulMDaZkjYTGa44XFcxzkOGXDjD/E:IvXKDk8Sa44XFcxz3GXg Copy to Clipboard
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744 Copy to Clipboard
Filename gblyrzexggw.exe
File Size 7.71 MB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-04-02 14:03 (UTC+2)
Analysis Duration 00:05:25
Number of Monitored Processes 9
Execution Successful True
Reputation Enabled False
WHOIS Enabled False
YARA Enabled True
Number of YARA Matches 0
Termination Reason Timeout
Tags
#ransomware
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image