16015c33...65b0 | VMRay Analyzer Report
Logo
Try VMRay Analyzer
VTI SCORE: 98/100
Dynamic Analysis Report
Classification: Wiper, Ransomware, Spyware, Backdoor

e5.exe

Windows Exe (x86-32)

Created at 2019-04-10T10:02:00

...

VMRay Threat Indicators (16 rules, 23 matches)

Severity Category Operation Classification
4/5
File System Deletes user files Wiper
  • Deletes multiple user files. This is an indicator for ransomware or wiper malware.
    ...
4/5
File System Modifies content of user files Ransomware
  • Modifies the content of multiple user files. This is an indicator for an encryption attempt.
    ...
4/5
Information Stealing Exhibits Spyware behavior Spyware
  • Tries to read sensitive data of multiple applications.
    ...
    • VTI Actions
3/5
Anti Analysis Tries to detect application sandbox -
  • Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_version".
    ...
3/5
File System Possibly drops ransom note files Ransomware
  • Possibly drops ransom note files (creates 29 instances of the file "README.html" in different locations).
    ...
2/5
Information Stealing Reads sensitive browser data -
  • Trying to read sensitive data of web browser "Google Chrome" by file.
    ...
    • VTI Actions
  • Trying to read sensitive data of web browser "Internet Explorer / Edge" by file.
    ...
    • VTI Actions
  • Trying to read sensitive data of web browser "Mozilla Firefox" by file.
    ...
    • VTI Actions
2/5
Information Stealing Reads sensitive mail data -
  • Trying to read sensitive data of mail application "Windows Mail" by file.
    ...
    • VTI Actions
2/5
Network Sets up server that accepts incoming connections Backdoor
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection -
1/5
Information Stealing Possibly does reconnaissance -
  • Possibly trying to gather information about application "Mozilla Firefox" by file.
    ...
1/5
Persistence Installs system startup script or application -
  • Adds "c:\programdata\microsoft\windows\start menu\programs\startup" to Windows startup folder.
    ...
    • VTI Actions
  • Adds "c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini" to Windows startup folder.
    ...
    • VTI Actions
  • Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup" to Windows startup folder.
    ...
    • VTI Actions
  • Adds "c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\startup" to Windows startup folder.
    ...
    • VTI Actions
  • Adds "c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini" to Windows startup folder.
    ...
    • VTI Actions
1/5
Process Creates process with hidden window -
  • The process "C:\Windows\system32\cmd.exe" starts with hidden window.
    ...
1/5
File System Creates an unusually large number of files -
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: C:\README.html.
    ...
1/5
Network Connects to remote host -
  • Incoming TCP connection from host "193.56.28.203:80".
    ...
  • Outgoing TCP connection to host "193.56.28.203:80".
    ...
1/5
Network Connects to HTTP server -

Screenshots

Monitored Processes

Process Graph

Process Graph Legend

Sample Information

ID #563714
MD5 3a92b81cf885e960e1449ef9afaa0534 Copy to Clipboard
SHA1 4a44220eef6874036c0413be132bb5a21d71d2ff Copy to Clipboard
SHA256 16015c33b2b39392a2776d1c0e5917d0051483ab0e473679447798e0fc5e65b0 Copy to Clipboard
SSDeep 49152:H9cvAvLnw4SLgt/k8urj2dhBZ2/P44TtxH9iglFPWtW7Tqa+9d61UlMXf3Q7D8kC:HzL2gJbu+dp2/PZXILtk7 Copy to Clipboard
ImpHash 96c44fa1eee2c4e9b9e77d7bf42d59e6 Copy to Clipboard
Filename e5.exe
File Size 5.11 MB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-04-10 12:02 (UTC+2)
Analysis Duration 00:04:43
Number of Monitored Processes 3
Execution Successful True
Reputation Enabled True
WHOIS Enabled True
Local AV Enabled False
YARA Enabled True
Number of YARA Matches 0
Termination Reason Timeout
Tags
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image