1e751530...58d7 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Threat Names:
Gen:Heur.Ransom.MSIL.1
Trojan.GenericKD.33668805
Mal/Generic-S
Files
Sample File: C:\Users\FD1HVy\Desktop\Creepy Ransomware.exe (Binary, Severity: Malicious)
Mime Type application/vnd.microsoft.portable-executable
File Size 71.00 KB
MD5 4ee61d7f7480583c3552296597b1f160
SHA1 13aee3c6a19022d0fbd0c5f3d768f4db848a10d4
SHA256 1e751530eccc5c6424c1e5611d2b17b2fe3e8879ef01395aa9809ef6472b58d7
SSDeep 1536:sq9dtmb8FK9leDN5qAiIAUWTy+UCKmnYJp47+A9NWCWBXz:s2dtm6KHeDN5qAiIVWWHtmYJp47+A9N8
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Severity Blacklisted
PE Information
Image Base 0x400000
Entry Point 0x41305a
Size Of Code 0x11200
Size Of Initialized Data 0x800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-04-10 18:32:58+00:00
Version Information (11)
Assembly Version 1.0.0.0
Comments -
CompanyName -
FileDescription Creepy Ransomware
FileVersion 1.0.0.0
InternalName Creepy Ransomware.exe
LegalCopyright Copyright © 2020
LegalTrademarks -
OriginalFilename Creepy Ransomware.exe
ProductName Creepy Ransomware
ProductVersion 1.0.0.0
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x402000 | 0x11060 | 0x11200 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.09
.rsrc | 0x414000 | 0x5b0 | 0x600 | 0x11400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.34
.reloc | 0x416000 | 0xc | 0x200 | 0x11a00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
_CorExeMain | 0x0 | 0x402000 | 0x13028 | 0x11228 | 0x0
Memory Dumps (4)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA
creepy ransomware.exe | 1 | 0x00E70000 | 0x00E87FFF | Relevant Image | True | 64-bit | - | False | False
buffer | 1 | 0x7FFC6A04E000 | 0x7FFC6A04EFFF | First Execution | False | 64-bit | 0x7FFC6A04E040 | False | False
buffer | 1 | 0x7FFC6A04E000 | 0x7FFC6A04EFFF | Content Changed | False | 64-bit | 0x7FFC6A04E740 | False | False
creepy ransomware.exe | 1 | 0x00E70000 | 0x00E87FFF | Final Dump | True | 64-bit | - | False | False
Local AV Matches (1)
Threat Name | Severity
Gen:Heur.Ransom.MSIL.1 | Malicious
Dropped File: C:\Users\FD1HVy\AppData\Roaming\guard.exe (Binary, Severity: Malicious)
Mime Type application/vnd.microsoft.portable-executable
File Size 13.00 KB
MD5 bcf68fc7b257c2d255dc2d398884d0cd
SHA1 970df639d3d4b32123e461b66fd3b46d033270bc
SHA256 7a29cd4e548323a74f28854ce4115dabb874334025abac084fed50f7902d54b3
SSDeep 192:KFaQ090n4k/hX0hK8Q5fbFPcQInE5YrY/gi45OCE53x7jIrfmOG:6alTk+hKV5zFpIE5h/gv5OpLjqft
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Severity Blacklisted
Names Mal/Generic-S
PE Information
Image Base 0x400000
Entry Point 0x4049de
Size Of Code 0x2a00
Size Of Initialized Data 0x800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2092-03-20 01:09:17+00:00
Version Information (11)
Assembly Version 1.0.0.0
Comments -
CompanyName -
FileDescription speachruntime
FileVersion 1.0.0.0
InternalName speachruntime.exe
LegalCopyright Copyright © 2020
LegalTrademarks -
OriginalFilename speachruntime.exe
ProductName speachruntime
ProductVersion 1.0.0.0
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x402000 | 0x29e4 | 0x2a00 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.52
.rsrc | 0x406000 | 0x5cc | 0x600 | 0x2c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.1
.reloc | 0x408000 | 0xc | 0x200 | 0x3200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.08
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
_CorExeMain | 0x0 | 0x402000 | 0x49b2 | 0x2bb2 | 0x0
Memory Dumps (2)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA
guard.exe | 5 | 0x23141460000 | 0x23141469FFF | Relevant Image | True | 64-bit | - | False | False
buffer | 5 | 0x7FFC6A05E000 | 0x7FFC6A05EFFF | First Execution | False | 64-bit | 0x7FFC6A05E040 | False | False
Local AV Matches (1)
Threat Name | Severity
Trojan.GenericKD.33668805 | Malicious
Function Logfile
This feature requires an online connection to the VMRay backend. An offline version with limited functionality is also provided; it is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.