3e4f8a15...7f8a

VMRay Threat Indicators (16 rules, 19 matches)

Severity	Category	Operation	Classification
5/5	Local AV	Malicious content was detected by heuristic scan	-
Local AV match on Memory Dump File for "osk.exe". ... VTI Actions Go to AV match Go to file details
Local AV match on Memory Dump File for "singleupdate.exe". ... VTI Actions Go to AV match Go to file details
4/5	File System	Renames user files	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	OS	Modifies Windows automatic backups	-
Deletes Windows volume shadow copies. ... VTI Actions Go to process
3/5	File System	Possibly drops ransom note files	Ransomware
Possibly drops ransom note files (creates 30 instances of the file "HOW TO RECOVER ENCRYPTED FILES.TXT" in different locations). ... VTI Actions Go to file details
2/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Behavior
2/5	Device	Sends control codes to connected devices	-
Controls device "System Paging File" through API DeviceIOControl. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Tries to detect debugger	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to Behavior
2/5	Anti Analysis	Tries to detect virtual machine	-
Possibly trying to detect VM via rdtsc. ... VTI Actions
2/5	File System	Known suspicious file	Trojan
File "C:\Users\FD1HVy\Desktop\singleupdate.exe" is a known suspicious file. ... VTI Actions Go to file details Go to Behavior
1/5	Process	Creates process with hidden window	-
The process "C:\WINDOWS\system32\cmd.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "mshta.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "cmd.exe" starts with hidden window. ... VTI Actions Go to Behavior
1/5	Device	Monitors keyboard input	Keylogger
Frequently reads the state of a keyboard key by API. ... VTI Actions Go to Behavior
1/5	Process	Creates system object	-
Creates mutex with name "shwlwook". ... VTI Actions Go to Behavior
1/5	Persistence	Installs system startup script or application	-
Adds "C:\Users\FD1HVy\AppData\Roaming\osk.exe" to Windows startup via registry. ... VTI Actions Go to Behavior
1/5	Hide Tracks	Writes an unusually large amount of data to the registry	-
Hides 1100 byte in "HKEY_CURRENT_USER\Software\shwlwook\temp". ... VTI Actions Go to Behavior
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to file details
0/5	Process	Enumerates running processes	-
Enumerates running processes. ... VTI Actions Go to Behavior

Screenshots

Monitored Processes

Sample Information

ID	#592967
MD5	545c7d2d0c5b7686dd4a2012399148a9
SHA1	a481c02f8cb988279431aae959b2cbc2638443cb
SHA256	3e4f8a1598f9dd834766d5184c3347947a201ff9a559fa275f048b14267d7f8a
SSDeep	12288:S9CZOU8dEgeDiSrnR32F8RB1laLv6GcxJ5Wj/o9ZPlThRqdbMSz+NHH+gD1axZF8:jZOU8dEgeDDrnR3losxyU9ZNThSwNHHr
ImpHash	7b0897ba013cd1473311ad371e7e3ad9
Filename	singleupdate.exe
File Size	746.00 KB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-04-12 11:14 (UTC+2)
Analysis Duration	00:05:48
Number of Monitored Processes	15
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	6
Number of YARA Matches	0
Termination Reason	Timeout
Tags

Remarks (1/1)

VMRay Threat Indicators (16 rules, 19 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After