77c392b6...5390

VMRay Threat Indicators (16 rules, 19 matches)

Severity	Category	Operation	Count	Classification
5/5	Local AV	Malicious content was detected by heuristic scan	1	-
Local AV detected the sample itself as "Gen:Variant.Ransom.Koje.1". ... VTI Actions Go to AV match Go to file details
5/5	Reputation	Known malicious file	1	Trojan
File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\w.exe" is a known malicious file. ... VTI Actions Go to file details
4/5	File System	Deletes user files	1	Wiper
Deletes multiple user files. This is an indicator for ransomware or wiper malware. ... VTI Actions Go to Behavior
4/5	File System	Modifies content of user files	1	Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	Information Stealing	Exhibits Spyware behavior	1	Spyware
Tries to read sensitive data of: Windows Mail, Google Chrome, Internet Explorer / Edge. ... VTI Actions
3/5	Anti Analysis	Tries to detect application sandbox	1	-
Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_version". ... VTI Actions Go to Behavior
3/5	Process	Creates an unusually large number of processes	1	-
Above average number of processes were monitored. ... VTI Actions Go to Behavior
3/5	File System	Possibly drops ransom note files	1	Ransomware
Possibly drops ransom note files (creates 33 instances of the file "README.html" in different locations). ... VTI Actions Go to file details
2/5	Information Stealing	Reads sensitive browser data	2	-
Trying to read sensitive data of web browser "Google Chrome" by file. ... VTI Actions
Trying to read sensitive data of web browser "Internet Explorer / Edge" by file. ... VTI Actions
2/5	Information Stealing	Reads sensitive mail data	1	-
Trying to read sensitive data of mail application "Windows Mail" by file. ... VTI Actions
2/5	Network	Attempts to connect to unavailable TCP servers	1	-
Every TCP connection attempt failed. ... VTI Actions Go to Behavior
1/5	Process	Creates process with hidden window	1	-
The process "C:\Windows\system32\cmd.exe" starts with hidden window. ... VTI Actions Go to Behavior
1/5	Information Stealing	Possibly does reconnaissance	1	-
Possibly trying to gather information about application "Mozilla Firefox" by file. ... VTI Actions
1/5	Persistence	Installs system startup script or application	2	-
Adds "c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\startup" to Windows startup folder. ... VTI Actions
Adds "c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini" to Windows startup folder. ... VTI Actions
1/5	File System	Creates an unusually large number of files	1	-
Creates an unusually large number of files. ... VTI Actions Go to file details
1/5	Network	Connects to remote host	2	-
Incoming TCP connection from host "193.56.28.231:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "193.56.28.231:80". ... VTI Actions Go to Behavior

Screenshots

Monitored Processes

Sample Information

ID	#92215
MD5	13d6a2b3c0ede884a6630da857159899
SHA1	002ba83cc1dfa9d686410ad4e806269e06b22f2b
SHA256	77c392b691374adaf0f5b3c0cdc407d4a76b2154cdda81ed3516670c18ba5390
SSDeep	24576:kyTaGGJ2Eqligs8nVULPlJCJRiSkYJCVx0NjyrOCR4sFKcsUzWwQ4P3SGeYGVsRR:VaGGJSl3VadJC+Fy9uAN02UlCqPfg
ImpHash	96c44fa1eee2c4e9b9e77d7bf42d59e6
Filename	w.exe
File Size	3.12 MB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-06-28 17:19 (UTC+2)
Analysis Duration	00:04:27
Number of Monitored Processes	81
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	1
Number of YARA Matches	0
Termination Reason	Timeout
Tags

Remarks (1/1)

VMRay Threat Indicators (16 rules, 19 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After