Globeimposter Ransomware Delivered via Necurs Botnet | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-12-05 16:56 (UTC+1) |
| VM Analysis Duration Time | 00:05:24 |
| Execution Successful |
|
| Sample Filename | MSC000000981631.vbs |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 14 |
| Termination Reason | Timeout |
| Reputation Enabled |
|
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 40 |
| VTI Rule Type | Scripts |
|
The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration. |
|
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
|
|
The operating system was rebooted during the analysis. |
|
|
The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0xe98 | Analysis Target | High (Elevated) | cscript.exe | "C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS" | - |
| #3 | 0xf8c | Child Process | High (Elevated) | cmd.exe | "C:\Windows\System32\cmd.exe" /c call "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe" | #1 |
| #5 | 0xfac | Child Process | High (Elevated) | vworbzlbc.exe | "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe" | #3 |
| #6 | 0xfe0 | Child Process | High (Elevated) | vworbzlbc.exe | "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe" | #5 |
| #7 | 0xff4 | Child Process | High (Elevated) | taskkill.exe | taskkill /F /T /PID 2784 | #6 |
| #11 | 0xd40 | Autostart | Medium | vworbzlbc.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe" | - |
| #12 | 0xd94 | Child Process | Medium | vworbzlbc.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe" | #11 |
| #13 | 0xe40 | Child Process | Medium | cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat | #12 |
| #15 | 0xe68 | Child Process | Medium | cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe > nul | #12 |
| #16 | 0xe74 | Child Process | Medium | vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet | #13 |
| #17 | 0xe8c | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f | #13 |
| #18 | 0xe98 | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f | #13 |
| #19 | 0xea4 | Child Process | Medium | reg.exe | reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" | #13 |
| #20 | 0xeb0 | Child Process | Medium | attrib.exe | attrib Default.rdp -s -h | #13 |
| ID | #20392 |
| MD5 Hash Value | 22f0830e8954547036afb0df08283b18 |
| SHA1 Hash Value | d18a0df0bd2393221f0bbd17e48d6c4ac1ea28f6 |
| SHA256 Hash Value | 7a18bffd01eeab08a3f88d35ba5d09106690ea62d01e43d950b6b842ab6c4e76 |
| Filename | MSC000000981631.vbs |
| File Size | 4.71 KB (4818 bytes) |
| File Type | VBScript |
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2017-12-05 14:47 |
| Internet Explorer Version | 11.0.10240.16384 |
| Chrome Version | 58.0.3029.110 |
| Firefox Version | 53.0.3 |
| Flash Version | 25.0.0.148 |
| Java Version | 8.0.1310.11 |
| VM Name | win10_64 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 10 Threshold 1 |
| VM Kernel Version | 10.0.10240.16384 (c68ee22f-dcf6-4778-95c5-4a862be16567) |
