XZZX Cryptomix Ransomware Variant

Analysis Information

Creation Time	2017-11-14 20:01 (UTC+1)
VM Analysis Duration Time	00:04:22
Execution Successful
Sample Filename	xzzx_cryptMix.vir.exe
Command Line Parameters
Prescript
Number of Processes	23
Termination Reason	Timeout
Reputation Enabled
Download	Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON

VTI Information

VTI Score 100 / 100
VTI Database Version	2.6
VTI Rule Match Count	54
VTI Rule Type	Default (PE, ...)

Tags

#cryptomix #ransomware

Remarks

	The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
	The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration.
	The operating system was rebooted during the analysis.
	The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration.

Screenshots

Monitored Processes

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x9c4	Analysis Target	High (Elevated)	xzzx_cryptmix.vir.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe"	-
#2	0xa1c	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C sc stop VVS	#1
#3	0xa28	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C sc stop wscsvc	#1
#4	0xa44	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C sc stop WinDefend	#1
#5	0xa64	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C sc stop wuauserv	#1
#6	0xa78	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C sc stop BITS	#1
#7	0xa94	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C sc stop ERSvc	#1
#8	0xaa8	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C sc stop WerSvc	#1
#9	0xad4	Child Process	High (Elevated)	sc.exe	sc stop wuauserv	#5
#10	0xadc	Child Process	High (Elevated)	sc.exe	sc stop BITS	#6
#11	0xae4	Child Process	High (Elevated)	sc.exe	sc stop wscsvc	#3
#12	0xaec	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet	#1
#13	0xb04	Child Process	High (Elevated)	sc.exe	sc stop VVS	#2
#14	0xb14	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No	#1
#15	0xb28	Child Process	High (Elevated)	sc.exe	sc stop WinDefend	#4
#16	0xb34	Child Process	High (Elevated)	sc.exe	sc stop ERSvc	#7
#17	0xb50	Child Process	High (Elevated)	sc.exe	sc stop WerSvc	#8
#18	0xb68	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures	#1
#19	0xb98	Child Process	High (Elevated)	vssadmin.exe	vssadmin.exe Delete Shadows /All /Quiet	#12
#22	0x544	Autostart	Medium	xzzx_cryptmix.vir.exe	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe"	-
#23	0x54c	Autostart	Medium	bce1010314.exe	"C:\ProgramData\BCE1010314.exe"	-
#24	0x560	Autostart	Medium	bce1010314.exe	"C:\ProgramData\BCE1010314.exe"	-
#25	0x1030	Child Process	Medium	notepad.exe	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_HELP_INSTRUCTION.TXT	#23

Sample Information

ID	#20159
MD5 Hash Value	17f54288695fc46d11078ea493eb6626
SHA1 Hash Value	548058b2233b75cdfd964c1d7be5d2b80818131a
SHA256 Hash Value	33a60a16e50b8df2a731023951475ff0f973fc66334d2cfa6ce30aa36bb36414
Filename	xzzx_cryptMix.vir.exe
File Size	218.00 KB (223232 bytes)
File Type	Windows Exe (x86-32)

Analyzer and Virtual Machine Information

Analyzer Version	2.2.0
Analyzer Build Date	2017-10-17 16:08
Internet Explorer Version	8.0.7601.17514
Chrome Version	58.0.3029.110
Firefox Version	25.0
Flash Version	11.2.202.233
Java Version	7.0.450
VM Name	win7_64_sp1
VM Architecture	x86 64-bit
VM OS	Windows 7
VM Kernel Version	6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)