XZZX Cryptomix Ransomware Variant | VMRay Analyzer Report
Analysis Information
Creation Time 2017-11-14 20:01 (UTC+1)
VM Analysis Duration Time 00:04:22
Execution Successful True
Sample Filename xzzx_cryptMix.vir.exe
Command Line Parameters False
Prescript False
Number of Processes 23
Termination Reason Timeout
Reputation Enabled True
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 54
VTI Rule Type Default (PE, ...)
Tags
#cryptomix #ransomware
Remarks
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The dump total size limit was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The operating system was rebooted during the analysis.
Critical The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration.
Monitored Processes
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x9c4 Analysis Target High (Elevated) xzzx_cryptmix.vir.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe" -
#2 0xa1c Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C sc stop VVS #1
#3 0xa28 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C sc stop wscsvc #1
#4 0xa44 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C sc stop WinDefend #1
#5 0xa64 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C sc stop wuauserv #1
#6 0xa78 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C sc stop BITS #1
#7 0xa94 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C sc stop ERSvc #1
#8 0xaa8 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C sc stop WerSvc #1
#9 0xad4 Child Process High (Elevated) sc.exe sc stop wuauserv #5
#10 0xadc Child Process High (Elevated) sc.exe sc stop BITS #6
#11 0xae4 Child Process High (Elevated) sc.exe sc stop wscsvc #3
#12 0xaec Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet #1
#13 0xb04 Child Process High (Elevated) sc.exe sc stop VVS #2
#14 0xb14 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No #1
#15 0xb28 Child Process High (Elevated) sc.exe sc stop WinDefend #4
#16 0xb34 Child Process High (Elevated) sc.exe sc stop ERSvc #7
#17 0xb50 Child Process High (Elevated) sc.exe sc stop WerSvc #8
#18 0xb68 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures #1
#19 0xb98 Child Process High (Elevated) vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet #12
#22 0x544 Autostart Medium xzzx_cryptmix.vir.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe" -
#23 0x54c Autostart Medium bce1010314.exe "C:\ProgramData\BCE1010314.exe" -
#24 0x560 Autostart Medium bce1010314.exe "C:\ProgramData\BCE1010314.exe" -
#25 0x1030 Child Process Medium notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_HELP_INSTRUCTION.TXT #23
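The process table above is the whole recovery-inhibition chain in one place: the elevated sample spawns cmd.exe wrappers that stop the VSS, Security Center, Defender, Windows Update, BITS and error-reporting services, deletes every shadow copy with vssadmin, switches off Windows recovery with bcdedit, then a copy dropped to C:\ProgramData is started from autostart and opens the ransom note in Notepad. The following is an added example, not part of the VMRay report: Python detection logic run over process-creation records transcribed from the table (the tuple layout, the rule names and the two-rule threshold are assumptions; the command lines are the ones recorded above). It attributes each hit to the root of the process tree so that the sc.exe and vssadmin.exe grandchildren count against the sample rather than against the cmd.exe wrappers.

```python
import re
from collections import defaultdict

# Constructed input: (process ID, origin ID, command line), transcribed from the
# Monitored Processes table of this report. Origin "-" means no monitored parent.
# Real telemetry (Sysmon event 1, Windows 4688) carries the same three fields.
EVENTS = [
    ("#1",  "-",   r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe"'),
    ("#2",  "#1",  r'"C:\Windows\System32\cmd.exe" /C sc stop VVS'),
    ("#3",  "#1",  r'"C:\Windows\System32\cmd.exe" /C sc stop wscsvc'),
    ("#4",  "#1",  r'"C:\Windows\System32\cmd.exe" /C sc stop WinDefend'),
    ("#5",  "#1",  r'"C:\Windows\System32\cmd.exe" /C sc stop wuauserv'),
    ("#6",  "#1",  r'"C:\Windows\System32\cmd.exe" /C sc stop BITS'),
    ("#9",  "#5",  r'sc stop wuauserv'),
    ("#11", "#3",  r'sc stop wscsvc'),
    ("#12", "#1",  r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("#14", "#1",  r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No'),
    ("#18", "#1",  r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ("#19", "#12", r'vssadmin.exe Delete Shadows /All /Quiet'),
    ("#23", "-",   r'"C:\ProgramData\BCE1010314.exe"'),
    ("#25", "#23", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_HELP_INSTRUCTION.TXT'),
]

# Rule names are assumptions; each pattern targets one command line family from the table.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "boot_recovery_tamper": re.compile(
        r"\bbcdedit\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    # "VVS" is kept next to "VSS" because that is literally what the sample ran.
    "security_service_stop": re.compile(
        r"\bsc(?:\.exe)?\s+stop\s+(?:vss|vvs|wscsvc|windefend|wuauserv|bits|ersvc|wersvc)\b", re.I),
    "ransom_note_display": re.compile(
        r"notepad\.exe\b.*_HELP_INSTRUCTION\.TXT", re.I),
}


def classify(cmdline):
    """Return the names of every rule the command line trips."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def root_of(pid, parents):
    """Walk origin links up to the top-most monitored process."""
    while parents.get(pid, "-") != "-":
        pid = parents[pid]
    return pid


def attribute_hits(events):
    """Map each root process to the distinct rules tripped anywhere in its subtree."""
    parents = {pid: origin for pid, origin, _ in events}
    hits = defaultdict(set)
    for pid, _, cmdline in events:
        tripped = classify(cmdline)
        if tripped:
            hits[root_of(pid, parents)].update(tripped)
    return {root: sorted(rules) for root, rules in hits.items()}


def ransomware_verdict(events, threshold=2):
    """Roots whose subtree trips at least `threshold` distinct rules.

    A lone `sc stop wuauserv` from an administrator is noise; the combination of
    service stops, shadow deletion and recovery tampering from one tree is not.
    """
    return sorted(root for root, rules in attribute_hits(events).items()
                  if len(rules) >= threshold)


if __name__ == "__main__":
    for root, rules in attribute_hits(EVENTS).items():
        print(root, rules)
    print("ransomware roots:", ransomware_verdict(EVENTS))
```

Process #23 only trips the ransom-note rule on its own because the report shows it as an autostart process with no monitored parent; in live telemetry the file write of C:\ProgramData\BCE1010314.exe by #1 would link the two trees and should be correlated the same way.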
Sample Information
ID #20159
MD5 Hash Value 17f54288695fc46d11078ea493eb6626
SHA1 Hash Value 548058b2233b75cdfd964c1d7be5d2b80818131a
SHA256 Hash Value 33a60a16e50b8df2a731023951475ff0f973fc66334d2cfa6ce30aa36bb36414
Filename xzzx_cryptMix.vir.exe
File Size 218.00 KB (223232 bytes)
File Type Windows Exe (x86-32)
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-10-17 16:08
Internet Explorer Version 8.0.7601.17514
Chrome Version 58.0.3029.110
Firefox Version 25.0
Flash Version 11.2.202.233
Java Version 7.0.450
VM Name win7_64_sp1
VM Architecture x86 64-bit
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)