XZZX Cryptomix Ransomware Variant | VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 54 |
| VTI Rule Type | Default (PE, ...) |
|
Anti Analysis |
|
|
|
Dynamic API usage
|
|
|
Resolve above average number of APIs.
|
||
|
|
OS |
|
|
|
Disable crucial system service
|
|
|
Stop "Windows Security Center Service" by ControlService.
|
||
|
Stop "Windows Defender Service" by ControlService.
|
||
|
Stop "Windows Update Service" by ControlService.
|
||
|
|
File System |
|
|
|
Encrypt content of user files
|
|
|
Encrypt the content of multiple user files. This is an indicator for ransomware.
|
||
|
|
Delete user files
|
|
|
Delete multiple user files. This is an indicator for wiper malware.
|
||
|
|
Modify application directory
|
|
|
Modify "c:\program files\_help_instruction.txt".
|
||
|
Modify "c:\program files (x86)\_help_instruction.txt".
|
||
|
|
Modify operating system directory
|
|
|
Create file "C:\Windows\_HELP_INSTRUCTION.TXT" in the OS directory.
|
||
|
|
Create many files
|
|
|
Create above average number of files.
|
||
|
|
Hide Tracks |
|
|
|
Use alternate data stream (ADS)
|
|
|
Use alternate data stream in "bce1010314.exe:zone.identifier".
|
||
|
|
Masquerade |
|
|
|
Change folder appearance
|
|
|
Folder "c:\users" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\contacts" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\documents" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\documents\my shapes" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\downloads" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\favorites" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\favorites\links" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\links" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\music" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\pictures" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\saved games" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\searches" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\videos" has a changed appearance.
|
||
|
Folder "c:\users\default\contacts" has a changed appearance.
|
||
|
Folder "c:\users\default\documents" has a changed appearance.
|
||
|
Folder "c:\users\default\downloads" has a changed appearance.
|
||
|
Folder "c:\users\default\favorites" has a changed appearance.
|
||
|
Folder "c:\users\default\favorites\links" has a changed appearance.
|
||
|
Folder "c:\users\default\links" has a changed appearance.
|
||
|
Folder "c:\users\default\music" has a changed appearance.
|
||
|
Folder "c:\users\default\pictures" has a changed appearance.
|
||
|
Folder "c:\users\default\saved games" has a changed appearance.
|
||
|
Folder "c:\users\default\searches" has a changed appearance.
|
||
|
Folder "c:\users\default\videos" has a changed appearance.
|
||
|
Folder "c:\users\public" has a changed appearance.
|
||
|
Folder "c:\users\public\documents" has a changed appearance.
|
||
|
Folder "c:\users\public\downloads" has a changed appearance.
|
||
|
Folder "c:\users\public\libraries" has a changed appearance.
|
||
|
Folder "c:\users\public\music" has a changed appearance.
|
||
|
Folder "c:\users\public\music\sample music" has a changed appearance.
|
||
|
Folder "c:\users\public\pictures" has a changed appearance.
|
||
|
Folder "c:\users\public\pictures\sample pictures" has a changed appearance.
|
||
|
Folder "c:\users\public\recorded tv" has a changed appearance.
|
||
|
Folder "c:\users\public\recorded tv\sample media" has a changed appearance.
|
||
|
Folder "c:\users\public\videos" has a changed appearance.
|
||
|
Folder "c:\users\public\videos\sample videos" has a changed appearance.
|
||
|
Folder "c:\users\5p5nrgjn0js halpmcxz\desktop" has a changed appearance.
|
||
|
Folder "c:\users\default\desktop" has a changed appearance.
|
||
|
Folder "c:\users\public\desktop" has a changed appearance.
|
||
|
|
Persistence |
|
|
|
Install system startup script or application
|
|
|
Add ""C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe"" to windows startup via registry.
|
||
|
Add ""C:\ProgramData\BCE1010314.exe"" to windows startup via registry.
|
||
|
|
Process |
|
|
|
Create process with hidden window
|
|
|
The process "cmd" starts with hidden window.
|
||
|
|
Create system object
|
|
|
Create mutex with name "E1010314_offset".
|
||
| - | Browser | |
| - | Device | |
| - | Information Stealing | |
| - | Injection | |
| - | Kernel | |
| - | Network | |
| - | PE | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
