cb0b411c...cd35

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Ransomware

local.exe

Windows Exe (x86-32)

Created at 2019-07-11T16:09:00

VMRay Threat Indicators (10 rules, 15 matches)

Severity	Category	Operation	Count	Classification
5/5	Local AV	Malicious content was detected by heuristic scan	1	-
Local AV detected the sample itself as "Gen:Heur.Ransom.REntS.Gen.1". ... VTI Actions Go to AV match Go to file details
4/5	File System	Modifies content of user files	1	Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	File System	Renames user files	1	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	Reputation	Known malicious URL	3	-
Contacted URL "kingswagy.ru/Decrypter.exe" is a known malicious URL. ... VTI Actions Go to Behavior
Contacted URL "kingswagy.ru/ransom.jpg" is a known malicious URL. ... VTI Actions Go to Behavior
Contacted URL "kingswagy.ru" is a known malicious URL. ... VTI Actions
3/5	Network	Reads network adapter information	1	-
Reads the network adapters' addresses by API. ... VTI Actions Go to Behavior
1/5	Network	Performs DNS request	2	-
Resolves host name "maper.info". ... VTI Actions Go to Behavior
Resolves host name "kingswagy.ru". ... VTI Actions Go to Behavior
1/5	File System	Creates an unusually large number of files	1	-
Creates an unusually large number of files. ... VTI Actions Go to file details
1/5	Network	Connects to remote host	2	-
Outgoing TCP connection to host "88.99.66.31:443". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "81.177.141.81:80". ... VTI Actions Go to Behavior
1/5	Network	Connects to HTTP server	2	-
URL "kingswagy.ru/Decrypter.exe". ... VTI Actions Go to Behavior
URL "kingswagy.ru/ransom.jpg". ... VTI Actions Go to Behavior
1/5	Static	Unparsable sections in file	1	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\local.exe. ... VTI Actions Go to file details

Screenshots

Monitored Processes

Sample Information

ID	#105805
MD5	cb1c660658312dd77c68a8ce9102b8a0
SHA1	7e4fbbad202835954d10f113ed6774757d8c0398
SHA256	cb0b411cc1f6704c16f3a50aadc6384275ba5b2e17be0a69c632883d83d9cd35
SSDeep	1536:J4ctAMwflmsolaTIrRuw+mqbz9j1MWLQsgZdO:dqM+lmsolAIrRuw+mqv9j1MWLQFZd
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744
Filename	local.exe
File Size	117.50 KB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-07-11 18:09 (UTC+2)
Analysis Duration	00:04:27
Number of Monitored Processes	1
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	1
Number of YARA Matches	0
Termination Reason	Timeout
Tags

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

VMRay Threat Indicators (10 rules, 15 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After