
Analysis Report uVKGpf8T33

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205233
Start date: 03.02.2020
Start time: 14:30:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: uVKGpf8T33 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.winEXE@3/48@0/0
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 28.2% (good quality ratio 9.3%)
  • Quality average: 16.9%
  • Quality standard deviation: 27.4%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 21
  • Number of non-executed functions: 2
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Execution Graph export aborted for target Info.exe, PID 5300 because there are no executed functions
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | DRV | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Graphical User Interface 1; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Masquerading 11; Disabling Security Tools 1; Virtualization/Sandbox Evasion 2; Process Injection 1; Obfuscated Files or Information 1
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Virtualization/Sandbox Evasion 2; Security Software Discovery 1; File and Directory Discovery 1; System Information Discovery 12; Remote System Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings
Impact: Data Encrypted for Impact 1; Device Lockout; Delete Device Data

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Info.exe; Avira: detection malicious, Label: HEUR/AGEN.1001382
Antivirus detection for sample
Source: uVKGpf8T33.exe; Avira: detection malicious, Label: HEUR/AGEN.1001382
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Info.exe; Virustotal: Detection: 70%
Multi AV Scanner detection for submitted file
Source: uVKGpf8T33.exe; Virustotal: Detection: 70%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Info.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: uVKGpf8T33.exe; Joe Sandbox ML: detected

Networking:

Urls found in memory or binary data
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: uVKGpf8T33.exe, 00000000.00000002.4308583972.0000000005EC6000.00000002.00000001.sdmp, Info.exe, 00000002.00000002.4320630786.0000000005526000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

Spam, unwanted Advertisements and Ransom Demands:

Yara detected DRV ransomware
Source: Yara match; File source: uVKGpf8T33.exe, type: SAMPLE
Source: Yara match; File source: .text, type: SAMPLE
Source: Yara match; File source: 00000000.00000000.4280906071.0000000000B92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4302174598.0000000000B92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.4300472614.00000000001F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4313845476.00000000001F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uVKGpf8T33.exe PID: 6096, type: MEMORY
Source: Yara match; File source: Process Memory Space: Info.exe PID: 5300, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Info.exe, type: DROPPED
Source: Yara match; File source: 2.0.Info.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.uVKGpf8T33.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.uVKGpf8T33.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Info.exe.1f0000.0.unpack, type: UNPACKEDPE
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\AppData\Local\Info.exe; File moved: C:\Users\user\Desktop\EEGWXUHVUG.docx
Source: C:\Users\user\AppData\Local\Info.exe; File deleted: C:\Users\user\Desktop\EEGWXUHVUG.docx
Source: C:\Users\user\AppData\Local\Info.exe; File moved: C:\Users\user\Desktop\GRXZDKKVDB.xlsx
Source: C:\Users\user\AppData\Local\Info.exe; File deleted: C:\Users\user\Desktop\GRXZDKKVDB.xlsx
Source: C:\Users\user\AppData\Local\Info.exe; File moved: C:\Users\user\Desktop\NVWZAPQSQL.docx

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Code function: 0_2_014DC144
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Code function: 0_2_014DE580
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Code function: 0_2_014DE590
PE file contains strange resources
Source: uVKGpf8T33.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Info.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: uVKGpf8T33.exe, 00000000.00000002.4312989197.0000000006FD0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs uVKGpf8T33.exe
Source: uVKGpf8T33.exe, 00000000.00000002.4302242105.0000000000BAE000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameDRV.exe( vs uVKGpf8T33.exe
Source: uVKGpf8T33.exe, 00000000.00000002.4314529142.00000000070D0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs uVKGpf8T33.exe
Source: uVKGpf8T33.exe, 00000000.00000002.4314529142.00000000070D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs uVKGpf8T33.exe
Source: uVKGpf8T33.exe, 00000000.00000002.4314767397.0000000008710000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename vs uVKGpf8T33.exe
Source: uVKGpf8T33.exe; Binary or memory string: OriginalFilenameDRV.exe( vs uVKGpf8T33.exe
Binary contains paths to development resources
Source: uVKGpf8T33.exe; Binary or memory string: .pptx.odt.jpg.png.csv.sql.mdb.sln.php.asp
Classification label
Source: classification engine; Classification label: mal100.rans.winEXE@3/48@0/0
Creates files inside the user directory
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; File created: C:\Users\user\Desktop\Password.txt
PE file has an executable .text section and no other executable section
Source: uVKGpf8T33.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Info.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini files
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: uVKGpf8T33.exe; Virustotal: Detection: 70%
Sample reads its own file content
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; File read: C:\Users\user\Desktop\uVKGpf8T33.exe
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\uVKGpf8T33.exe 'C:\Users\user\Desktop\uVKGpf8T33.exe'
Source: unknown; Process created: C:\Users\user\AppData\Local\Info.exe 'C:\Users\user\AppData\Local\Info.exe'
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Process created: C:\Users\user\AppData\Local\Info.exe 'C:\Users\user\AppData\Local\Info.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
PE file contains a COM descriptor data directory
Source: uVKGpf8T33.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: uVKGpf8T33.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directory
Source: uVKGpf8T33.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\Users\My World\Desktop\DRV\hidden-tear-offline\hidden-tear-offline\obj\Release\DRV.pdb source: uVKGpf8T33.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Code function: 0_2_00B94992 push cs; ret 0_2_00B94995
Source: C:\Users\user\AppData\Local\Info.exe; Code function: 2_2_001F4992 push cs; ret 2_2_001F4995

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; File created: C:\Users\user\AppData\Local\Info.exe

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample; Icon embedded in binary file: icon matches a legit application icon: icon (2112).png
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Process information set: NOOPENFILEERRORBOX (30 occurrences)
Source: C:\Users\user\AppData\Local\Info.exe; Process information set: NOOPENFILEERRORBOX (27 occurrences)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Info.exe; Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\uVKGpf8T33.exe TID: 6116; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Info.exe TID: 5248; Thread sleep time: -922337203685477s >= -30000s

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Queries volume information: C:\Users\user\Desktop\uVKGpf8T33.exe VolumeInformation
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Info.exe; Queries volume information: C:\Users\user\AppData\Local\Info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Info.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Info.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Info.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\uVKGpf8T33.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

Legend (graph image not included in this export): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Simulations

Behavior and APIs

Time | Type | Description
14:31:39 | API Interceptor | 1x Sleep call for process: Info.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
uVKGpf8T33.exe | 71% | Virustotal |
uVKGpf8T33.exe | 100% | Avira | HEUR/AGEN.1001382
uVKGpf8T33.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Info.exe | 100% | Avira | HEUR/AGEN.1001382
C:\Users\user\AppData\Local\Info.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Info.exe | 71% | Virustotal |

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.uVKGpf8T33.exe.b90000.0.unpack | 100% | Avira | HEUR/AGEN.1001382
0.2.uVKGpf8T33.exe.b90000.0.unpack | 100% | Avira | HEUR/AGEN.1001382
2.0.Info.exe.1f0000.0.unpack | 100% | Avira | HEUR/AGEN.1001382
2.2.Info.exe.1f0000.0.unpack | 100% | Avira | HEUR/AGEN.1001382

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | Virustotal |
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | Virustotal |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | Virustotal |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.tiro.com | 0% | Virustotal |
http://www.tiro.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | Virustotal |
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | Virustotal |
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | Virustotal |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | Virustotal |
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | Virustotal |
http://www.sajatypeworks.com | 0% | URL Reputation | safe

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
uVKGpf8T33.exe | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
.text | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Info.exe | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.4280906071.0000000000B92000.00000002.00020000.sdmp | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
00000000.00000002.4302174598.0000000000B92000.00000002.00020000.sdmp | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
00000002.00000000.4300472614.00000000001F2000.00000002.00020000.sdmp | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
00000002.00000002.4313845476.00000000001F2000.00000002.00020000.sdmp | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
Process Memory Space: uVKGpf8T33.exe PID: 6096 | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
Process Memory Space: Info.exe PID: 5300 | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.Info.exe.1f0000.0.unpack | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
0.0.uVKGpf8T33.exe.b90000.0.unpack | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
0.2.uVKGpf8T33.exe.b90000.0.unpack | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |
2.2.Info.exe.1f0000.0.unpack | JoeSecurity_DRV_ransomware | Yara detected DRV ransomware | Joe Security |

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.