
Analysis Report qP4cdRoVBi

Overview

General Information

Sample Name: qP4cdRoVBi (renamed file extension from none to exe)
MD5: 7ddb09db3fb9b01fa931c2a1a41e13e1
SHA1: 8941f55d8f9842cb4cbd5215adf3345afd16e6cb
SHA256: edef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a


Detection

Gocoder
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Gocoder ransomware
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • qP4cdRoVBi.exe (PID: 5232 cmdline: 'C:\Users\user\Desktop\qP4cdRoVBi.exe' MD5: 7DDB09DB3FB9B01FA931C2A1A41E13E1)
    • conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: qP4cdRoVBi.exe PID: 5232 | JoeSecurity_Gocoder | Yara detected Gocoder ransomware | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: qP4cdRoVBi.exe | Virustotal: Detection: 47%
Source: qP4cdRoVBi.exe | Metadefender: Detection: 15%
Source: qP4cdRoVBi.exe | ReversingLabs: Detection: 46%

Source: unknown | DNS traffic detected: queries for: ENELINT.GLOBAL

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Gocoder ransomware
Source: Yara match | File source: Process Memory Space: qP4cdRoVBi.exe PID: 5232, type: MEMORY

Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_00437840
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0044A830
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_00433960
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0040F3C0
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_00406CD0
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0040FCD0
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0041ECA0
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0040D520
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_00405690
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: String function: 00426390 appears 101 times
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: String function: 004273E0 appears 62 times
Source: classification engine | Classification label: mal56.rans.winEXE@2/0@1/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: qP4cdRoVBi.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: qP4cdRoVBi.exe | Virustotal: Detection: 47%
Source: qP4cdRoVBi.exe | Metadefender: Detection: 15%
Source: qP4cdRoVBi.exe | ReversingLabs: Detection: 46%
Source: unknown | Process created: C:\Users\user\Desktop\qP4cdRoVBi.exe 'C:\Users\user\Desktop\qP4cdRoVBi.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: qP4cdRoVBi.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: qP4cdRoVBi.exe | Static file information: File size 3965440 > 1048576
Source: qP4cdRoVBi.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3b1c00

Source: qP4cdRoVBi.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0041E049 push eax; retn 007Dh (0_2_0041E04A)
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0041E052 push esp; retn 007Dh (0_2_0041E053)
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0041E031 push eax; retn 007Dh (0_2_0041E032)
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0041E03E push esp; retn 007Dh (0_2_0041E044)
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0040D125 push ebp; retn 0003h (0_2_0040D128)
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_00441C53 push edi; ret (0_2_00441C55)

Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_0042386E GetSystemInfo (0_2_0042386E)

Source: C:\Users\user\Desktop\qP4cdRoVBi.exe | Code function: 0_2_00436AC0 AddVectoredExceptionHandler, SetUnhandledExceptionFilter (0_2_00436AC0)

Mitre Att&ck Matrix

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation
  • Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
  • Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception
  • Defense Evasion: Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2)
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture
  • Discovery: System Information Discovery (2); Remote System Discovery (1); Query Registry
  • Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
  • Command and Control: Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1)
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 236619 | Sample: qP4cdRoVBi | Start date: 08/06/2020 | Architecture: WINDOWS | Score: 56

  • qP4cdRoVBi.exe started
    • Signatures: Multi AV Scanner detection for submitted file; Yara detected Gocoder ransomware
    • DNS/IP: ENELINT.GLOBAL
    • conhost.exe started
