Play interactive tour

Edit tour

Analysis Report p2h.exe

Overview

General Information

Sample Name:	p2h.exe
Analysis ID:	251146
MD5:	6006725a2daa0b01a4af2fddf58db57b
SHA1:	2e9c40f5bc4f7d8c543cf5a93123fc2794f26a6a
SHA256:	448f9d5980c6e327d5cf3e3286381df157876c7f4a748a31038d5bee5479c901
Most interesting Screenshot:

Detection

Netwalker

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found ransom note / readme

Yara detected Netwalker ransomware

Deletes shadow drive data (may be related to ransomware)

Machine Learning detection for sample

May disable shadow drive data (uses vssadmin)

Writes a notice file (html or txt) to demand a ransom

Creates COM task schedule object (often to register a task for autostart)

Enables debug privileges

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Startup

System is w10x64

p2h.exe (PID: 5004 cmdline: 'C:\Users\user\Desktop\p2h.exe' MD5: 6006725A2DAA0B01A4AF2FDDF58DB57B)

vssadmin.exe (PID: 1496 cmdline: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)

conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: p2h.exe PID: 5004	JoeSecurity_Netwalker	Yara detected Netwalker ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for sample

Show sources

Source: p2h.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: p2h.exe, 00000000.00000003.823645278.000000003C37F000.00000004.00000001.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: p2h.exe, 00000000.00000003.825900969.000000003A15C000.00000004.00000001.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://casper.beckman.uiuc.edu/~c-tsai4
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://chasen.aist-nara.ac.jp/chasen/distribution.html
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://corz.org/ip
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: p2h.exe, 00000000.00000003.918284526.000000003C3F2000.00000004.00000001.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl
Source: p2h.exe, 00000000.00000003.918284526.000000003C3F2000.00000004.00000001.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d
Source: p2h.exe, 00000000.00000003.833206566.000000003A0E0000.00000004.00000001.sdmp	String found in binary or memory: http://download.oracle.com/javase/7/docs/technotes/guides/plugin/
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.com
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://ip.appspot.com
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://ip.eprci.net/text
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://ip.jsontest.com/
Source: p2h.exe, 00000000.00000003.833215162.000000003A0E3000.00000004.00000001.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://services.packetizer.com/ipaddress/?f=text
Source: p2h.exe, 00000000.00000003.833233121.000000003A0F2000.00000004.00000001.sdmp, p2h.exe, 00000000.00000003.832988343.000000003A04F000.00000004.00000001.sdmp	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://th.symcb.com/th.crl0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://th.symcb.com/th.crt0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://th.symcd.com0&
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://whatthehellismyip.com/?ipraw
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://wtfismyip.com/text
Source: p2h.exe, 00000000.00000003.1315206008.000000004FD92000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoit.de/index.php?page=Thread&postID=48393
Source: p2h.exe, 00000000.00000003.1187273056.000000004FB63000.00000004.00000001.sdmp	String found in binary or memory: http://www.bearcave.com/random_hacks/permute.html
Source: p2h.exe, 00000000.00000003.1163172906.000000004FB00000.00000004.00000001.sdmp	String found in binary or memory: http://www.easyrgb.com/math.php?MATH=M19#text19
Source: p2h.exe, 00000000.00000003.823608089.000000003C35F000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: p2h.exe, 00000000.00000003.833215162.000000003A0E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.linuxnet.com
Source: p2h.exe, 00000000.00000003.826957316.000000003A16A000.00000004.00000001.sdmp	String found in binary or memory: http://www.live.com/
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://www.myexternalip.com/raw
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://www.networksecuritytoolkit.org/nst/tools/ip.php
Source: p2h.exe, 00000000.00000003.833206566.000000003A0E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: p2h.exe, 00000000.00000003.833233121.000000003A0F2000.00000004.00000001.sdmp, p2h.exe, 00000000.00000003.832988343.000000003A04F000.00000004.00000001.sdmp	String found in binary or memory: http://www.tagvault.org/tv_extensions.xsd
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.com/ip
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: http://www.trackip.net/ip
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/Public/
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/Public/.
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html.
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/reports/
Source: p2h.exe, 00000000.00000003.834575319.000000003C375000.00000004.00000001.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: p2h.exe, 00000000.00000003.825900969.000000003A15C000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp	String found in binary or memory: https://sourceforge.net/project/?group_id=1519
Source: A5F447-Readme.txt.0.dr	String found in binary or memory: https://torproject.org/
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/appendix/SendKeys.htm#KeysList
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/functions/
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/intro/au3check.htm
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/keywords.htm
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/keywords/
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/keywords/comments-start.htm
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/libfunctions/_
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/docs/macros.htm#
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/scite/docs/AutoIt3Wrapper.html
Source: p2h.exe, 00000000.00000003.1271532915.000000004FC20000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/forum/topic/50254-powerpoint-wrapper
Source: p2h.exe, 00000000.00000003.963873803.000000004F5F2000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/trac/autoit/ticket/3585
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	String found in binary or memory: https://www.thawte.com/repository0W

Source: p2h.exe, 00000000.00000003.968194093.000000004F7C3000.00000004.00000001.sdmp

Binary or memory string: _winapi_registerhotkey _winapi_registerpowersettingnotification _winapi_registerrawinputdevices \

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme

Show sources

Source: C:\ProgramData\A5F447-Readme.txt

Dropped file: Hi!Your files are encrypted.All encrypted files for this computer has extension: .a5f447--If for some reason you read this text before the encryption ended,this can be understood by the fact that the computer slows down,and your heart rate has increased due to the ability to turn it off,then we recommend that you move away from the computer and accept that you have been compromised.Rebooting/shutdown will cause you to lose files without the possibility of recovery.--Our encryption algorithms are very strong and your files are very well protected,the only way to get your files back is to cooperate with us and get the decrypter program.Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.Just open our website, upload the encrypted file and get the decrypted file for free.Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.--Steps to get access on our website:1.Download and install tor-browser: https://torproject.org/2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onionIf the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.Put your personal code in the input form:{code_a5f447:3PsLNNh3dEaKce47X8zi74gg8lCchhmMh+9YetGhFWsALZzULCTi0Qzwr/kMgSIS6iv/FlfucrLkHHLpDeoWPFQJ+dA3YHw11IeSFtuZC7Edlh5Ep3PA7OF3TmpgrJABXgKvbrXuuc2o/jl/3M+COsVmZD/QAOfscG3sLsrDIU+BB4uIiMVSv/MAWQ0rf3VVQiUwMjUD8Ufvbu55n4WMUNUIyV2IT2/5qR1i653sP22D0rCdgsL2GxRgmTppaVM8WP5SzDGcclDU0NYuGPvEFQc4z5uJN249sw==}

Jump to dropped file

Yara detected Netwalker ransomware

Show sources

Source: Yara match

File source: Process Memory Space: p2h.exe PID: 5004, type: MEMORY

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: unknown	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\p2h.exe	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet	Jump to behavior
Source: p2h.exe, 00000000.00000003.772434472.0000000000E49000.00000004.00000001.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 63 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\Prog
Source: p2h.exe, 00000000.00000003.770463328.0000000000220000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quietg
Source: p2h.exe, 00000000.00000003.770463328.0000000000220000.00000004.00000001.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 63 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=UMMBDNEUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsg
Source: p2h.exe, 00000000.00000003.771892061.0000000000E49000.00000004.00000001.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 63 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=UMMBDNEUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: vssadmin.exe, 00000002.00000002.780739828.000002C470135000.00000004.00000040.sdmp	Binary or memory string: C:\Windows\system32\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000002.00000002.780628594.000002C46FEF0000.00000004.00000020.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 00000002.00000002.780628594.000002C46FEF0000.00000004.00000020.sdmp	Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

May disable shadow drive data (uses vssadmin)

Show sources

Source: unknown	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\p2h.exe	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet			Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Show sources

Source: C:\Users\user\Desktop\p2h.exe	File dropped: C:\ProgramData\A5F447-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onionif the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd	Jump to dropped file
Source: C:\Users\user\Desktop\p2h.exe	File dropped: C:\Program Files (x86)\Free Window Registry Repair\A5F447-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onionif the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd	Jump to dropped file
Source: C:\Users\user\Desktop\p2h.exe	File dropped: C:\Program Files (x86)\AutoIt3\A5F447-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onionif the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd	Jump to dropped file
Source: C:\Users\user\Desktop\p2h.exe	File dropped: C:\Program Files (x86)\Microsoft Office\A5F447-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onionif the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd	Jump to dropped file

Source: p2h.exe, 00000000.00000003.1467421354.000000004FED6000.00000004.00000001.sdmp	Binary or memory string: Global Const $FV_ORIGINALFILENAME = "OriginalFilename" vs p2h.exe
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameGoogleUpdate.exe4 vs p2h.exe

Source: classification engine

Classification label: mal72.rans.winEXE@4/14@0/0

Source: C:\Users\user\Desktop\p2h.exe

File created: C:\Program Files (x86)\free window registry repair\A5F447-Readme.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01

Source: p2h.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\p2h.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\p2h.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\p2h.exe 'C:\Users\user\Desktop\p2h.exe'
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\p2h.exe	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet	Jump to behavior

Source: C:\Users\user\Desktop\p2h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: p2h.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\p2h.exe	File created: C:\Documents and Settings\All Users\A5F447-Readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	File created: C:\Program Files (x86)\free window registry repair\A5F447-Readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	File created: C:\Program Files (x86)\autoit3\A5F447-Readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\p2h.exe	File created: C:\Program Files (x86)\microsoft office\A5F447-Readme.txt	Jump to behavior

Source: C:\Users\user\Desktop\p2h.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\p2h.exe TID: 5028

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\p2h.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\p2h.exe

Process token adjusted: Debug

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task1	Scheduled Task1	Process Injection1	Masquerading1	Input Capture11	Virtualization/Sandbox Evasion1	Application Deployment Software	Input Capture11	Data Compressed	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Replication Through Removable Media	Service Execution	Port Monitors	Scheduled Task1	Virtualization/Sandbox Evasion1	Network Sniffing	Process Discovery2	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Fallback Channels	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Windows Management Instrumentation	Accessibility Features	Path Interception	Process Injection1	Input Capture	System Information Discovery2	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Scheduled Task	System Firmware	DLL Search Order Hijacking	File Deletion1	Credentials in Files	System Network Configuration Discovery	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication	SIM Card Swap		Premium SMS Toll Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report p2h.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails