Analysis Report script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe


General Information

Sample Name:script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe
Analysis ID:254449

Detection: HTMLPhisher, Sodinokibi
Score range: 0 - 100


Found malware configuration
Found ransom note / readme
Sigma detected: Delete Shadow Copy Via Powershell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HtmlPhish_10
Yara detected Sodinokibi Ransomware
Encrypted powershell cmdline option found (a base64-encoded -EncodedCommand argument; the command is encoded, not encrypted)
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
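The two signatures "Sigma detected: Delete Shadow Copy Via Powershell" and "Encrypted powershell cmdline option found" describe one behaviour a defender will want to re-detect in their own process-creation telemetry: a base64(UTF-16LE) payload handed to powershell.exe via -EncodedCommand that, once decoded, wipes Volume Shadow Copies. The Python below is an added example written for this page; it is not code from Joe Sandbox, from the Sigma project, or from the sample. It goes a little beyond the PowerShell form the Sigma rule names by also catching the vssadmin and wmic variants, and every command line, log line and function name in it is constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample command (the WMI shadow-copy wipe commonly seen in ransomware
# playbooks); used here only to build test input, not taken from the report.
SHADOW_COPY_COMMAND = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"


def encode_powershell(command: str) -> str:
    """Build the base64(UTF-16LE) form that powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# -e, -ec, -enc, -EncodedCommand ... (powershell.exe accepts any unambiguous prefix),
# followed by the base64 payload. The lookbehind and the required whitespace keep this
# from firing on other switches such as -ExecutionPolicy or -ep.
ENCODED_ARG = re.compile(
    r"(?<![\w-])-e(?:c|n[a-z]*)?\s+[\"']?([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Shadow-copy deletion forms: vssadmin, wmic, and the WMI/CIM route used from
# PowerShell (Win32_ShadowCopy followed by Delete() or a Remove-* cmdlet).
SHADOW_COPY_PATTERNS = [
    re.compile(p, re.IGNORECASE | re.DOTALL)
    for p in (
        r"vssadmin(?:\.exe)?\s+delete\s+shadows",
        r"wmic(?:\.exe)?\s+shadowcopy\s+delete",
        r"win32_shadowcopy.*?(?:\.delete\(\)|remove-wmiobject|\brwmi\b|remove-ciminstance)",
    )
]


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    payload = m.group(1)
    payload += "=" * (-len(payload) % 4)  # tolerate payloads with the '=' padding stripped
    try:
        return base64.b64decode(payload).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_shadow_copy_deletion(text: str) -> Optional[str]:
    """Return the source of the first shadow-copy pattern that matches, or None."""
    for pat in SHADOW_COPY_PATTERNS:
        if pat.search(text):
            return pat.pattern
    return None


@dataclass
class Hit:
    line_no: int
    cmdline: str
    decoded: Optional[str]
    pattern: str


def scan(cmdlines: List[str]) -> List[Hit]:
    """Flag command lines that delete shadow copies, in clear text or behind -EncodedCommand."""
    hits = []
    for line_no, cmdline in enumerate(cmdlines, start=1):
        decoded = decode_encoded_powershell(cmdline)
        # Search the raw line and the decoded payload together so plain vssadmin/wmic
        # invocations and encoded PowerShell are caught by the same rule.
        haystack = cmdline if decoded is None else cmdline + "\n" + decoded
        pattern = find_shadow_copy_deletion(haystack)
        if pattern:
            hits.append(Hit(line_no, cmdline, decoded, pattern))
    return hits


# Constructed process-creation command lines for a local run; entries 3 and 4 should fire,
# the benign encoded PowerShell in entry 2 should not.
SAMPLE_PROCESS_LOGS = [
    r"C:\Windows\System32\schtasks.exe /query /fo LIST",
    "powershell.exe -NoProfile -enc " + encode_powershell("Get-Service | Where-Object Status -eq Running"),
    "powershell.exe -e " + encode_powershell(SHADOW_COPY_COMMAND),
    "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESS_LOGS):
        print(f"line {hit.line_no}: matched /{hit.pattern}/")
        if hit.decoded:
            print(f"  decoded: {hit.decoded}")
```

Decoding before matching is the point: a rule that only inspects the raw command line never sees "Win32_Shadowcopy" when it travels as base64, which is exactly why the sandbox reports the encoded-option signature alongside the Sigma hit. In production the decoded payload should be written back to the event (not just matched) so analysts can read what actually ran.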