Analysis Report script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe

Overview

General Information

Sample Name: script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe
Analysis ID: 254449
MD5: d5b831131e93aa30512ca34b0085980d
SHA1: 0a55c8164e612ff9bf28ba493885ca040e5840ad
SHA256: be5a6314e4c9911fb51c7471c50e900a8645d31111baee36038f8dc0cc891643

Detection

HTMLPhisher Sodinokibi
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Found ransom note / readme
Sigma detected: Delete Shadow Copy Via Powershell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HtmlPhish_10
Yara detected Sodinokibi Ransomware
Encrypted powershell cmdline option found
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification