Play interactive tourEdit tour
Windows Analysis Report TpZ10Hfjov.exe
Overview
General Information
Detection
Djvu
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Djvu Ransomware
Contains functionality to inject code into remote processes
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Sample file is different than original file name gathered from version info
Social media urls found in memory data
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | ||
JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | ||
SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
| |
JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | ||
SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
| |
Click to see the 25 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
| |
JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | ||
SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
| |
JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | ||
SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
| |
Click to see the 23 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Binary or memory string: |
Compliance: |
---|
Detected unpacking (overwrites its own PE header) | Show sources |
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: |
Spreading: |
---|
Infects executable files (exe, dll, sys, html) | Show sources |
Source: | System file written: | Jump to behavior |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | HTTP traffic detected: |