
Windows Analysis Report NtJd0gjCZE

Overview

General Information

Sample Name: NtJd0gjCZE (renamed file extension from none to exe)
Analysis ID: 459108
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4

Detection

Netwalker Revil Sodinokibi
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: WannaCry Ransomware
Yara detected Netwalker ransomware
Yara detected RansomwareGeneric
Yara detected Revil
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Sigma detected: Copying Sensitive Files with Credential Data
Uses bcdedit to modify the Windows boot settings
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops certificate files (DER)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification