Windows Analysis Report
ZunmmW7pe5.exe

Overview

General Information

Sample Name: ZunmmW7pe5.exe
Analysis ID: 626600
MD5: 6d87be9212a1a0e92e58e1ed94c589f9
SHA1: 19ce538b2597da454abf835cff676c28b8eb66f7
SHA256: c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac

Detection

Rook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Rook Ransomware
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: ZunmmW7pe5.exe Avira: detected
Source: 0.0.ZunmmW7pe5.exe.7ff7e3710000.0.unpack Malware Configuration Extractor: Rook Ransomware {"Ransom Note": "-----------Welcome. Again. --------------------\r\n[+]Whats Happen?[+]\r\n\r\nYour files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet.\r\n\r\nBy the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).\r\n\r\n[+] What guarantees?[+]\r\n\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.\r\n\r\nTo check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring.\r\n\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money.\r\n\r\nIf we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services.\r\n\r\nYou have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. Every more than 3 days will increase the number of leaked files.\r\n\r\nPlease use the company email to contact us, otherwise we will not reply.\r\n\r\n[+] How to get access on website?[+] \r\n\r\nYou have two ways:\r\n\r\n1) [Recommended] Using a TOR browser!\r\n\ta) Download and install TOR browser from this site:https://torproject.org/\n\tb) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion\r\n\r\n2) Our mail box:\r\n\ta)rook@onionmail.org\r\n\tb)securityRook@onionmail.org\r\n\tc)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox\r\n------------------------------------------------------------------------------------------------\r\n!!!DANGER!!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.\r\n!!!!!!!\r\n\r\nAGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere.\r\n!!!!!!!\r\n\r\nONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger.\r\n\r\n!!!!!!!\r\n"}
Source: ZunmmW7pe5.exe Virustotal: Detection: 79%
Source: ZunmmW7pe5.exe Metadefender: Detection: 27%
Source: ZunmmW7pe5.exe ReversingLabs: Detection: 88%
Source: ZunmmW7pe5.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E371DBF0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 0_2_00007FF7E371DBF0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4g06WvN+BRr9GeeOkZ4ynnK1uHreCPZyEsc43g3ftVXqsq2Kbdy7Z+XORqxmBi8D5nhDfw3eHRzH8wpcUos3szWKyJLOeKhN6DM5M4FppD8hyuKDTcgsa70Nhapc1Oyjfh3kf3Kc/2CUhnPYEzHefHN3yOq9wxOVGc1S+bcTM3ez8gRuv0fB9ao2bJ 0_2_00007FF7E3711C00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns+j6MRzXXSObIDHYp8SUpB7OViyI5uvY583DQjT6YQBsXdIpcrgQwnfI8JtIrBABATftC2L5CnJkGv7gRTPm+1JY0OlzGcJmZqCHIoLBbGriG7jgBs+9RCqtJ/JP9L1NeS4Hmaan8HCxGVT5ysqIxv1pz0Bw1aoAu2mPzIwy0cl3P5b4CygAbBUuo 0_2_00007FF7E3711C00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_00007FF7E3711C00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns+j6MRzXXSObIDHYp8SUpB7OViyI5uvY583DQjT6YQBsXdIpcrgQwnfI8JtIrBABATftC2L5CnJkGv7gRTPm+1JY0OlzGcJmZqCHIoLBbGriG7jgBs+9RCqtJ/JP9L1NeS4Hmaan8HCxGVT5ysqIxv1pz0Bw1aoAu2mPzIwy0cl3P5b4CygAbBUuo 0_2_00007FF7E3718FB0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN RSA PUBLIC KEY----- 0_2_00007FF7E371CD10
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_00007FF7E371CD10
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns+j6MRzXXSObIDHYp8SUpB7OViyI5uvY583DQjT6YQBsXdIpcrgQwnfI8JtIrBABATftC2L5CnJkGv7gRTPm+1JY0OlzGcJmZqCHIoLBbGriG7jgBs+9RCqtJ/JP9L1NeS4Hmaan8HCxGVT5ysqIxv1pz0Bw1aoAu2mPzIwy0cl3P5b4CygAbBUuo 0_2_00007FF7E372A450
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns+j6MRzXXSObIDHYp8SUpB7OViyI5uvY583DQjT6YQBsXdIpcrgQwnfI8JtIrBABATftC2L5CnJkGv7gRTPm+1JY0OlzGcJmZqCHIoLBbGriG7jgBs+9RCqtJ/JP9L1NeS4Hmaan8HCxGVT5ysqIxv1pz0Bw1aoAu2mPzIwy0cl3P5b4CygAbBUuo 0_2_00007FF7E372CBB0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns+j6MRzXXSObIDHYp8SUpB7OViyI5uvY583DQjT6YQBsXdIpcrgQwnfI8JtIrBABATftC2L5CnJkGv7gRTPm+1JY0OlzGcJmZqCHIoLBbGriG7jgBs+9RCqtJ/JP9L1NeS4Hmaan8HCxGVT5ysqIxv1pz0Bw1aoAu2mPzIwy0cl3P5b4CygAbBUuo 0_2_00007FF7E3723330
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4g06WvN+BRr9GeeOkZ4ynnK1uHreCPZyEsc43g3ftVXqsq2Kbdy7Z+XORqxmBi8D5nhDfw3eHRzH8wpcUos3szWKyJLOeKhN6DM5M4FppD8hyuKDTcgsa70Nhapc1Oyjfh3kf3Kc/2CUhnPYEzHefHN3yOq9wxOVGc1S+bcTM3ez8gRuv0fB9ao2bJ 0_2_00007FF7E372A070
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns+j6MRzXXSObIDHYp8SUpB7OViyI5uvY583DQjT6YQBsXdIpcrgQwnfI8JtIrBABATftC2L5CnJkGv7gRTPm+1JY0OlzGcJmZqCHIoLBbGriG7jgBs+9RCqtJ/JP9L1NeS4Hmaan8HCxGVT5ysqIxv1pz0Bw1aoAu2mPzIwy0cl3P5b4CygAbBUuo 0_2_00007FF7E3715720
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns+j6MRzXXSObIDHYp8SUpB7OViyI5uvY583DQjT6YQBsXdIpcrgQwnfI8JtIrBABATftC2L5CnJkGv7gRTPm+1JY0OlzGcJmZqCHIoLBbGriG7jgBs+9RCqtJ/JP9L1NeS4Hmaan8HCxGVT5ysqIxv1pz0Bw1aoAu2mPzIwy0cl3P5b4CygAbBUuo 0_2_00007FF7E372C6A0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4g06WvN+BRr9GeeOkZ4ynnK1uHreCPZyEsc43g3ftVXqsq2Kbdy7Z+XORqxmBi8D5nhDfw3eHRzH8wpcUos3szWKyJLOeKhN6DM5M4FppD8hyuKDTcgsa70Nhapc1Oyjfh3kf3Kc/2CUhnPYEzHefHN3yOq9wxOVGc1S+bcTM3ez8gRuv0fB9ao2bJ 0_2_00007FF7E371C710
Source: ZunmmW7pe5.exe Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: ZunmmW7pe5.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: z:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: x:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: v:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: t:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: r:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: p:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: n:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: l:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: j:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: h:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: f:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: b:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: y:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: w:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: u:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: s:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: q:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: o:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: m:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: k:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: i:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: g:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: e:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: c:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: a:
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3712C00 RtlAllocateHeap,lstrcpyW,lstrcatW,CreateFileW,lstrlen,WriteFile,CloseHandle,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege, 0_2_00007FF7E3712C00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37130B0 WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,RtlAllocateHeap,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege, 0_2_00007FF7E37130B0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E374313C FindFirstFileExA, 0_2_00007FF7E374313C
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\3D Objects\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\
Source: ZunmmW7pe5.exe, HowToRestoreYourFiles.txt61.0.dr, HowToRestoreYourFiles.txt77.0.dr, HowToRestoreYourFiles.txt73.0.dr, HowToRestoreYourFiles.txt42.0.dr, HowToRestoreYourFiles.txt114.0.dr, HowToRestoreYourFiles.txt108.0.dr, HowToRestoreYourFiles.txt54.0.dr, HowToRestoreYourFiles.txt95.0.dr, HowToRestoreYourFiles.txt5.0.dr, HowToRestoreYourFiles.txt21.0.dr, HowToRestoreYourFiles.txt102.0.dr, HowToRestoreYourFiles.txt69.0.dr, HowToRestoreYourFiles.txt1.0.dr, HowToRestoreYourFiles.txt30.0.dr, HowToRestoreYourFiles.txt66.0.dr, HowToRestoreYourFiles.txt15.0.dr, HowToRestoreYourFiles.txt111.0.dr, HowToRestoreYourFiles.txt22.0.dr, HowToRestoreYourFiles.txt91.0.dr, HowToRestoreYourFiles.txt34.0.dr String found in binary or memory: https://torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: Process Memory Space: ZunmmW7pe5.exe PID: 8072, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
Source: ZunmmW7pe5.exe Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
Source: ZunmmW7pe5.exe, 00000000.00000002.2994795597.00007FF7E374D000.00000080.00000001.01000000.00000000.sdmp Binary or memory string: memtasmepocsvsssqlsvc$veeambackupGxVssGxBlrGxFWDGxCVDGxCIMgrDefWatchccEvtMgrccSetMgrSavRoamRTVscanQBFCServiceQBIDPServiceIntuit.QuickBooks.FCSQBCFMonitorServiceAcrSch2SvcAcronisAgentCASAD2DWebSvcCAARCUpdateSvcsql.exeoracle.exeocssd.exedbsnmp.exevisio.exewinword.exewordpad.exenotepad.exeexcel.exeonenote.exeoutlook.exesynctime.exeagntsvc.exeisqlplussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefox.exetbirdconfig.exemydesktopqos.exeocomm.exedbeng50.exesqbcoreservice.exeinfopath.exemsaccess.exemspub.exepowerpnt.exesteam.exethebat.exethunderbird.exeQ:\W:\E:\R:\T:\Y:\U:\I:\O:\P:\A:\S:\D:\F:\G:\H:\J:\K:\L:\Z:\X:\C:\V:\B:\N:\M:\IsWow64Processkernel32.dllWow64DisableWow64FsRedirection/c vssadmin.exe delete shadows /all /quietcmd.exeopenWow64RevertWow64FsRedirection
Source: ZunmmW7pe5.exe, 00000000.00000000.1645153422.00007FF7E3711000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: memtasmepocsvsssqlsvc$veeambackupGxVssGxBlrGxFWDGxCVDGxCIMgrDefWatchccEvtMgrccSetMgrSavRoamRTVscanQBFCServiceQBIDPServiceIntuit.QuickBooks.FCSQBCFMonitorServiceAcrSch2SvcAcronisAgentCASAD2DWebSvcCAARCUpdateSvcsql.exeoracle.exeocssd.exedbsnmp.exevisio.exewinword.exewordpad.exenotepad.exeexcel.exeonenote.exeoutlook.exesynctime.exeagntsvc.exeisqlplussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefox.exetbirdconfig.exemydesktopqos.exeocomm.exedbeng50.exesqbcoreservice.exeinfopath.exemsaccess.exemspub.exepowerpnt.exesteam.exethebat.exethunderbird.exeQ:\W:\E:\R:\T:\Y:\U:\I:\O:\P:\A:\S:\D:\F:\G:\H:\J:\K:\L:\Z:\X:\C:\V:\B:\N:\M:\IsWow64Processkernel32.dllWow64DisableWow64FsRedirection/c vssadmin.exe delete shadows /all /quietcmd.exeopenWow64RevertWow64FsRedirection
Source: vssadmin.exe, 00000008.00000002.1705895117.0000027A0F000000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quietvssadmin.exe delete shadows /all /quietWinSta0\Default
Source: vssadmin.exe, 00000008.00000002.1705895117.0000027A0F000000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000008.00000002.1708547648.0000027A0F345000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vssadmin.exedeleteshadows/all/quietE
Source: ZunmmW7pe5.exe Binary or memory string: memtasmepocsvsssqlsvc$veeambackupGxVssGxBlrGxFWDGxCVDGxCIMgrDefWatchccEvtMgrccSetMgrSavRoamRTVscanQBFCServiceQBIDPServiceIntuit.QuickBooks.FCSQBCFMonitorServiceAcrSch2SvcAcronisAgentCASAD2DWebSvcCAARCUpdateSvcsql.exeoracle.exeocssd.exedbsnmp.exevisio.exewinword.exewordpad.exenotepad.exeexcel.exeonenote.exeoutlook.exesynctime.exeagntsvc.exeisqlplussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefox.exetbirdconfig.exemydesktopqos.exeocomm.exedbeng50.exesqbcoreservice.exeinfopath.exemsaccess.exemspub.exepowerpnt.exesteam.exethebat.exethunderbird.exeQ:\W:\E:\R:\T:\Y:\U:\I:\O:\P:\A:\S:\D:\F:\G:\H:\J:\K:\L:\Z:\X:\C:\V:\B:\N:\M:\IsWow64Processkernel32.dllWow64DisableWow64FsRedirection/c vssadmin.exe delete shadows /all /quietcmd.exeopenWow64RevertWow64FsRedirection
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File moved: C:\Users\user\Desktop\GNLQNHOLWB\BWETZDQDIB.pdf
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File moved: C:\Users\user\Desktop\GNLQNHOLWB\MOCYNWGDZO.mp3
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File moved: C:\Users\user\Desktop\PWZOQIFCAN\IZMFBFKMEB.pdf
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File moved: C:\Users\user\Desktop\PWZOQIFCAN\UBVUNTSCZJ.mp3
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File moved: C:\Users\user\Desktop\GNLQNHOLWB.jpg

System Summary

Source: ZunmmW7pe5.exe, type: SAMPLE Matched rule: Detects Babuk ransomware Author: ditekSHen
Source: 0.2.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE Matched rule: Detects Babuk ransomware Author: ditekSHen
Source: 0.0.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE Matched rule: Detects Babuk ransomware Author: ditekSHen
Source: ZunmmW7pe5.exe, type: SAMPLE Matched rule: MALWARE_Win_Babuk author = ditekSHen, description = Detects Babuk ransomware
Source: 0.2.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Babuk author = ditekSHen, description = Detects Babuk ransomware
Source: 0.0.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Babuk author = ditekSHen, description = Detects Babuk ransomware
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3711C00 0_2_00007FF7E3711C00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3712C00 0_2_00007FF7E3712C00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3724300 0_2_00007FF7E3724300
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3713970 0_2_00007FF7E3713970
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37130B0 0_2_00007FF7E37130B0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3712070 0_2_00007FF7E3712070
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37227C0 0_2_00007FF7E37227C0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3737F20 0_2_00007FF7E3737F20
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37234B0 0_2_00007FF7E37234B0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E371ACC0 0_2_00007FF7E371ACC0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37394C0 0_2_00007FF7E37394C0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E371CD10 0_2_00007FF7E371CD10
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3720460 0_2_00007FF7E3720460
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E372EC60 0_2_00007FF7E372EC60
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37313B0 0_2_00007FF7E37313B0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3736340 0_2_00007FF7E3736340
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3720AB0 0_2_00007FF7E3720AB0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E372BAB0 0_2_00007FF7E372BAB0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37472C0 0_2_00007FF7E37472C0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E371BAF0 0_2_00007FF7E371BAF0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E373DAF8 0_2_00007FF7E373DAF8
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3738240 0_2_00007FF7E3738240
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E373F9AC 0_2_00007FF7E373F9AC
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37219F0 0_2_00007FF7E37219F0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E371D120 0_2_00007FF7E371D120
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3716920 0_2_00007FF7E3716920
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3718150 0_2_00007FF7E3718150
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3737980 0_2_00007FF7E3737980
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3736180 0_2_00007FF7E3736180
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37368B0 0_2_00007FF7E37368B0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37388D0 0_2_00007FF7E37388D0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3714900 0_2_00007FF7E3714900
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3737EF0 0_2_00007FF7E3737EF0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E371A820 0_2_00007FF7E371A820
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E373A020 0_2_00007FF7E373A020
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3735840 0_2_00007FF7E3735840
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E372F050 0_2_00007FF7E372F050
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E373D87C 0_2_00007FF7E373D87C
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3717FD0 0_2_00007FF7E3717FD0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3742F30 0_2_00007FF7E3742F30
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3738F60 0_2_00007FF7E3738F60
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E371D780 0_2_00007FF7E371D780
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3716EA0 0_2_00007FF7E3716EA0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E372F6A0 0_2_00007FF7E372F6A0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37306C0 0_2_00007FF7E37306C0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3731F00 0_2_00007FF7E3731F00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3716640 0_2_00007FF7E3716640
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3717650 0_2_00007FF7E3717650
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3735650 0_2_00007FF7E3735650
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3738660 0_2_00007FF7E3738660
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3735E90 0_2_00007FF7E3735E90
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E374A5A8 0_2_00007FF7E374A5A8
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37395D0 0_2_00007FF7E37395D0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3746DF0 0_2_00007FF7E3746DF0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3737520 0_2_00007FF7E3737520
Source: ZunmmW7pe5.exe Virustotal: Detection: 79%
Source: ZunmmW7pe5.exe Metadefender: Detection: 27%
Source: ZunmmW7pe5.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3711660 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,FindCloseChangeNotification, 0_2_00007FF7E3711660
Source: unknown Process created: C:\Users\user\Desktop\ZunmmW7pe5.exe "C:\Users\user\Desktop\ZunmmW7pe5.exe"
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:304:WilStaging_02
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Mutant created: \Sessions\1\BaseNamedObjects\asfgjkl878645165456fa888
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:304:WilStaging_02
Source: classification engine Classification label: mal100.rans.winEXE@7/291@0/0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File read: C:\Users\user\Desktop\desktop.ini
Source: ZunmmW7pe5.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ZunmmW7pe5.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3711310 LoadLibraryA,GetProcAddress,ShellExecuteW,LoadLibraryA,GetProcAddress, 0_2_00007FF7E3711310
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File deleted: c:\users\user\desktop\zunmmw7pe5.exe
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Key value created or modified: HKEY_CURRENT_USER\Software RookPrivateKey
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3713970 GetProcessHeap,GetCommandLineW,CommandLineToArgvW,SetProcessShutdownParameters,RtlInitializeCriticalSection,CreateFileW,SHEmptyRecycleBinA,GetSystemInfo,RtlAllocateHeap,CreateSemaphoreA,CreateSemaphoreA,RtlInitializeCriticalSection,RtlAllocateHeap,CreateSemaphoreA,CreateSemaphoreA,RtlInitializeCriticalSection,RtlAllocateHeap,RtlAllocateHeap,CreateThread,CreateThread,lstrlenW,lstrlenW,RtlAllocateHeap,lstrcpyW,HeapFree,lstrlenW,lstrlenW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrlenW,HeapFree,lstrlenW,OpenMutexA,CreateMutexExA,GetLogicalDrives,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,WaitForMultipleObjects,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,WaitForMultipleObjects,CloseHandle,CloseHandle,HeapFree,HeapFree,RtlDeleteCriticalSection,CloseHandle,ExitProcess, 0_2_00007FF7E3713970
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3712C00 RtlAllocateHeap,lstrcpyW,lstrcatW,CreateFileW,lstrlen,WriteFile,CloseHandle,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege, 0_2_00007FF7E3712C00
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37130B0 WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,RtlAllocateHeap,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege, 0_2_00007FF7E37130B0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E374313C FindFirstFileExA, 0_2_00007FF7E374313C
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\3D Objects\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe File opened: C:\Documents and Settings\user\
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E37403F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7E37403F4
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E3711310 LoadLibraryA,GetProcAddress,ShellExecuteW,LoadLibraryA,GetProcAddress, 0_2_00007FF7E3711310
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E374AB44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7E374AB44
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E373B340 SetUnhandledExceptionFilter, 0_2_00007FF7E373B340
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E373B1A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7E373B1A0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E374A3F0 cpuid 0_2_00007FF7E374A3F0
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\ZunmmW7pe5.exe Code function: 0_2_00007FF7E373B08C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7E373B08C
No contacted IP infos