Windows Analysis Report
THN6clTA6P.exe

Overview

General Information

Sample Name: THN6clTA6P.exe
Analysis ID: 694554
MD5: 3983f0ebeec88b8005724a203ae27180
SHA1: 9f34d48eae30b6da0a5c5297a873f989a49e10e8
SHA256: ed492db95034ca288dd52df88e3ce3ec7b146ffd854a394ac187f0553ef966d9

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Machine Learning detection for sample
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file name is different from the original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Contains functionality to query network adapter information

Classification

AV Detection

Source: THN6clTA6P.exe Avira: detected
Source: THN6clTA6P.exe Virustotal: Detection: 88%
Source: THN6clTA6P.exe Metadefender: Detection: 89%
Source: THN6clTA6P.exe ReversingLabs: Detection: 100%
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ Avira URL Cloud: Label: malware
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com Avira URL Cloud: Label: malware
Source: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com Virustotal: Detection: 5%
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ Virustotal: Detection: 5%
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com Virustotal: Detection: 5%
Source: THN6clTA6P.exe Joe Sandbox ML: detected
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack Avira: Label: TR/Ransom.JB
Source: 1.2.THN6clTA6P.exe.400000.0.unpack Avira: Label: TR/Ransom.JB
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack Avira: Label: TR/Ransom.JB
Source: 1.0.THN6clTA6P.exe.400000.0.unpack Avira: Label: TR/Ransom.JB
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407660 rand,EnterCriticalSection,CryptGenRandom,LeaveCriticalSection, 1_2_00407660
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407620 CryptAcquireContextA,CryptAcquireContextA,InitializeCriticalSection, 1_2_00407620
Source: THN6clTA6P.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Wed, 31 Aug 2022 21:46:49 GMT
  Content-Type: text/html;charset=UTF-8
  Content-Length: 113
  Connection: keep-alive
  x-sinkhole: sinkhole@blacklistthisdomain.com
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BwAJjUBV7QoBfDcQC5xHuwWf6HaSer5urPutgRH%2BIhWdxjAnZxQhv3Lj7wdnu2PPlKacdGr9jV%2FTSwi3vI%2BYOhYgTU0rv1q0jFccnc7tRao14EgvdRHCOJyooOZRF5g5vft43xf7R9Y9%2BZ3RRpCsAmuUjh5Fhtj03GcJjYsFDcilY2Vk"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 7438f608df147765-LHR
  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 42 6c 61 63 6b 4c 69 73 74 54 68 69 73 44 6f 6d 61 69 6e 20 2d 20 53 69 6e 6b 68 6f 6c 65 3c 2f 68 31 3e 0a 20 20 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e
  Data Ascii: <!DOCTYPE html><body> <h1>BlackListThisDomain - Sinkhole</h1> <p>This domain has been sinkholed.</p></body>
Source: Traffic Snort IDS: 2024293 ET TROJAN Possible WannaCry DNS Lookup 2 192.168.2.3:60625 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 104.21.68.165:80 -> 192.168.2.3:49746
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Host: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  Cache-Control: no-cache
Source: THN6clTA6P.exe String found in binary or memory: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: unknown DNS traffic detected: queries for: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00406F50 GlobalAlloc,send,recv,htons,send,recv,GlobalFree, 1_2_00406F50

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: THN6clTA6P.exe, type: SAMPLE
Source: Yara match File source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.262463921.000000000040F000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: THN6clTA6P.exe PID: 2996, type: MEMORYSTR

System Summary

Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: THN6clTA6P.exe Binary or memory string: OriginalFilenamediskpart.exej% vs THN6clTA6P.exe
Source: THN6clTA6P.exe Binary or memory string: OriginalFilenamelhdfrgui.exej% vs THN6clTA6P.exe
Source: THN6clTA6P.exe Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: THN6clTA6P.exe Virustotal: Detection: 88%
Source: THN6clTA6P.exe Metadefender: Detection: 89%
Source: THN6clTA6P.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA, 1_2_00408090
Source: THN6clTA6P.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\THN6clTA6P.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 1_2_00407C40
Source: C:\Users\user\Desktop\THN6clTA6P.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA, 1_2_00407CE0
Source: THN6clTA6P.exe Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: classification engine Classification label: mal100.rans.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 1_2_00407C40
Source: C:\Users\user\Desktop\THN6clTA6P.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: THN6clTA6P.exe Static file information: File size 3723293 > 1048576
Source: THN6clTA6P.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00409860 push eax; ret 1_2_0040988E
Source: C:\Users\user\Desktop\THN6clTA6P.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\THN6clTA6P.exe API coverage: 9.3 %
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: GetAdaptersInfo,LocalAlloc,GetAdaptersInfo,LocalFree,inet_addr,inet_addr,inet_addr,htonl,htonl,htonl,htonl,GetPerAdapterInfo,LocalAlloc,GetPerAdapterInfo,inet_addr,htonl,htonl,htonl,htonl,LocalFree,LocalFree, 1_2_00409160
Source: C:\Users\user\Desktop\THN6clTA6P.exe API call chain: ExitProcess graph end node
Source: THN6clTA6P.exe, 00000001.00000002.266409095.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, THN6clTA6P.exe, 00000001.00000002.266400087.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW