Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
O8ZHhytWhn.exe

Overview

General Information

Sample Name:O8ZHhytWhn.exe
Analysis ID:694558
MD5:b39febf7440b58a6cd15ae9f01916f98
SHA1:66984e561fc5feead5ef9790f79bffd7778ac1e2
SHA256:9c689986ca8e0b4fd93657ad9ed5c37994ccf591c90d5fba85684f2d0f49e1b9
Tags:exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Performs many domain queries via nslookup
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Contains functionality to read the PEB
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • O8ZHhytWhn.exe (PID: 5900 cmdline: "C:\Users\user\Desktop\O8ZHhytWhn.exe" MD5: B39FEBF7440B58A6CD15AE9F01916F98)
    • nslookup.exe (PID: 3600 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5496 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 3220 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4404 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5224 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4508 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5732 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4540 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6132 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5896 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 1548 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5864 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 3840 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4412 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4928 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5972 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5164 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5644 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5860 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6052 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 540 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6072 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4324 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 1252 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
  • wjaoab.exe (PID: 5444 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe" MD5: A1E6F4D9E1AF5740E07B86A42C6C430B)
  • wjaoab.exe (PID: 2888 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe" MD5: A1E6F4D9E1AF5740E07B86A42C6C430B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
O8ZHhytWhn.exeReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
  • 0xed22:$x1: ReflectiveLoader
O8ZHhytWhn.exeSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
  • 0xe67e:$: DECRYPT.txt
  • 0xe6e4:$: DECRYPT.txt
O8ZHhytWhn.exeJoeSecurity_GandcrabYara detected GandcrabJoe Security
    O8ZHhytWhn.exeJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
      O8ZHhytWhn.exeINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
      • 0xed21:$s1: _ReflectiveLoader@
      • 0xed22:$s2: ReflectiveLoader@
      Click to see the 1 entries

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exeReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
      • 0xed22:$x1: ReflectiveLoader
      C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe