Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name: vy3mvlAaCZ.exe
Analysis ID: 694561
MD5: 1873a210d41acdef243e921f3810803a
SHA1: 6fa90a229148759d12c63bee342e55fa887f6976
SHA256: 34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags: exe

Detection

Gandcrab, ReflectiveLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Machine Learning detection for sample
Found API chain indicative of sandbox detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

AV Detection

Source: vy3mvlAaCZ.exe Avira: detected
Source: vy3mvlAaCZ.exe Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe ReversingLabs: Detection: 96%
Source: vy3mvlAaCZ.exe Joe Sandbox ML: detected
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: vy3mvlAaCZ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vy3mvlAaCZ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match File source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR

System Summary

Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: vy3mvlAaCZ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: vy3mvlAaCZ.exe, type: SAMPLE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01151E5B 0_2_01151E5B
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01158102 0_2_01158102
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01157B90 0_2_01157B90
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_011569EC 0_2_011569EC
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_0115A84D 0_2_0115A84D
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01158674 0_2_01158674
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_011598E1 0_2_011598E1
Source: vy3mvlAaCZ.exe Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe ReversingLabs: Detection: 96%
Source: vy3mvlAaCZ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4876
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmp
Source: classification engine Classification label: mal88.rans.evad.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: vy3mvlAaCZ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match File source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01152A35 push ecx; ret 0_2_01152A48
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_0115C790 LoadLibraryA,GetProcAddress, 0_2_0115C790
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01151E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01151E5B
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01154130 _memset,IsDebuggerPresent, 0_2_01154130
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01154E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_01154E1A
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_0115C790 LoadLibraryA,GetProcAddress, 0_2_0115C790
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01152041 GetProcessHeap, 0_2_01152041
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01153387 SetUnhandledExceptionFilter, 0_2_01153387
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_011533B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_011533B8
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_0115D110 CreateWindowExW,GetWindowLongW,SetWindowLongW,DestroyWindow,DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,CreateWindowExW,GetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject,DestroyWindow,DestroyWindow,TerminateThread,DestroyWindow, 0_2_0115D110
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01152D1C cpuid 0_2_01152D1C
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_0115BA30 Sleep,Sleep,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetVersionExW,GetModuleHandleA,IsWow64Process,GetModuleHandleA,GetModuleHandleA,RegisterClassExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateThread,Sleep,TerminateThread,Sleep,keybd_event,keybd_event,keybd_event, 0_2_0115BA30
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe Code function: 0_2_01152881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_01152881