Edit tour

Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name:	vy3mvlAaCZ.exe
Analysis ID:	694561
MD5:	1873a210d41acdef243e921f3810803a
SHA1:	6fa90a229148759d12c63bee342e55fa887f6976
SHA256:	34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Machine Learning detection for sample

Found API chain indicative of sandbox detection

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

Process Tree

System is w10x64

vy3mvlAaCZ.exe (PID: 4876 cmdline: "C:\Users\user\Desktop\vy3mvlAaCZ.exe" MD5: 1873A210D41ACDEF243E921F3810803A)

WerFault.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
vy3mvlAaCZ.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10bb8:$x1: ReflectiveLoader 0x22a82:$x1: ReflectiveLoader
vy3mvlAaCZ.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x22246:$: DECRYPT.txt 0x22298:$: DECRYPT.txt
vy3mvlAaCZ.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
vy3mvlAaCZ.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
vy3mvlAaCZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x22a81:$s1: _ReflectiveLoader@ 0x22a82:$s2: ReflectiveLoader@
vy3mvlAaCZ.exe	Gandcrab	Gandcrab Payload	kevoreilly	0x21f18:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
vy3mvlAaCZ.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x17043:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x197a2:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x17dce:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x1a610:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x15ec0:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: vy3mvlAaCZ.exe PID: 4876	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: vy3mvlAaCZ.exe PID: 4876	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10032:$x1: ReflectiveLoader
0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf7f6:$: DECRYPT.txt 0xf848:$: DECRYPT.txt
0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10031:$s1: _ReflectiveLoader@ 0x10032:$s2: ReflectiveLoader@
0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf4c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10bb8:$x1: ReflectiveLoader 0x22a82:$x1: ReflectiveLoader
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x22246:$: DECRYPT.txt 0x22298:$: DECRYPT.txt
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x22a81:$s1: _ReflectiveLoader@ 0x22a82:$s2: ReflectiveLoader@
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x21f18:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x17043:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x197a2:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x17dce:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x1a610:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x15ec0:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10032:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf7f6:$: DECRYPT.txt 0xf848:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10031:$s1: _ReflectiveLoader@ 0x10032:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf4c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10032:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf7f6:$: DECRYPT.txt 0xf848:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10031:$s1: _ReflectiveLoader@ 0x10032:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf4c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1164250.5.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xe832:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1164250.5.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xdff6:$: DECRYPT.txt 0xe048:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10bb8:$x1: ReflectiveLoader 0x22a82:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x22246:$: DECRYPT.txt 0x22298:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1164250.5.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.5.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x22a81:$s1: _ReflectiveLoader@ 0x22a82:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x21f18:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x17043:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x197a2:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x17dce:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x1a610:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x15ec0:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1164250.5.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe831:$s1: _ReflectiveLoader@ 0xe832:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1164250.5.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xdcc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1164250.5.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x39f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6152:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x477e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x6fc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x2870:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1164250.1.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xe832:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1164250.1.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xdff6:$: DECRYPT.txt 0xe048:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1164250.1.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe831:$s1: _ReflectiveLoader@ 0xe832:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1164250.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xdcc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1164250.1.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x39f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6152:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x477e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x6fc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x2870:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.2.vy3mvlAaCZ.exe.1164250.1.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xe832:$x1: ReflectiveLoader
0.2.vy3mvlAaCZ.exe.1164250.1.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xdff6:$: DECRYPT.txt 0xe048:$: DECRYPT.txt
0.2.vy3mvlAaCZ.exe.1164250.1.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.2.vy3mvlAaCZ.exe.1164250.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.vy3mvlAaCZ.exe.1164250.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe831:$s1: _ReflectiveLoader@ 0xe832:$s2: ReflectiveLoader@
0.2.vy3mvlAaCZ.exe.1164250.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xdcc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.vy3mvlAaCZ.exe.1164250.1.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x39f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6152:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x477e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x6fc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x2870:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10bb8:$x1: ReflectiveLoader 0x22a82:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x22246:$: DECRYPT.txt 0x22298:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x22a81:$s1: _ReflectiveLoader@ 0x22a82:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x21f18:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x17043:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x197a2:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x17dce:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x1a610:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x15ec0:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1164250.3.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xe832:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1164250.3.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xdff6:$: DECRYPT.txt 0xe048:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1164250.3.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.3.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.3.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe831:$s1: _ReflectiveLoader@ 0xe832:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1164250.3.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xdcc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1164250.3.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x39f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6152:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x477e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x6fc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x2870:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10bb8:$x1: ReflectiveLoader 0x22a82:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x22246:$: DECRYPT.txt 0x22298:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x22a81:$s1: _ReflectiveLoader@ 0x22a82:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x21f18:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x17043:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x197a2:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x17dce:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x1a610:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x15ec0:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10032:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf7f6:$: DECRYPT.txt 0xf848:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10031:$s1: _ReflectiveLoader@ 0x10032:$s2: ReflectiveLoader@
0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf4c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 01 10 C7 44 24 1C 28 05 01 10 C7 44 24 20 44 05 01 10 C7 44 24 24 64 05 01 10 C7 44 24 28 80 05 01 10 C7 44 24 2C 9C 05 01 10 C7 44 24 30 B4 05 01 10 C7 44 24 34 C8 05 01 10 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 00 10 8B 1D 30 B1 00 10 85 C0 74 23 68 60 10 01 10 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 00 10 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 00 10 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 01 10 C7 45 B8 AC 14 01 10 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 00 10 6A 40 68 00 30 00 00 68 01 04 00 ...
Click to see the 79 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vy3mvlAaCZ.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: vy3mvlAaCZ.exe	Virustotal: Detection: 85%	Perma Link
Source: vy3mvlAaCZ.exe	Metadefender: Detection: 74%	Perma Link
Source: vy3mvlAaCZ.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Source: vy3mvlAaCZ.exe

Joe Sandbox ML: detected

Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2

Source: vy3mvlAaCZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: vy3mvlAaCZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Source: vy3mvlAaCZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_01151E5B
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_01158102
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_01157B90
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_011569EC
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_0115A84D
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_01158674
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_011598E1

Source: vy3mvlAaCZ.exe	Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe	Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe	ReversingLabs: Detection: 96%

Source: vy3mvlAaCZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4876

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.rans.evad.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: vy3mvlAaCZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_01152A35 push ecx; ret

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0115C790 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_01151E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

API coverage: 0.8 %

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_01154130 _memset,IsDebuggerPresent,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_01154E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0115C790 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_01152041 GetProcessHeap,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_01153387 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_011533B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0115D110 CreateWindowExW,GetWindowLongW,SetWindowLongW,DestroyWindow,DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,CreateWindowExW,GetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject,DestroyWindow,DestroyWindow,TerminateThread,DestroyWindow,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_01152D1C cpuid

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0115BA30 Sleep,Sleep,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetVersionExW,GetModuleHandleA,IsWow64Process,GetModuleHandleA,GetModuleHandleA,RegisterClassExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateThread,Sleep,TerminateThread,Sleep,keybd_event,keybd_event,keybd_event,

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_01152881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Software Packing	LSASS Memory	14 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vy3mvlAaCZ.exe	86%	Virustotal		Browse
vy3mvlAaCZ.exe	74%	Metadefender		Browse
vy3mvlAaCZ.exe	96%	ReversingLabs	Win32.Ransomware.GandCrab
vy3mvlAaCZ.exe	100%	Avira	TR/Crypt.EPACK.Gen2
vy3mvlAaCZ.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.vy3mvlAaCZ.exe.1150000.4.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
0.0.vy3mvlAaCZ.exe.1150000.2.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
0.2.vy3mvlAaCZ.exe.1150000.0.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
0.0.vy3mvlAaCZ.exe.1150000.0.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694561
Start date and time:	2022-08-31 23:50:59 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	vy3mvlAaCZ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.rans.evad.winEXE@2/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.7% (good quality ratio 91.9%) Quality average: 80.3% Quality standard deviation: 30.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): fs.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
23:52:00	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vy3mvlAaCZ.exe_6074d93d852c1785169ec71e797e6a243c122_d0e789f3_15f13808\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6759231119557786
Encrypted:	false
SSDEEP:	96:/0FQKV2fhs1Dg3fDUpXIQcQvc6QcEDMcw3Db+HbHg/8BRTf3OyWZAXGng5FMTPSq:MuKVBHBUZMXYjuq/u7sZS274Itw
MD5:	28BF6D543B57771FB7E9720452B16D63
SHA1:	88E38F939B51683EC4FF3E6FF306049ACD4EA26A
SHA-256:	E2B4CF0953B50650AA791849B329648226AB7EA8A25BB0CB27C2FB4A44669B6E
SHA-512:	467EAE0526964E209D78ACD54E4CE5BD485695D0AE7FC7D147F5BD609D423E369F898750EE193EFCAE8839D137D610A36E9F9C7A059CBB97A7B2598B4ECEEF2C
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.8.8.7.1.7.4.4.8.8.0.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.6.4.8.8.7.1.8.6.5.1.9.2.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.2.1.7.6.2.7.-.b.7.7.3.-.4.d.a.3.-.a.c.1.9.-.b.5.d.2.b.e.6.3.f.6.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.0.c.0.2.7.b.-.7.c.6.f.-.4.e.9.e.-.b.9.c.f.-.3.5.6.4.e.d.3.1.8.6.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.y.3.m.v.l.A.a.C.Z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.0.c.-.0.0.0.1.-.0.0.1.a.-.8.7.4.8.-.a.3.5.2.c.f.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.9.1.d.d.a.7.1.0.3.b.9.8.a.3.c.9.4.4.5.a.1.1.3.8.3.7.c.b.f.e.9.0.0.0.0.f.f.f.f.!.0.0.0.0.6.f.a.9.0.a.2.2.9.1.4.8.7.5.9.d.1.2.c.6.3.b.e.e.3.4.2.e.5.5.f.a.8.8.7.f.6.9.7.6.!.v.y.3.m.v.l.A.a.C.Z...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Sep 1 06:51:57 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	33352
Entropy (8bit):	1.9834403820735447
Encrypted:	false
SSDEEP:	96:5y8b8M/8BXAHF8i7oFRz62llKlyhMD+TD7mD8I8oiq0e8pDmTDyJAZzmxWXpWIR6:zL8BQGOXClBhMD+TI8JO+0yxxewj
MD5:	6BF66556EA40E861750946DA1CA17EB9
SHA1:	770F57565404663EDBAF1FE61B5D7CBF49574CAE
SHA-256:	93D723C9C87E976AE4CCF71B747E3AEB70E1396562107F209836BCA7A480D34D
SHA-512:	C3B3A49007FB67B995D5614B2BBC4EE1A72E037DADD64AE7815F4779FF2998B4418F2DB9208B8BB1FBEE1397F12053C0338A7FD715027E820E74DD98002DE7C6
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........V.c....................................................T.......8...........T...............8x...........................................................................................U...........B......4.......GenuineIntelW...........T............V.c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EB2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.6997139229664695
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiuR6LzgMip6Yq8SUlF0SgmfgdSpCprY89b3asf5vdm:RrlsNiY64Mip6YRSUlbgmfgdSU35f54
MD5:	D0A35EB49E1E47EF725FCD5BCE3EFD35
SHA1:	848EB410587D787F568FC2092F38C75CC6E114F3
SHA-256:	8C32A9103D20BEED8D5A75F215116475954AFBFFB4004978CB1B99ED9D545CBF
SHA-512:	3CE994183DCCD10CC7C9CE33891B693013FE968457D0A52697EE8A3846A08B8A58675261A812C7A67B89F59D105B08B4C7D39E74FD78A72429F91CC6AC0942C9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER300B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4563
Entropy (8bit):	4.44811839040715
Encrypted:	false
SSDEEP:	48:cvIwSD8zs4tJgtWI97zWgc8sqYjC8fm8M4JNWF9+q8Fk0xEATULzd:uITf4H0CgrsqY7JIIOATULzd
MD5:	2EA7B6A30F53398926F2F0EAEAB296DF
SHA1:	853253305B9A5189B4A441BF37AF50A123ED331A
SHA-256:	DF785D764208294D94E6DB8588A742D4E3A8E3B003C53E947A02D910EF71ED07
SHA-512:	B89BB9F629560E08E3A081A17D39A046FD351E769EFC5C9F6834029D64A98A11611B976254D61AF5B882A0F32FCDBF0EAA5FE780EF1C70E91834B0D88C14E802
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672802" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.497360445509992
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vy3mvlAaCZ.exe
File size:	159232
MD5:	1873a210d41acdef243e921f3810803a
SHA1:	6fa90a229148759d12c63bee342e55fa887f6976
SHA256:	34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
SHA512:	2a45638cc994e6e3af3fe3f7ec153235591c5e07893665485a0e564aefce1f9a8d8da9146b1d7eeab45c09f3fb4afa56107467013fe4e490800546827af96676
SSDEEP:	3072:l5K/B0toL6SNJmlZHQsozTS+SMqqDL2/TrKdcG:lcytw/u1yTS+xqqDL6HKL
TLSH:	EAF38C1971D1A0B2E4F30976D5B8AF12446DFC111BB07CDB72E61A9E19320E3AE39B53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..{...(...(...(...(...(..?(...(T.?(...(T..(...(T.>(w..(..M(...(...(...(..:(...(...(...(Rich...(........................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x401612
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5AF0C742 [Mon May 7 21:38:10 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	7848011b763d00cd02658995847dd30b

Entrypoint Preview

Instruction
call 00007FC54071774Fh
jmp 00007FC540716360h
cmp ecx, dword ptr [00413050h]
jne 00007FC5407164E4h
rep ret
jmp 00007FC540717ADBh
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+08h]
mov eax, dword ptr [esp+04h]
push edi
push ebx
push esi
cmp dword ptr [00427E00h], 01h
jc 00007FC5407166B4h
ja 00007FC5407165E3h
movzx edx, byte ptr [ecx]
mov ebx, edx
shl edx, 08h
or edx, ebx
je 00007FC5407165CFh
movd xmm3, edx
pshuflw xmm3, xmm3, 00h
movlhps xmm3, xmm3
pxor xmm0, xmm0
mov esi, ecx
or edi, FFFFFFFFh
movzx ebx, byte ptr [ecx]
add ecx, 01h
test ebx, ebx
je 00007FC5407164FFh
test ecx, 0000000Fh
jne 00007FC5407164D0h
movdqa xmm2, dqword ptr [ecx]
pcmpeqb xmm2, xmm0
pmovmskb ebx, xmm2
test ebx, ebx
jne 00007FC5407164E7h
mov edi, 0000000Fh
movd edx, xmm3
mov ebx, 00000FFFh
and ebx, eax
cmp ebx, 00000FF0h
jnbe 00007FC540716509h
movdqu xmm1, dqword ptr [eax]
pxor xmm2, xmm2
pcmpeqb xmm2, xmm1
pcmpeqb xmm1, xmm3
por xmm1, xmm2
pmovmskb ebx, xmm1
add eax, 10h
test ebx, ebx
je 00007FC5407164B4h
bsf ebx, ebx
sub eax, 10h
add eax, ebx
movzx ebx, byte ptr [eax]
test ebx, ebx

Rich Headers

Programming Language:

[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12164	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0x1120	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11df8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc9c7	0xca00	False	0.5717435024752475	data	6.680188843446378	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x49d4	0x4a00	False	0.4021853885135135	data	4.712898301860252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x13000	0x161c4	0x14400	False	0.47274064429012347	data	6.3863967246134115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2a000	0x1120	0x1200	False	0.7840711805555556	data	6.544131886571421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetCurrentProcess, WaitForSingleObject, OpenProcess, Sleep, GetModuleFileNameW, CreateFileW, ExitThread, GetLastError, GetProcAddress, ExitProcess, GetModuleHandleA, CloseHandle, GetCurrentProcessId, GetVersionExW, LoadLibraryA, lstrlenW, TerminateThread, CreateThread, WriteConsoleW, SetFilePointerEx, VirtualProtect, IsWow64Process, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetCommandLineA, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsDebuggerPresent, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, LoadLibraryExW, OutputDebugStringW, HeapAlloc, HeapReAlloc, GetStringTypeW, HeapSize, LCMapStringW
USER32.dll	SetFocus, SendMessageW, CharUpperBuffW, GetForegroundWindow, GetSystemMetrics, GetMessageW, TranslateMessage, DispatchMessageW, SetForegroundWindow, DefWindowProcW, RegisterClassExW, CreateWindowExW, DestroyWindow, ShowWindow, keybd_event, UpdateWindow, SetWindowTextW, GetWindowLongW, SetWindowLongW, SystemParametersInfoW, GetAncestor
ntdll.dll	RtlUnwind

Target ID:	0
Start time:	23:51:55
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\vy3mvlAaCZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vy3mvlAaCZ.exe"
Imagebase:	0x1150000
File size:	159232 bytes
MD5 hash:	1873A210D41ACDEF243E921F3810803A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: WerFault.exePID: 5556, Parent PID: 4876

General

Target ID:	2
Start time:	23:51:56
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
Imagebase:	0xde0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vy3mvlAaCZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vy3mvlAaCZ.exe_6074d93d852c1785169ec71e797e6a243c122_d0e789f3_15f13808\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EB2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER300B.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: vy3mvlAaCZ.exePID: 4876, Parent PID: 5488

General

Analysis Process: WerFault.exePID: 5556, Parent PID: 4876

General

Disassembly

Windows Analysis Report
vy3mvlAaCZ.exe