
Windows Analysis Report
W445hIpF47.exe

Overview

General Information

Sample Name:W445hIpF47.exe
Analysis ID:694562
MD5:379af2536054073f63e7f45d80963bb4
SHA1:ca8717ffb9b80a979116ebbb676dfecd0ec73c8f
SHA256:15bfead5bee24b7c1d0104bb04e72bf5d735ee2a9416ba3ab43ecf296613b391
Tags:exe

Detection

Gandcrab, ReflectiveLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Found Tor onion address
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Contains functionality to enumerate device drivers
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • W445hIpF47.exe (PID: 4984 cmdline: "C:\Users\user\Desktop\W445hIpF47.exe" MD5: 379AF2536054073F63E7F45D80963BB4)
  • zrnips.exe (PID: 4940 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 4544 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 5896 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 5612 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 6132 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 5684 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 1792 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 4736 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 856 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 4888 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 5408 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • zrnips.exe (PID: 4724 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)
  • cleanup
No configs have been found
Yara matches: submitted sample

Source | Rule | Description | Author
W445hIpF47.exe | ReflectiveLoader | Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xef92:$x1: ReflectiveLoader
W445hIpF47.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xe8fe:$: DECRYPT.txt
  • 0xe964:$: DECRYPT.txt
W445hIpF47.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
W445hIpF47.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xef91:$s1: _ReflectiveLoader@
  • 0xef92:$s2: ReflectiveLoader@
W445hIpF47.exe | Gandcrab | Gandcrab Payload | kevoreilly
  • 0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
(1 further entry not shown here)
Yara matches: dropped file

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | ReflectiveLoader | Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xe8fe:$: DECRYPT.txt
  • 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xef91:$s1: _ReflectiveLoader@
  • 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | Gandcrab | Gandcrab Payload | kevoreilly
  • 0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
(1 further entry not shown here)
Yara matches: memory dumps

Source | Rule | Description | Author
0000000D.00000002.462969629.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000007.00000002.409239995.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000005.00000002.385384409.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000014.00000000.533542900.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000011.00000002.488096195.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
(125 further entries not shown here)
Yara matches: unpacked PE

Source | Rule | Description | Author
5.3.zrnips.exe.3960000.0.raw.unpack | ReflectiveLoader | Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xef92:$x1: ReflectiveLoader
5.3.zrnips.exe.3960000.0.raw.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xe8fe:$: DECRYPT.txt
  • 0xe964:$: DECRYPT.txt
5.3.zrnips.exe.3960000.0.raw.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
5.3.zrnips.exe.3960000.0.raw.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xef91:$s1: _ReflectiveLoader@
  • 0xef92:$s2: ReflectiveLoader@
5.3.zrnips.exe.3960000.0.raw.unpack | Gandcrab | Gandcrab Payload | kevoreilly
  • 0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
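Added example, not part of the Joe Sandbox report: a small Python triage script that reproduces two of the findings above offline. It scans a PE image for the indicator strings quoted in the Yara match tables (ReflectiveLoader, DECRYPT.txt, the Gandcrab action=result&... C2 format string) and reports their file offsets, and it recomputes the PE image checksum the way imagehlp's CheckSumMappedFile does to reproduce the "PE file contains an invalid checksum" signature. The 64 KiB PE32 stub built by build_sample() is constructed for this example with the report's strings placed at the report's offsets; it is not the analysed sample, and the function names are this example's own.

```python
"""Offline triage helper: Yara-style string hits and PE checksum validation."""
import struct

# Indicator strings taken from the report's Yara match tables (label -> bytes).
INDICATORS = {
    "ReflectiveLoader": b"ReflectiveLoader",
    "SUSP_RANSOMWARE_Indicator_Jul20": b"DECRYPT.txt",
    "Gandcrab$string3": b"action=result&e_files=%d&e_size=%I64u&e_time=%d&",
}


def scan_indicators(data: bytes) -> dict:
    """Return every file offset at which each indicator string occurs."""
    hits = {}
    for name, needle in INDICATORS.items():
        offsets, pos = [], data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        hits[name] = offsets
    return hits


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20 (COFF) + 64."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum: one's-complement sum of 32-bit words with the
    CheckSum field itself skipped, folded to 16 bits, plus the file length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    """The CheckSum value the linker (or packer) left in the optional header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_valid(data: bytes) -> bool:
    """False is what the "PE file contains an invalid checksum" signature keys on."""
    return stored_checksum(data) == pe_checksum(data)


def build_sample(checksum: int = 0) -> bytes:
    """Constructed 64 KiB PE32 stub (not the real sample) carrying the report's
    strings at the report's offsets; the CheckSum field defaults to 0."""
    img = bytearray(0x10000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)      # Machine=i386, 1 section
    struct.pack_into("<H", img, 0x94, 0xE0)           # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x98, 0x10B)          # Magic = PE32
    struct.pack_into("<I", img, 0x98 + 64, checksum)  # OptionalHeader.CheckSum
    for off, s in ((0xE5C8, INDICATORS["Gandcrab$string3"]),
                   (0xE8FE, b"DECRYPT.txt"), (0xE964, b"DECRYPT.txt"),
                   (0xEF91, b"_ReflectiveLoader@")):
        img[off:off + len(s)] = s
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    for name, offsets in scan_indicators(sample).items():
        print(name, [hex(o) for o in offsets])
    print("stored", hex(stored_checksum(sample)), "computed", hex(pe_checksum(sample)),
          "valid", checksum_valid(sample))
```

To run it against a real file, pass open(path, "rb").read() to scan_indicators() and checksum_valid(). Treat the checksum result as a weak signal on its own: a stored CheckSum of 0 is common for ordinary user-mode builds, since Windows only enforces it for drivers and boot-time images, so the mismatch matters here mainly because it coincides with the Yara hits and the dropped copy in AppData\Roaming\Microsoft.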