Windows Analysis Report
wThN5MTIsw.exe

Overview

General Information

Sample Name: wThN5MTIsw.exe
Analysis ID: 694565
MD5: 1813521f3884de8427728b54b5c9a391
SHA1: 874f4efd9b2ba64fa3bcb6ae87b116bd526b85c3
SHA256: 4e705159b6c3a72b2b160486b9d582f05e34cd89a767428ef47ff6562b39619e
Tags: exe, GandCrab

Detection

Gandcrab, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Found Tor onion address
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • wThN5MTIsw.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\wThN5MTIsw.exe" MD5: 1813521F3884DE8427728B54B5C9A391)
  • ssapst.exe (PID: 6592 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 5668 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 4292 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 1416 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 3588 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 3248 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 6228 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 7108 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 204 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 4804 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 5952 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 1784 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 5076 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 5700 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • ssapst.exe (PID: 972 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)
  • cleanup
No configs have been found
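The process tree above shows the submitted sample followed by 20 launches of a dropped copy at C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, and the dropped copy's MD5 (C99BAB5FEA91C0938D1D5B6684158B24) is not the submitted file's MD5 (1813521F3884DE8427728B54B5C9A391). The following is an added example, not Joe Sandbox output: detection checks run over constructed Sysmon Event ID 1 style process-creation records (field names UtcTime, Image, Hashes are an assumption about the log format; the timestamps and the benign notepad.exe event are invented; the paths and MD5s are the ones in the report). It flags a top-level executable under %APPDATA%\Microsoft, a burst of launches of one image regardless of PID, and shows why a hash blocklist built only from the submitted sample misses the persistent copy.

```python
"""Detection checks for the behaviour in the process tree above.

Added example, not Joe Sandbox output. EVENTS is constructed from the image
paths and MD5s the report lists; the timestamps are invented, and the field
names (UtcTime, Image, Hashes) assume Sysmon Event ID 1 style records.
Thresholds are illustrative.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

SAMPLE_MD5 = "1813521F3884DE8427728B54B5C9A391"   # submitted wThN5MTIsw.exe
DROPPED_MD5 = "C99BAB5FEA91C0938D1D5B6684158B24"  # dropped ssapst.exe (different hash)

# Heuristic (assumption): a *.exe sitting directly under %APPDATA%\Microsoft is
# unusual for legitimate software, but it is exactly where the report shows
# the persistent copy being written.
APPDATA_MS_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\[^\\]+\.exe$",
    re.IGNORECASE,
)

T0 = datetime(2022, 1, 1, 12, 0, 0)  # constructed base time, not from the report
EVENTS = (
    [{"UtcTime": T0,
      "Image": r"C:\Users\user\Desktop\wThN5MTIsw.exe",
      "Hashes": f"MD5={SAMPLE_MD5}"}]
    # the report lists 20 launches of the dropped binary under different PIDs
    + [{"UtcTime": T0 + timedelta(seconds=3 * i),
        "Image": r"C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe",
        "Hashes": f"MD5={DROPPED_MD5}"} for i in range(1, 21)]
    # constructed benign noise so the checks have something to ignore
    + [{"UtcTime": T0 + timedelta(minutes=5),
        "Image": r"C:\Windows\System32\notepad.exe",
        "Hashes": "MD5=" + "0" * 32}]
)


def is_appdata_microsoft_exe(image: str) -> bool:
    """True for a top-level executable directly under %APPDATA%\\Microsoft."""
    return bool(APPDATA_MS_EXE.match(image))


def burst_launches(events, threshold: int = 5,
                   window: timedelta = timedelta(seconds=60)) -> dict[str, int]:
    """Images started at least `threshold` times within any `window`.

    Sliding window over sorted start times per image. PIDs play no role,
    which matters because the tree shows one binary under 20 different PIDs.
    Returns {lower-cased image path: peak launches inside one window}.
    """
    by_image: dict[str, list[datetime]] = {}
    for e in events:
        by_image.setdefault(e["Image"].lower(), []).append(e["UtcTime"])
    flagged: dict[str, int] = {}
    for image, times in by_image.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[image] = peak
    return flagged


def md5_of(event) -> str:
    """Pull MD5 out of a Sysmon-style 'MD5=...,SHA256=...' Hashes field."""
    fields = dict(kv.split("=", 1) for kv in event["Hashes"].split(","))
    return fields.get("MD5", "").lower()


def uncovered_by_blocklist(events, blocklist_md5) -> list[str]:
    """Image paths whose MD5 is absent from the blocklist.

    The submitted sample and the dropped ssapst.exe carry different MD5s in
    the report, so blocking only the submitted hash leaves the copy that
    actually persists uncovered.
    """
    blocked = {h.lower() for h in blocklist_md5}
    seen = {e["Image"]: md5_of(e) for e in events}
    return sorted(img for img, md5 in seen.items() if md5 not in blocked)


if __name__ == "__main__":
    for image, n in burst_launches(EVENTS).items():
        print(f"burst: {n} launches of {image}")
    for image in sorted({e["Image"] for e in EVENTS}):
        if is_appdata_microsoft_exe(image):
            print(f"executable in user-writable %APPDATA%\\Microsoft: {image}")
    print("not covered by the submitted-sample hash alone:",
          uncovered_by_blocklist(EVENTS, [SAMPLE_MD5]))
```

Pivoting on the path and the launch pattern rather than the file hash is the point: both MD5s from the report belong on the blocklist, and the path heuristic catches the next rebuild of the dropper whose hash nobody has yet.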
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
wThN5MTIsw.exe | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xef92:$x1: ReflectiveLoader
wThN5MTIsw.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xe8fe:$: DECRYPT.txt
  • 0xe964:$: DECRYPT.txt
wThN5MTIsw.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
wThN5MTIsw.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xef91:$s1: _ReflectiveLoader@
  • 0xef92:$s2: ReflectiveLoader@
wThN5MTIsw.exe | Gandcrab | Gandcrab Payload | kevoreilly
  • 0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
(1 additional entry not shown)
Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xe8fe:$: DECRYPT.txt
  • 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xef91:$s1: _ReflectiveLoader@
  • 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | Gandcrab | Gandcrab Payload | kevoreilly
  • 0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
(1 additional entry not shown)
Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000008.00000002.421043250.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xef92:$x1: ReflectiveLoader
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xe8fe:$: DECRYPT.txt
  • 0xe964:$: DECRYPT.txt
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
(199 additional entries not shown)
Unpacked PEs

Source | Rule | Description | Author | Strings
34.3.ssapst.exe.32a0000.0.unpack | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xd992:$x1: ReflectiveLoader
34.3.ssapst.exe.32a0000.0.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xd2fe:$: DECRYPT.txt
  • 0xd364:$: DECRYPT.txt
34.3.ssapst.exe.32a0000.0.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
34.3.ssapst.exe.32a0000.0.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xd991:$s1: _ReflectiveLoader@
  • 0xd992:$s2: ReflectiveLoader@
34.3.ssapst.exe.32a0000.0.unpack | Gandcrab | Gandcrab Payload | kevoreilly
  • 0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
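Two things are worth reading out of the Yara tables above. First, the submitted file, the dropped ssapst.exe and the 0x38C0000 memory dump all report identical string offsets (0xef92, 0xe8fe, 0xe964, 0xe5c8), so the dropped copy has the same layout as the original even though its MD5 differs; the unpacked PE (34.3.ssapst.exe.32a0000.0.unpack) reports every offset exactly 0x1600 lower, consistent with an in-memory section layout rather than a different payload. Second, the three ReflectiveLoader-named rules fire on one artifact: "_ReflectiveLoader@" at N contains "ReflectiveLoader@" and "ReflectiveLoader" at N+1, which is why the hits sit one byte apart. The following is an added example, not part of the report: a pure-Python scanner that reproduces the report's "0xOFF:$id: string" notation for the listed indicator strings, groups hits that share bytes so the count of independent indicators is honest, and emits a minimal YARA rule for a real engine. SAMPLE is a constructed buffer that merely contains the indicator strings (it is not the GandCrab binary, so its offsets differ from the report's), and the "any string matches" condition is an approximation because the report shows which strings hit, not the rules' real conditions.

```python
"""Re-derive the Yara string hits listed above without a YARA engine.

Added example, not part of the report. SAMPLE is a constructed buffer that
contains the indicator strings the tables show; it is not the GandCrab
binary, so the offsets it yields differ from 0xef92 and friends. The match
condition is an 'any of the strings' approximation: the report shows which
strings hit, not the rules' real conditions.
"""
from __future__ import annotations

# rule name -> {string identifier -> bytes}, exactly as listed in the tables
INDICATORS: dict[str, dict[str, bytes]] = {
    "ReflectiveLoader": {"$x1": b"ReflectiveLoader"},
    "INDICATOR_SUSPICIOUS_ReflectiveLoader": {
        "$s1": b"_ReflectiveLoader@",
        "$s2": b"ReflectiveLoader@",
    },
    "SUSP_RANSOMWARE_Indicator_Jul20": {"$": b"DECRYPT.txt"},
    "Gandcrab": {
        "$string3": b"action=result&e_files=%d&e_size=%I64u&e_time=%d&",
    },
}

# Constructed layout: a stub header, the decorated export name as a C string,
# the ransom-note filename twice (the report shows two DECRYPT.txt hits), and
# the C2 report format string.
SAMPLE = (
    b"MZ" + b"\x00" * 0x100
    + b"_ReflectiveLoader@\x00" + b"\x00" * 0x10
    + b"DECRYPT.txt\x00" + b"\x00" * 0x10
    + b"DECRYPT.txt\x00" + b"\x00" * 0x20
    + b"action=result&e_files=%d&e_size=%I64u&e_time=%d&\x00"
)


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in data, overlapping matches included."""
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan(data: bytes, rules=INDICATORS) -> dict[str, list[str]]:
    """{rule: ['0xOFF:$id: text', ...]} in the notation the report uses.

    Only rules with at least one hit are returned; hits are sorted by offset.
    """
    report: dict[str, list[str]] = {}
    for rule, strings in rules.items():
        hits = [(off, f"0x{off:x}:{ident}: {needle.decode()}")
                for ident, needle in strings.items()
                for off in find_all(data, needle)]
        if hits:
            report[rule] = [line for _, line in sorted(hits)]
    return report


def offset(line: str) -> int:
    """Offset of a '0xOFF:$id: text' hit line."""
    return int(line.split(":", 1)[0], 16)


def collapse(report: dict[str, list[str]], span: int = 4) -> list[tuple[int, list[str]]]:
    """Group hit lines from all rules whose offsets lie within `span` bytes.

    Overlapping hits on one export name ('_ReflectiveLoader@' at N,
    'ReflectiveLoader@' and 'ReflectiveLoader' at N+1) end up in one group,
    so the result counts independent indicators rather than rule firings.
    """
    lines = sorted({l for ls in report.values() for l in ls},
                   key=lambda l: (offset(l), l))
    groups: list[tuple[int, list[str]]] = []
    for line in lines:
        if groups and offset(line) - groups[-1][0] <= span:
            groups[-1][1].append(line)
        else:
            groups.append((offset(line), [line]))
    return groups


def to_yara(name: str, strings: dict[str, bytes], condition: str = "any of them") -> str:
    """Emit a minimal YARA rule from a string set, for hunting with a real engine.

    '$' alone is a YARA anonymous string, which is what the report's '$:' rows are.
    """
    def quoted(b: bytes) -> str:
        return '"' + b.decode().replace("\\", "\\\\").replace('"', '\\"') + '"'
    body = "\n".join(f"        {ident} = {quoted(s)}" for ident, s in strings.items())
    return f"rule {name}\n{{\n    strings:\n{body}\n    condition:\n        {condition}\n}}\n"


if __name__ == "__main__":
    result = scan(SAMPLE)
    for rule, lines in result.items():
        print(rule)
        for line in lines:
            print("  •", line)
    print(f"{len(collapse(result))} independent indicator locations")
    print(to_yara("Gandcrab_strings", INDICATORS["Gandcrab"]))
```

Running the scanner over the real sample would reproduce the offsets in the tables for the on-disk files; running it over a memory image shifts every offset by the same delta, which is the quick sanity check that a dump and a file are the same payload laid out differently.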