Edit tour

Windows Analysis Report
mPNVrHIpyt.exe

Overview

General Information

Sample Name:	mPNVrHIpyt.exe
Analysis ID:	694572
MD5:	cc7ae6e4c86f605aab66fbd04eef7997
SHA1:	8c7c23c91ccecf548c6f9df30b839b9b24d57095
SHA256:	95427e787bb623ba2d2ec51cb289ae579aea27a674d900f9aa239f6a034b05cc
Tags:	exeGandCrab
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

mPNVrHIpyt.exe (PID: 3592 cmdline: "C:\Users\user\Desktop\mPNVrHIpyt.exe" MD5: CC7AE6E4C86F605AAB66FBD04EEF7997)

wzltxa.exe (PID: 1276 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 1920 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 4616 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 6136 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 1356 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 2996 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 6016 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5520 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 2228 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 6128 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 2156 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5248 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 4920 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 1200 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

wzltxa.exe (PID: 5280 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" MD5: EAC223A7EC1CF2E33BE569DB14A87A63)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mPNVrHIpyt.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
mPNVrHIpyt.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
mPNVrHIpyt.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
mPNVrHIpyt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
mPNVrHIpyt.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
mPNVrHIpyt.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000000.523518226.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000B.00000000.302743243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000022.00000000.561698093.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000027.00000002.606192732.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000014.00000000.401188568.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000000.485070318.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000000.363985954.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000F.00000002.385026266.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.471324197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.264971762.000000000F69A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000002.357323149.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000014.00000002.405226267.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000022.00000002.565428063.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001B.00000000.467592821.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000028.00000000.597821532.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000021.00000000.547433699.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.449352573.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000012.00000000.383675616.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000016.00000000.422070871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000002.567428078.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdm

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
mPNVrHIpyt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mPNVrHIpyt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Windows Analysis Report
mPNVrHIpyt.exe