1.exe
This report was generated from a file or URL submitted to this webservice on April 1st 2017 00:47:18 (UTC), using the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Ransomware: Detected indicator that file is ransomware
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (4)

External Systems
Sample was identified as malicious by a large number of Antivirus engines
- details: 30/61 Antivirus vendors marked sample as malicious (49% detection rate)
- source: External System
- relevance: 10/10
Sample was identified as malicious by at least one Antivirus engine
- details: 30/61 Antivirus vendors marked sample as malicious (49% detection rate)
- source: External System
- relevance: 8/10

General
The analysis spawned a process that was identified as malicious
- details: 30/61 Antivirus vendors marked spawned process "<Input Sample>" (PID: 3884) as malicious (classified as "Trojan.Generic" with 49% detection rate)
- source: Monitored Target
- relevance: 10/10

Hiding 1 Malicious Indicators

Suspicious Indicators (9)

Anti-Detection/Stealthiness
Queries kernel debugger information
- details: "<Input Sample>" at 00060564-00003884-00000105-140827902
- source: API Call
- relevance: 6/10

Environment Awareness
Reads the active computer name
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
Reads the cryptographic machine GUID
- details: "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

Installation/Persistence
Monitors specific registry key for changes
- details:
  "<Input Sample>" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
  "<Input Sample>" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
- source: API Call
- relevance: 4/10

Network Related
Found potential IP address in binary/memory
- details: Heuristic match: "ActivePython 2.7.2.5 (ActiveState Software Inc.) based on"
- source: File/Memory
- relevance: 3/10

Ransomware/Banking
Detected indicator that file is ransomware
- details:
  "! ! ! W AR N I N G ! ! !
  All your files are encrypted by s" (Source: 5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe.bin, Indicator: "files are encrypted")
- source: File/Memory
- relevance: 7/10

Unusual Characteristics
CRC value set in PE header does not match actual value
- details: "5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe.bin" claimed CRC 78644 while the actual is CRC 6300103
- source: Static Parser
- relevance: 10/10
Imports suspicious APIs
- details:
  IsDebuggerPresent
  GetTickCount
  VirtualProtect
  GetModuleFileNameA
  LoadLibraryA
  LockResource
  UnhandledExceptionFilter
  GetProcAddress
  MapViewOfFile
  GetModuleHandleA
  GetStartupInfoA
  CreateFileMappingA
  OutputDebugStringA
  TerminateProcess
  Sleep
  CreateFileA
  FindResourceA
  VirtualAlloc
  GetFileSize
- source: Static Parser
- relevance: 1/10
Reads information about supported languages
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Informative (10)

Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from 5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe (PID: 3884)
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness
Queries volume information
- details: "<Input Sample>" queries volume information of "C:\5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe.log" at 00060564-00003884-0000010C-141512718
- source: API Call
- relevance: 2/10

General
Contains PDB pathways
- details: "F:\as\apy-trunk\build\py2_7_2-win32-x86-apy27-rrun\python\PCbuild\python27.pdb"
- source: File/Memory
- relevance: 1/10
Creates mutants
- details:
  "\Sessions\1\BaseNamedObjects\DBWinMutex"
  "DBWinMutex"
- source: Created Mutant
- relevance: 3/10

Installation/Persistence
Connects to LPC ports
- details: "<Input Sample>" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10
Dropped files
- details: "5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe.log" has type "ASCII text with CRLF line terminators"
- source: Binary File
- relevance: 3/10
Touches files in the Windows directory
- details:
  "<Input Sample>" touched file "%WINDIR%\system32\tzres.dll"
  "<Input Sample>" touched file "%WINDIR%\system32\en-US\tzres.dll.mui"
  "<Input Sample>" touched file "%WINDIR%\system32\rsaenh.dll"
  "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
  "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
- source: API Call
- relevance: 7/10

Network Related
Found potential URL in binary/memory
- details:
  Heuristic match: "parser.st"
  Heuristic match: "command.com"
  Heuristic match: "__init__.py"
  Pattern match: "aEa6a2a.aFa/aOa"
  Heuristic match: "x.__delattr__('name') <==> del x.name"
  Heuristic match: "x.__getattribute__('name') <==> x.name"
  Pattern match: "http://www.python.org/peps/pep-0263.html"
  Heuristic match: "lib\os.py"
  Heuristic match: "Not importing directory '%.*s': missing __init__.py"
  Heuristic match: "/__init__.py"
  Pattern match: "myimport.zip/mydirectory"
  Pattern match: "https://www.lilywho.ie/js/xaxep/s"
- source: File/Memory
- relevance: 10/10

System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "<Input Sample>" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10

Unusual Characteristics
Matched Compiler/Packer signature
- details: "5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe.bin" was detected as "Visual C++ 2005 Release -> Microsoft"
- source: Static Parser
- relevance: 10/10

File Details
- Filename: 1.exe
- Size: 6MiB (6293969 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c
- MD5: 22b66d1928db181ac6e6d6af7ea6bd8f
- SHA1: ba83f37d0b7973d023b0f20ea2b334695963c1bc
- ssdeep: 98304:gKArHESq9v29PYHOwMbX9hVXm9iQue2c31tr8uPb6AY0eMP+Ibt2CTkCqn:gJHELv2RxJWYQscF18u2qZbPTgn
- imphash: 7af2fe87a3ab930007d141d21c36ceda
- authentihash: b5af1a2f80db3ab03cad80c270b490eb319bf7a1c12da40f9d402b54fed6cfc0
- Compiler/Packer: Visual C++ 2005 Release -> Microsoft
- PDB Pathway
Classification (TrID)
- 53.7% (.PYD) Python Dynamic module
- 21.8% (.EXE) Win32 EXE PECompact compressed (generic)
- 16.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 3.4% (.DLL) Win32 Dynamic Link Library (generic)
- 2.3% (.EXE) Win32 Executable (generic)

Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- Input Sample (PID: 3884) 30/61

Network Analysis
- DNS Requests: No relevant DNS requests were made.
- Contacted Hosts: No relevant hosts were contacted.
- HTTP Traffic: No relevant HTTP requests were made.

Extracted Files
Informative (1)
5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe.log
- Size: 137B (137 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: 5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c.exe (PID: 3884)
- MD5: bd8dc75ce43e08857d6091b5fb35c15d
- SHA1: 4106b18b66b15aaf867b63402aebeb4c535ab8fe
- SHA256: 7e1297245c34f8fc645d07cc5080e29f33e8d96f2d492e7fc8a8a09f1dc437f5