Loading ...

Play interactive tourEdit tour

Analysis Report tS9P6wPz9x

Overview

General Information

Sample Name:tS9P6wPz9x (renamed file extension from none to exe)
Analysis ID:353325
MD5:39d22b8f3da4a83cd957f324f2423309
SHA1:70baae39f80e8917a71353110bb85e797e23524a
SHA256:c8c169ad2628ff3860c4d0bd04afeb81262051f664f9d5a334c32c78e791a7f8

Most interesting Screenshot:

Detection

Sodinokibi
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Found Tor onion address
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification