Edit tour
Windows
Analysis Report
ROh2ijuEpr.exe
Overview
General Information
| Sample name: | ROh2ijuEpr.exerenamed because original name is a hash value |
| Original sample name: | 7b54b8972d8f870cb5cf66a4f9a92c78b56395ac802fb3d4bf05b18bbab9d5a4.exe |
| Analysis ID: | 1569042 |
| MD5: | 37c4774a4906c4344c5f55d019033718 |
| SHA1: | 7a8603814259adfd4934ffdfde0a7fd78e1ac42c |
| SHA256: | 7b54b8972d8f870cb5cf66a4f9a92c78b56395ac802fb3d4bf05b18bbab9d5a4 |
| Tags: | exeuser-JAMESWT_MHT |
| Infos: |  |
 | |
Detection
Babuk, Conti
| Score: | 76 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Babuk Ransomware
Yara detected Conti ransomware
Yara detected Python Ransomware
AI detected suspicious sample
Deletes shadow drive data (may be related to ransomware)
Uses the Telegram API (likely for C&C communication)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SGDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
ROh2ijuEpr.exe (PID: 3684 cmdline: "C:\Users\ user\Deskt op\ROh2iju Epr.exe" MD5: 37C4774A4906C4344C5F55D019033718) 
conhost.exe (PID: 2916 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - ROh2ijuEpr.exe (PID: 6436 cmdline:
"C:\Users\ user\Deskt op\ROh2iju Epr.exe" MD5: 37C4774A4906C4344C5F55D019033718)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Babuk | Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Conti, Conti Lock | Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang. |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | ||
| JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security | ||
| JoeSecurity_PythonRansomware | Yara detected Python Ransomware | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 3_2_00007FFDFA8F2410 | |
| Source: | Code function: | 3_2_00007FFDFA8D23DD | |
| Source: | Code function: | 3_2_00007FFDFA8EE427 | |
| Source: | Code function: | 3_2_00007FFDFA8D198D | |
| Source: | Code function: | 3_2_00007FFDFA928390 | |
| Source: | Code function: | 3_2_00007FFDFA8E2360 | |
| Source: | Code function: | 3_2_00007FFDFA9343C0 | |
| Source: | Code function: | 3_2_00007FFDFA93A3D0 | |
| Source: | Code function: | 3_2_00007FFDFA8D1D93 | |
| Source: | Code function: | 3_2_00007FFDFA8D1361 | |
| Source: | Code function: | 3_2_00007FFDFA8D4100 | |
| Source: | Code function: | 3_2_00007FFDFA8D19DD | |
| Source: | Code function: | 3_2_00007FFDFA8D2527 | |
| Source: | Code function: | 3_2_00007FFDFA8EC080 | |
| Source: | Code function: | 3_2_00007FFDFA9280C0 | |
| Source: | Code function: | 3_2_00007FFDFA8DE0AD | |
| Source: | Code function: | 3_2_00007FFDFA8F20A0 | |
| Source: | Code function: | 3_2_00007FFDFA9300A0 | |
| Source: | Code function: | 3_2_00007FFDFA91E200 | |
| Source: | Code function: | 3_2_00007FFDFA8D1389 | |
| Source: | Code function: | 3_2_00007FFDFA8D1F55 | |
| Source: | Code function: | 3_2_00007FFDFA91E190 | |
| Source: | Code function: | 3_2_00007FFDFA8D15E6 | |
| Source: | Code function: | 3_2_00007FFDFA8D103C | |
| Source: | Code function: | 3_2_00007FFDFA91E700 | |
| Source: | Code function: | 3_2_00007FFDFA8D120D | |
| Source: | Code function: | 3_2_00007FFDFA8D16A4 | |
| Source: | Code function: | 3_2_00007FFDFA914660 | |
| Source: | Code function: | 3_2_00007FFDFA8D162C | |
| Source: | Code function: | 3_2_00007FFDFA8EA6D0 | |
| Source: | Code function: | 3_2_00007FFDFA9126B0 | |
| Source: | Code function: | 3_2_00007FFDFA8D25F4 | |
| Source: | Code function: | 3_2_00007FFDFA8D1F3C | |
| Source: | Code function: | 3_2_00007FFDFA8D1CA3 | |
| Source: | Code function: | 3_2_00007FFDFA8D2423 | |
| Source: | Code function: | 3_2_00007FFDFA91E781 | |
| Source: | Code function: | 3_2_00007FFDFA8D1401 | |
| Source: | Code function: | 3_2_00007FFDFA8D1F28 | |
| Source: | Code function: | 3_2_00007FFDFA8D1ACD | |
| Source: | Code function: | 3_2_00007FFDFA8E4530 | |
| Source: | Code function: | 3_2_00007FFDFA946550 | |
| Source: | Code function: | 3_2_00007FFDFA8D1AC3 | |
| Source: | Code function: | 3_2_00007FFDFA904490 | |
| Source: | Code function: | 3_2_00007FFDFA8D18B6 | |
| Source: | Code function: | 3_2_00007FFDFA8D26E4 | |
| Source: | Code function: | 3_2_00007FFDFA8F05E0 | |
| Source: | Code function: | 3_2_00007FFDFA8D13D9 | |
| Source: | Code function: | 3_2_00007FFDFA936650 | |
| Source: | Code function: | 3_2_00007FFDFA8D24CD | |
| Source: | Code function: | 3_2_00007FFDFA928620 | |
| Source: | Code function: | 3_2_00007FFDFA8D1212 | |
| Source: | Code function: | 3_2_00007FFDFA8D1488 | |
| Source: | Code function: | 3_2_00007FFDFA8D85A0 | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||