Analysis Report safecrypt.exe
Overview
General Information
Detection
TeslaCrypt
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected TeslaCrypt Ransomware
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious names
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Abnormally high CPU usage
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup

Malware Configuration
No configs have been found
Yara Overview

Memory Dumps (5 of 16 entries shown)

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security | |
| | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs | |
| | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs | |
| | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security | |
| | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs | |

Unpacked PEs (5 of 27 entries shown)

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security | |
| | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs | |
| | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security | |
| | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs | |
| | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security | |
Sigma Overview
No Sigma rule has matched

Signature Overview
AV Detection

| Signature | Source |
|---|---|
| Antivirus / Scanner detection for submitted sample | Avira |
| Antivirus detection for URL or domain | Avira URL Cloud |
| Antivirus detection for URL or domain | Avira URL Cloud |
| Antivirus detection for URL or domain | Avira URL Cloud |
| Multi AV Scanner detection for dropped file | Metadefender |
| Multi AV Scanner detection for dropped file | ReversingLabs |
| Multi AV Scanner detection for submitted file | Virustotal |
| Multi AV Scanner detection for submitted file | Metadefender |
| Multi AV Scanner detection for submitted file | ReversingLabs |
| Machine Learning detection for sample | Joe Sandbox ML |
Compliance

| Signature | Source | Detail |
|---|---|---|
| Detected unpacking (overwrites its own PE header) | Unpacked PE file | |
| Detected unpacking (overwrites its own PE header) | Unpacked PE file | |
| Detected unpacking (overwrites its own PE header) | Unpacked PE file | |
| Detected unpacking (overwrites its own PE header) | Unpacked PE file | |
| | Static PE information | |
| | Code function | 1_2_00413AD0 |
| | Code function | 1_1_00413AD0 |
| | Code function | 4_1_00413AD0 |
| | Code function | 20_2_00413AD0 |
| | Code function | 1_2_00413860 |
Networking

| Signature | Source |
|---|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Snort IDS |
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Snort IDS |
| Found Tor onion address | String found in binary or memory |
| Found Tor onion address | String found in binary or memory |
| Found Tor onion address | String found in binary or memory |
| | ASN Name |
| | ASN Name |
| | HTTP traffic detected |