Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name:	vy3mvlAaCZ.exe
Analysis ID:	694561
MD5:	1873a210d41acdef243e921f3810803a
SHA1:	6fa90a229148759d12c63bee342e55fa887f6976
SHA256:	34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Machine Learning detection for sample

Found API chain indicative of sandbox detection

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vy3mvlAaCZ.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: vy3mvlAaCZ.exe	Virustotal: Detection: 85%	Perma Link
Source: vy3mvlAaCZ.exe	Metadefender: Detection: 74%	Perma Link
Source: vy3mvlAaCZ.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Source: vy3mvlAaCZ.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack	Avira: Label: TR/Crypt.EPACK.Gen2

Uses 32bit PE files

Source: vy3mvlAaCZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: vy3mvlAaCZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: vy3mvlAaCZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

One or more processes crash

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244

Detected potential crypto function

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00931E5B	0_2_00931E5B
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_009398E1	0_2_009398E1
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_0093A84D	0_2_0093A84D
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00938674	0_2_00938674
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00937B90	0_2_00937B90
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_009369EC	0_2_009369EC
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00938102	0_2_00938102

Source: vy3mvlAaCZ.exe	Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe	Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe	ReversingLabs: Detection: 96%

Source: vy3mvlAaCZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4268

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.rans.evad.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: vy3mvlAaCZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932A35 push ecx; ret

0_2_00932A48

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress,

0_2_0093C790

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00931E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00931E5B

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

API coverage: 0.8 %

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00934E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00934E1A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

0_2_00934E1A

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress,

0_2_0093C790

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932041 GetProcessHeap,

0_2_00932041

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00933387 SetUnhandledExceptionFilter,		0_2_00933387
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_009333B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_009333B8

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0093C090 DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,DestroyWindow,DestroyWindow,TerminateThread,CreateWindowExW,GetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject,

0_2_0093C090

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932D1C cpuid

0_2_00932D1C

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0093BA30 Sleep,Sleep,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetVersionExW,GetModuleHandleA,IsWow64Process,GetModuleHandleA,GetModuleHandleA,RegisterClassExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateThread,Sleep,TerminateThread,Sleep,keybd_event,keybd_event,keybd_event,

0_2_0093BA30

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00932881

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vy3mvlAaCZ.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: vy3mvlAaCZ.exe	Virustotal: Detection: 85%	Perma Link
Source: vy3mvlAaCZ.exe	Metadefender: Detection: 74%	Perma Link
Source: vy3mvlAaCZ.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Source: vy3mvlAaCZ.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack	Avira: Label: TR/Crypt.EPACK.Gen2

Uses 32bit PE files

Source: vy3mvlAaCZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: vy3mvlAaCZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: vy3mvlAaCZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: vy3mvlAaCZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

One or more processes crash

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244

Detected potential crypto function

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00931E5B	0_2_00931E5B
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_009398E1	0_2_009398E1
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_0093A84D	0_2_0093A84D
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00938674	0_2_00938674
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00937B90	0_2_00937B90
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_009369EC	0_2_009369EC
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00938102	0_2_00938102

Source: vy3mvlAaCZ.exe	Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe	Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe	ReversingLabs: Detection: 96%

Source: vy3mvlAaCZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4268

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.rans.evad.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: vy3mvlAaCZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932A35 push ecx; ret

0_2_00932A48

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress,

0_2_0093C790

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

0_2_00931E5B

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

API coverage: 0.8 %

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

0_2_00934E1A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

0_2_00934E1A

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress,

0_2_0093C790

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932041 GetProcessHeap,

0_2_00932041

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_00933387 SetUnhandledExceptionFilter,		0_2_00933387
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe	Code function: 0_2_009333B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_009333B8

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

0_2_0093C090

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932D1C cpuid

0_2_00932D1C

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

0_2_0093BA30

Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe

Code function: 0_2_00932881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00932881

ID:	694561
Product:	CloudBasic
Start time:	23:58:21
Start date:	31.08.2022
Sample:	vy3mvlAaCZ.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1873a210d41acdef243e921f3810803a
SHA1:	6fa90a229148759d12c63bee342e55fa887f6976
SHA256:	34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vy3mvlAaCZ.exe_6074d93d852c1785169ec71e797e6a243c122_d0e789f3_1326a322\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	3BB61DDF965463EDB0AA60D2950DC834	94BB88E8277D67F9261EFDA7122B5063FAD1C3AD	7887FD561BF713404541B56AB5EF8BC9FA9A5F10F72A15C245B2559DE5EBC544
C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Sep 1 06:59:26 2022, 0x1205a4 type	8041C81145A8C17D64471E698F53B7E0	CB951C6F726CCC535AA77568B26EB0E4AF325116	853815B51624678FA302216392D8377C0DEA180C2C2F7590C599123E3297A7C2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A1A.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	0E50780F5CD7ECADA812B9172438386E	CA9FAE7738916E845C90B37DA95C2B06BAB3B294	8E4496A05D4373E8EFC1358AA278C11A2639CECF86AD744F8A492B6CBBD9C630
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B44.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	CAF0E5DE2CF8BA7461786631E7875A69	02194DB299C7DF9D3E170E694DA2DCB9EDE3FB5E	333617884EFEDD0428071F30423AB1BE7EBA23F46EE7B32C922B87F79258F534

Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report vy3mvlAaCZ.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
vy3mvlAaCZ.exe