Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1501455
MD5: 8ef3231a2184f8e55fe3656d01f21075
SHA1: 0dba37c84d8a65d3cce20548ef68663c3a498008
SHA256: 0cd7337379f60570ecc65298ffddb43bb5a0eb93300b83906c38b741725c974d
Detection

BlackSuit
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected BlackSuit Ransomware
Deletes shadow drive data (may be related to ransomware)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Program does not show much activity (idle)
Uses 32bit PE files

Classification

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\Desktop\file.exe Code function: -----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA42b6yev524etcti9MBEdY1cgr2ybNMRDHyZZHpV0nTpWeVFCtgSMoUDKuaY5DJzru65IkZyoQWqP6n78pbLnCFxB7+JJ3jeb1aZDfDpnPnY81u+h+1jVbcL0qo8PMPIDbkRcOsu7hCi76++HvACKxHeThbue6rHprDZ5HcOZnNpEb8Mihl3q2/sidy 0_2_0100AB60
Source: file.exe Binary or memory string: -----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA42b6yev524etcti9MBEdY1cgr2ybNMRDHyZZHpV0nTpWeVFCtgSMoUDKuaY5DJzru65IkZyoQWqP6n78pbLnCFxB7+JJ3jeb1aZDfDpnPnY81u+h+1jVbcL0qo8PMPIDbkRcOsu7hCi76++HvACKxHeThbue6rHprDZ5HcOZnNpEb8Mihl3q2/sidy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: Process Memory Space: file.exe PID: 6592, type: MEMORYSTR
Source: file.exe, 00000000.00000002.1661517890.0000000002D4D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quietD
Source: file.exe, 00000000.00000002.1661517890.0000000002D4D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quietX
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01007030 0_2_01007030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01007FC0 0_2_01007FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010018C0 0_2_010018C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01008BD0 0_2_01008BD0
Source: classification engine Classification label: mal60.rans.winEXE@1/0@0/0
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0100B110 GetProcessHeap,HeapFree, 0_2_0100B110
No contacted IP infos
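The two indicators that drive this report's ransomware verdict are both plain memory strings: the `cmd.exe /c vssadmin delete shadows /all /quiet` command and the embedded `-----BEGIN RSA PUBLIC KEY-----` block (which the report shows truncated, with no END marker). The following Python is an added triage example, not code from the sandbox vendor or from the sample; it runs a `strings`-style scan over a constructed byte blob that mimics those memory hits (the sample bytes are made up, including the stray trailing byte after `/quiet` that the report also shows) and flags the indicators. It goes beyond the report by also matching the wmic, wbadmin and bcdedit recovery-tampering commands, which this sample did not exhibit.

```python
"""Memory-string triage for shadow-copy deletion and embedded public keys.
Added example; the sample bytes below are constructed, not the real dump."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a process memory region. The layout mimics the
# report's hits: a command followed by a stray printable byte, then a PEM
# header with no matching END marker. These are NOT the sample's real bytes.
SAMPLE_MEMORY = (
    b"\x00\x01\x02cmd.exe /c vssadmin delete shadows /all /quietD\x00"
    b"\x00-----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\x00"
    b"\x00wmic shadowcopy delete\x00\x00irrelevant text\x00"
)

# Recovery-tampering commands commonly seen in ransomware. Only the vssadmin
# form appears in the report; the other three extend the check.
SHADOW_COPY_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(rb"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(rb"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(rb"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_recovery_off": re.compile(
        rb"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
}

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
PEM_END = re.compile(rb"-----END ([A-Z ]+)-----")


def extract_strings(blob: bytes, min_len: int = 6) -> List[bytes]:
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_shadow_copy_deletion(strings: List[bytes]) -> List[Tuple[str, str]]:
    """Return (pattern_name, full_string) for every recovery-tampering hit."""
    hits = []
    for s in strings:
        for name, pat in SHADOW_COPY_PATTERNS.items():
            if pat.search(s):
                hits.append((name, s.decode("ascii")))
    return hits


def find_pem_blocks(strings: List[bytes]) -> List[Dict[str, object]]:
    """Report embedded PEM headers. complete=False means no END marker was
    seen in the same string: the key was cut off (as in the report) or the
    block is split across non-printable bytes."""
    found = []
    for s in strings:
        m = PEM_BEGIN.search(s)
        if not m:
            continue
        found.append({
            "label": m.group(1).decode("ascii"),
            "complete": PEM_END.search(s) is not None,
        })
    return found


def triage(blob: bytes) -> Dict[str, object]:
    """Combine the two indicators into a verdict the way the report does:
    both present -> likely ransomware, one -> suspicious, none -> clean."""
    strings = extract_strings(blob)
    shadow = find_shadow_copy_deletion(strings)
    pem = find_pem_blocks(strings)
    reasons = []
    if shadow:
        reasons.append("deletes shadow copies / disables recovery")
    if any(str(p["label"]).endswith("PUBLIC KEY") for p in pem):
        reasons.append("embeds an asymmetric public key")
    if len(reasons) == 2:
        verdict = "likely ransomware"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"shadow_copy": shadow, "pem": pem, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MEMORY).items():
        print(f"{key}: {value}")
```

On a real dump, feed the raw process memory (for example the `.sdmp` region the report references) into `triage`; the PEM check only tells you a public key is embedded, it does not recover anything, since the matching private key is not in the binary.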