Click to jump to signature section
Source: RanSomWarek.exe | ReversingLabs: Detection: 60% |
Source: RanSomWarek.exe | Virustotal: Detection: 59% | Perma Link |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.9% probability |
Source: RanSomWarek.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_07484B10 |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_07484B08 |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh | 0_2_07484C15 |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh | 0_2_07484C20 |
Source: unknown | DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3) |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Code function: 0_2_016B94B8 | 0_2_016B94B8 |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Code function: 0_2_07481A18 | 0_2_07481A18 |
Source: RanSomWarek.exe, 00000000.00000002.2047829606.000000000117E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RanSomWarek.exe |
Source: RanSomWarek.exe, 00000000.00000000.1996362797.0000000000D5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRanSomWare.exe6 vs RanSomWarek.exe |
Source: RanSomWarek.exe | Binary or memory string: OriginalFilenameRanSomWare.exe6 vs RanSomWarek.exe |
Source: classification engine | Classification label: mal68.evad.winEXE@1/1@1/0 |
Source: C:\Users\user\Desktop\RanSomWarek.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RanSomWarek.exe.log | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Mutant created: NULL |
Source: RanSomWarek.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: RanSomWarek.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: RanSomWarek.exe | ReversingLabs: Detection: 60% |
Source: RanSomWarek.exe | Virustotal: Detection: 59% |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: windowscodecs.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: dwrite.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 | Jump to behavior |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Users\user\Desktop\RanSomWarek.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll | Jump to behavior |
Source: RanSomWarek.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: RanSomWarek.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: RanSomWarek.exe, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Memory allocated: 16B0000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Memory allocated: 3000000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Memory allocated: 5000000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe TID: 6564 | Thread sleep time: -922337203685477s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Queries volume information: C:\Users\user\Desktop\RanSomWarek.exe VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\RanSomWarek.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |