ransomware.bin
This report is generated from a file or URL submitted to this webservice on April 22nd 2020 09:56:56 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Ransomware
- Detected indicator that file is ransomware
- Fingerprint
- Queries kernel debugger information
- Reads the cryptographic machine GUID
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 3
-
External Systems
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 23/72 Antivirus vendors marked sample as malicious (31% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 23/72 Antivirus vendors marked sample as malicious (31% detection rate)
- source
- External System
- relevance
- 8/10
-
-
Hiding 1 Malicious Indicators
-
Suspicious Indicators 8
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details
- "ransomware.bin.exe" at 562564829-00002080-00000105-3891179617
- source
- API Call
- relevance
- 6/10
-
-
Environment Awareness
-
Reads the cryptographic machine GUID
- details
- "ransomware.bin.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Query Registry)
-
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "qkmcbg@g5.d"
Pattern match: "1@c.kepkz"
Pattern match: "n@jppexlw6e.q"
Pattern match: "n@w.q"
Pattern match: "fz@r.f0m1z"
Pattern match: "h@jtz.4durshu8vu"
Pattern match: "bvoh@ai.ofr"
Pattern match: "vb@h.d"
Pattern match: "wkyyl@-.o"
Pattern match: "gtvs@w.m"
Pattern match: "__@kb.fz"
Pattern match: "74ei@2pmvfjh.hk"
Pattern match: "l0ry@o.axtu_"
Pattern match: "t@zjiotcla3dreve..lq"
Pattern match: "o@n1kqeu.vodhm"
Pattern match: "mtp6ugq@zf-.l"
Pattern match: "r@y.h_w"
Pattern match: "2_z-nrtahd_t.46@qd.ea"
Pattern match: "ua@y.th"
Pattern match: "emcqpqmhrf@g2.9"
- source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114 (Email Collection; a weak mapping here: none of the matches above is a plausible address, they are byte runs from high-entropy data, and the real contact addresses are the two quoted in the ransom note below)
-
-
Network Related
-
Detected increased number of ARP broadcast requests (network device lookup)
- details
- Attempt to find devices in networks: "192.168.241.133/32, 192.168.241.140/32, 192.168.241.144/31, 192.168.241.147/32, 192.168.241.195/32, 192.168.241.199/32, 192.168.241.225/32, ..."
- source
- Network Traffic
- relevance
- 10/10
- ATT&CK ID
- T1046 (Network Service Scanning)
-
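Detection logic for the ARP sweep indicator above, added here as a worked example; it is not part of the Falcon Sandbox report or of the sample. It reads who-has requests as tab-separated `time<TAB>sender<TAB>target` lines, the layout that `tshark -Y 'arp.opcode == 1' -T fields -e frame.time_relative -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4` produces, and flags any sender that asks for at least `threshold` distinct targets inside a sliding time window. The log is constructed: one host walks 192.168.241.1 through .60 in the report's subnet, and one host does ordinary gateway and peer lookups.

```python
from __future__ import annotations

from collections import Counter, defaultdict


def parse_arp_requests(lines):
    """Yield (time, sender_ip, target_ip) from tab-separated who-has records;
    blank lines and '#' comments are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, sender, target = line.split("\t")
        yield float(t), sender, target


def detect_arp_sweep(lines, window: float = 10.0, threshold: int = 20) -> dict:
    """Map sender IP -> peak number of distinct targets it asked for within any
    `window`-second span, keeping only senders that reached `threshold`."""
    per_sender = defaultdict(list)
    for t, sender, target in parse_arp_requests(lines):
        per_sender[sender].append((t, target))

    alerts = {}
    for sender, events in per_sender.items():
        events.sort()                      # by time, so the window can slide
        in_window = Counter()              # target -> requests inside the window
        lo, peak = 0, 0
        for t, target in events:
            in_window[target] += 1
            while t - events[lo][0] > window:   # drop requests older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[sender] = peak
    return alerts


def build_sample() -> list[str]:
    """Constructed who-has log: one sweeping host, one host behaving normally."""
    lines = ["# frame.time_relative\tarp.src.proto_ipv4\tarp.dst.proto_ipv4"]
    # 192.168.241.130 walks 192.168.241.1 .. .60, one request every 50 ms
    for i in range(1, 61):
        lines.append(f"{1.0 + 0.05 * i:.3f}\t192.168.241.130\t192.168.241.{i}")
    # 192.168.241.10 resolves the gateway and three peers, spread over a minute
    for k, peer in enumerate(("2", "2", "15", "22", "2", "40", "15")):
        lines.append(f"{2.0 + 9.0 * k:.3f}\t192.168.241.10\t192.168.241.{peer}")
    return lines


if __name__ == "__main__":
    print(detect_arp_sweep(build_sample()))   # {'192.168.241.130': 60}
```

Counting distinct targets rather than raw request volume is what keeps a chatty but legitimate host (repeated lookups of the same gateway) below the threshold, while a sweep across the /24 trips it within a few seconds.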
-
Ransomware/Banking
-
Detected indicator that file is ransomware
- details
-
"Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups, replications were either encrypted or wiped. Shadow copies also removed.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE *.sfile2 files.
This may lead to the impossibility of recovery of the certain files.
To get info how to decrypt your files, contact us at:
vinilblind@protonmail.com
blefbeef@elude.in
To confirm our honest intentions we will decrypt few files for free.
Send 2 different files with extension *.sfile2. Files should not contain essential information.
Files should be inside ZIP archive and mailed to us (SUBJ : your domain or network name).
It can be from different computers on your network to be sure we decrypts everything.
The procedure to decrypt the rest is simple:
After payment we will send you decryption software.
Don't waste time, send email with files attached as soo" (Source: d3bf17ac4db4f367cfed8f40f92670066ca97e98d210b043e4d3b89a4971bbdf.bin, Indicator: "decrypt your files")
- source
- File/Memory
- relevance
- 7/10
-
The input sample dropped very many files
- details
- The input sample dropped 2000 files (often an indicator for ransomware); 2000 is also the sandbox's extraction cap noted under Notifications, so the real count is at least that
- source
- Binary File
- relevance
- 5/10
-
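A triage script for the two string-based indicators above, the "potential E-Mail address" hits and the ransom note, added here as a worked example; it is not part of the Falcon Sandbox report or of the sample. It runs a `strings`-style extraction over a buffer, keeps only syntactically valid e-mail addresses, checks their top-level domain against an allowlist, and scores the ransom-note phrases and the `*.sfile2` extension taken from the note. The sample buffer is constructed from the note text plus non-printable filler carrying some of the junk hits listed under "Found a potential E-Mail address"; the TLD allowlist is a constructed subset (use the IANA root-zone list in practice), and the function names are mine. The same syntax check explains the "Found potential URL in binary/memory" hits further down: none of them survives it.

```python
from __future__ import annotations

import re

# Printable ASCII (0x20-0x7E); newlines and other control bytes split strings.
PRINTABLE = frozenset(range(0x20, 0x7F))

# Strict address syntax: local part of at least 2 chars starting alphanumeric,
# domain labels alphanumeric with internal hyphens only, TLD of 2-24 letters,
# and the match must not be glued to surrounding token characters.
EMAIL_RE = re.compile(
    r"(?<![A-Za-z0-9._%+-])"
    r"([A-Za-z0-9][A-Za-z0-9._%+-]{1,63})"
    r"@"
    r"((?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,24})"
    r"(?![A-Za-z0-9_-])"
)

# Constructed TLD allowlist for this example; use the IANA root-zone list in practice.
KNOWN_TLDS = frozenset({"com", "net", "org", "in", "io", "ru", "de", "uk", "info", "biz"})

# Phrases taken from the ransom note quoted in the report.
RANSOM_PHRASES = (
    "has been penetrated",
    "have been encrypted",
    "shadow copies also removed",
    "decrypt your files",
    "after payment we will send you decryption software",
)
# "*.sfile2"-style extension mentions in the note.
EXT_RE = re.compile(r"\*\.([a-z0-9]{2,10})\b")


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Return runs of printable ASCII at least min_len bytes long (like `strings`)."""
    out, cur = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def triage(data: bytes) -> dict:
    """Extract contact addresses and ransom-note markers from a binary/memory dump."""
    runs = extract_strings(data)
    candidates, emails = set(), set()
    for run in runs:
        for local, domain in EMAIL_RE.findall(run):
            addr = f"{local}@{domain}".lower()
            candidates.add(addr)
            if domain.rsplit(".", 1)[-1].lower() in KNOWN_TLDS:
                emails.add(addr)
    text = "\n".join(runs).lower()
    phrases = [p for p in RANSOM_PHRASES if p in text]
    exts = sorted(set(EXT_RE.findall(text)))
    verdict = "ransomware" if len(phrases) >= 2 and (emails or exts) else "unknown"
    return {
        "emails": sorted(emails),                      # syntax OK and TLD known
        "email_candidates": sorted(candidates - emails),  # syntax OK, needs analyst review
        "phrases": phrases,
        "extensions": exts,
        "verdict": verdict,
    }


# Constructed sample: lines of the ransom note quoted in the report, then filler
# bytes carrying four of the junk "addresses" the sandbox heuristic reported.
SAMPLE = (
    b"Your network has been penetrated.\n"
    b"All files on each host in the network have been encrypted with a strong algorithm.\n"
    b"Backups, replications were either encrypted or wiped. Shadow copies also removed.\n"
    b"DO NOT DELETE *.sfile2 files.\n"
    b"To get info how to decrypt your files, contact us at:\n"
    b"vinilblind@protonmail.com\n"
    b"blefbeef@elude.in\n"
    b"After payment we will send you decryption software.\n"
    b"\x00\x00\x8fqkmcbg@g5.d\x00\x9f74ei@2pmvfjh.hk\xfft@zjiotcla3dreve..lq\x01emcqpqmhrf@g2.9\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Of the four junk hits embedded in the sample, only 74ei@2pmvfjh.hk has a plausible local part, valid labels and a letters-only TLD, so it survives the regex; the TLD allowlist then parks it in `email_candidates` instead of the contact list, which is where an analyst should spend the review time.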
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
OpenProcessToken
GetDriveTypeW
GetComputerNameW
GetFileAttributesW
LoadLibraryA
GetStartupInfoW
DeleteFileW
GetProcAddress
CreateFileMappingW
GetFileSizeEx
CreateThread
MapViewOfFile
WriteFile
CreateFileMappingA
ExitThread
OutputDebugStringA
CreateFileW
Sleep
GetTickCount
GetFileSize
GetCursorPos
- source
- Static Parser
- relevance
- 1/10
-
Input file contains API references not part of its Import Address Table (IAT)
- details
-
Found string "RtlCompressBuffer" (Source: d3bf17ac4db4f367cfed8f40f92670066ca97e98d210b043e4d3b89a4971bbdf.bin, API is part of module: NTDLL.DLL)
Found string "RtlGetCompressionWorkSpaceSize" (Source: d3bf17ac4db4f367cfed8f40f92670066ca97e98d210b043e4d3b89a4971bbdf.bin, API is part of module: NTDLL.DLL)
Both strings name APIs absent from the import table, consistent with runtime resolution through the imported LoadLibraryA/GetProcAddress.
- source
- File/Memory
- relevance
- 10/10
-
-
Informative 6
-
General
-
Contains PDB pathways
- details
- "D:\code\ransomware_win\bin\ransomware.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"DBWinMutex" (the mutex OutputDebugString uses to synchronise with debug viewers, matching the imported OutputDebugStringA; not a sample-specific mutex)
- source
- Created Mutant
- relevance
- 3/10
-
-
Installation/Persistence
-
Dropped files
- details
-
".eclipseproduct.sfile2" has type "PGP\011Secret Key -"
"config-keys.def.sfile2" has type "data"
"appstore.png.sfile2" has type "data"
"APPLETALK-MIB.sfile2" has type "data"
"AppStore_icon.svg.sfile2" has type "data"
"Fiji.sfile2" has type "data"
"core_icons_hiContrast_wob.png.sfile2" has type "data"
"C06.jpg.sfile2" has type "data"
"AssemblyList_4_extended.xml.sfile2" has type "data"
"arrow-down.png.sfile2" has type "data"
"C14.hsdt.sfile2" has type "data"
"24 Month Sales Forecast.xlsx.sfile2" has type "data"
"Bordered President_s Award.hwt.sfile2" has type "data"
"Bold Red Black Annual Report.hwt.sfile2" has type "data"
"401K Reallocation.hcdt.sfile2" has type "8086 relocatable (Microsoft)"
"core_icons_retina.png.sfile2" has type "data"
"Bold Hanging Tab.docx.sfile2" has type "data"
"autoit_v3.tcl.sfile2" has type "data"
"com.jrockit.mc.components.ui_5.5.1.172852.jar.sfile2" has type "data"
"Contrasting bevel multi product.hwt.sfile2" has type "data"
- source
- Binary File
- relevance
- 3/10
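Triage of the dropped files, added here as a worked example; it is not part of the Falcon Sandbox report or of the sample. The libmagic types the sandbox reports for two of the files, "PGP Secret Key" for .eclipseproduct.sfile2 and "8086 relocatable (Microsoft)" for 401K Reallocation.hcdt.sfile2, are coincidental signature hits on ciphertext. A byte-entropy check separates encrypted output from files that merely carry the appended extension, and stripping `.sfile2` recovers the original extension for damage assessment. The in-memory entries are constructed: ciphertext is simulated with a SHA-256 counter stream, the file names are borrowed from the list above (notes.sfile2 is invented), and `scan_tree` applies the same logic to a real directory.

```python
from __future__ import annotations

import hashlib
import math
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".sfile2"      # extension the sample appends
ENCRYPTED_ENTROPY = 7.5     # bits per byte; ciphertext and compressed data sit near 8.0
MIN_SIZE = 1024             # below this the plug-in entropy estimate is biased low


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def original_extension(name: str) -> str:
    """Extension the file had before RANSOM_EXT was appended ('' if it had none)."""
    stem = name[:-len(RANSOM_EXT)] if name.endswith(RANSOM_EXT) else name
    return Path(stem).suffix.lstrip(".").lower()


def classify(name: str, data: bytes) -> dict:
    """Decide whether a file is real ciphertext, merely renamed, or untouched."""
    ent = shannon_entropy(data)
    marked = name.endswith(RANSOM_EXT)
    high = len(data) >= MIN_SIZE and ent >= ENCRYPTED_ENTROPY
    if marked and len(data) < MIN_SIZE:
        verdict = "marked-small"        # too small to judge by entropy alone
    elif marked and high:
        verdict = "encrypted"
    elif marked:
        verdict = "marked-but-plain"    # renamed only, or a dropped note/marker file
    elif high:
        verdict = "high-entropy"        # not renamed: packed, compressed or pre-encrypted
    else:
        verdict = "plain"
    return {"name": name, "entropy": round(ent, 3), "verdict": verdict,
            "original_ext": original_extension(name) if marked else ""}


def scan_entries(entries) -> dict:
    """Summarise (name, bytes) pairs: what got encrypted and which file types were hit."""
    records = [classify(n, d) for n, d in entries]
    counts = Counter(r["verdict"] for r in records)
    hit_types = Counter(r["original_ext"] or "(none)"
                        for r in records if r["verdict"] == "encrypted")
    return {"records": records, "counts": dict(counts), "hit_types": dict(hit_types)}


def scan_tree(root: str) -> dict:
    """Same summary over a real directory tree (not exercised by the constructed sample)."""
    paths = (p for p in Path(root).rglob("*") if p.is_file())
    return scan_entries((p.name, p.read_bytes()) for p in paths)


def fake_ciphertext(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy bytes standing in for AES output (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


PLAINTEXT = (b'<?xml version="1.0" encoding="UTF-8"?>\n<assemblies>\n'
             b'  <assembly name="core" version="4.0"/>\n</assemblies>\n') * 40

# Constructed entries named after files in the report's dropped-file list.
SAMPLE_ENTRIES = [
    ("appstore.png.sfile2", fake_ciphertext(4096, b"a")),
    ("config-keys.def.sfile2", fake_ciphertext(2048, b"b")),
    (".eclipseproduct.sfile2", fake_ciphertext(322, b"c")),
    ("AssemblyList_4_extended.xml", PLAINTEXT),
    ("notes.sfile2", PLAINTEXT),
]

if __name__ == "__main__":
    summary = scan_entries(SAMPLE_ENTRIES)
    print(summary["counts"], summary["hit_types"])
```

The 322-byte .eclipseproduct.sfile2 lands in `marked-small` on purpose: a few hundred random bytes rarely reach 7.5 bits/byte under the plug-in estimator, so small files need a header check or a comparison against the original rather than an entropy threshold.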
-
Touches files in the Windows directory
- details
-
"ransomware.bin.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"ransomware.bin.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
- source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "vYt-DZH?hEDyGv|wK6V[-rD!a.IN"
Pattern match: "T.FFo/@s=gGfRvh&,]7u12]#O;Z.dKN"
Pattern match: "Q.iy/kW}?eM,9HZ"
Pattern match: "F-.UU/ztR-ICP,pg#f"
Heuristic match: "D1e1N(K]y.AD"
Heuristic match: "0D~>|N[gi?_Y?h4$>o*E_;[4$$A^<Ctq-1h#:OvEa;RT;5ndbOr}/t;z0=!.Ni"
Pattern match: "l1OyV.Lg/pom1z3jryBc0.SRw%SLfrzcb"
Pattern match: "ai.Ofr/|5A:?pU"
Pattern match: "69Mn.Gg/g#c#0l~N}h1ad6c"
Heuristic match: "lt).CL"
Pattern match: "V.as/p#"
Pattern match: "zJiotcLa3dREve..lQ/exM6\GS\HskY-GH~m+"
Pattern match: "ieMB.Ojs/eGP*~8p!%-*'[AW~`,CdS^L\L-+"
Pattern match: "IDy.xQW/Wye#HAb-b7LD[:cV45q3xyY/&$Th^CGX}giUO"
Pattern match: "Q.GR/'P*ObZZL4Q$7E'f_"
Heuristic match: ",q1H9[!~)7jq<&#:|l7]!O;#r8@w\EI-R};y3*AMvr@7annXH_KkF1h.:u|66H,ycG?#e32`qd6fdn=++/>jZYNApoY+$sOj&4?bYDD[Zyh%F$%Mt|he88<r)?Oi0p#;xUzPnqz0?oQJT1dPKFH)1M#U#X<CsF}hs`9sn0kE3Mj'bNmu;SZqTau1t]$&Q8=hf.Jo"
Pattern match: "s.Znc/R_IQ=Qq!8M"
- source
- File/Memory
- relevance
- 10/10
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "ransomware.bin.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Kernel Modules and Extensions; a weak mapping here: user-mode CryptoAPI/CNG calls open \Device\KsecDD, and the rsaenh.dll touched above is the Microsoft Enhanced Cryptographic Provider, so this is consistent with key generation rather than loading a driver)
-
File Details
ransomware.bin
- Filename
- ransomware.bin
- Size
- 256KiB (261632 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- d3bf17ac4db4f367cfed8f40f92670066ca97e98d210b043e4d3b89a4971bbdf
- MD5
- 49e600928f341599650c3c6d7e1bdc79
- SHA1
- 52475b8bc39e6ee4bb16c0946d3ca83bccb752ab
- ssdeep
- 6144:d7sjQlPbPhEYWDfmZO8QyGlSDDo2/TvgqvPWCIfGogOMb+81v4jX1Y:dAjm0eZmy24o2tID
- imphash
- 14bc0225130d406e1fac7881a0aa35ee
- authentihash
- 1c6b9042d8f47add741fc16073c76267bd8ee2e0ff7cf10a403edd2102dcf200
- PDB Timestamp
- 04/17/2020 04:39:05 (UTC)
- PDB Pathway
- D:\code\ransomware_win\bin\ransomware.pdb
- PDB GUID
- A749325D3AC24704AF7F9DC4BFBB04BE
Classification (TrID; heuristic only, and its Win64 guess conflicts with the PE32/i386 header in the description above)
- 61.7% (.EXE) Win64 Executable (generic)
- 14.7% (.DLL) Win32 Dynamic Link Library (generic)
- 10.0% (.EXE) Win32 Executable (generic)
- 4.5% (.EXE) OS/2 Executable (generic)
- 4.4% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 27034)
- 1 Unknown Objects (build: 27034)
- 1 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 27034)
- 12 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 27034)
- 1 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 27034)
- 9 .LIB Files generated with LIB.EXE 9.00 (Visual Studio 2008) (build: 30729)
- 2 .ASM Files assembled with MASM 7.10 (Visual Studio .NET 2002) (build: 4035)
- 1 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 42 .C Files compiled with CL.EXE 10.00 (Visual Studio 5) (build: 27034)
- File appears to contain raw COFF/OMF content
- File is the product of a small codebase (0 files)
File Sections
File Imports
File Exports
Name | Ordinal | Address |
---|---|---|
_ReflectiveLoader@4 | #1 | 0x432350 |
_aes_hw_cpu_decrypt@8 | #2 | 0x40100b |
_aes_hw_cpu_decrypt_32_blocks@8 | #3 | 0x4010c7 |
_aes_hw_cpu_enable_sse@0 | #4 | 0x401000 |
_aes_hw_cpu_encrypt@8 | #5 | 0x401537 |
_aes_hw_cpu_encrypt_32_blocks@8 | #6 | 0x4015f3 |
_ReflectiveLoader@4 is the conventional export of a reflective-DLL-injection loader, so the image is built to be mapped into a process from memory as well as run directly; the _aes_hw_cpu_* exports are AES-NI block encrypt/decrypt routines (note _aes_hw_cpu_enable_sse), consistent with the file encryption being done in-process with hardware-accelerated AES.
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- ransomware.bin.exe (PID: 2080) 23/72
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 1980 file(s) are available in the full version and XML/JSON reports.
-
Informative 20
-
-
.eclipseproduct.sfile2
- Size
- 322B (322 bytes)
- Type
- unknown
- Description
- PGP\011Secret Key -
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 64678b30862485885e326eeb67b7aa81
- SHA1
- 2eac46b7822663b7b8bc0b1baee0c5d9c434e3e6
- SHA256
- 4629f8d59c95057dd9b0837ba0e0b6788064fa4a78f333445bb9a93d52b2f52f
-
config-keys.def.sfile2
- Size
- 11KiB (11335 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 67d8b776192176d07102d956049fcdcd
- SHA1
- 078c6dac3ddb3b9612649e638a360bb77ce8e098
- SHA256
- a435763483aa583271451ea4688f107e1096d55a744a1821330faa15c903e4c2
-
appstore.png.sfile2
- Size
- 77KiB (78946 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 95ad3b19e45134ff46225094e2a70c54
- SHA1
- df8e019eb4a7c91a27a51d2c532e4fd79273d390
- SHA256
- 9d78ed5a8654f90e1a63028c5afe8403c726832252f0dd93f07d671b9788e539
-
APPLETALK-MIB.sfile2
- Size
- 100KiB (102785 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- bf8f21663415a28a0b3f3bce167c37d7
- SHA1
- 1f9deb6953c57f39a4a7194f41c4821310b77d2f
- SHA256
- 5c61f45d0acb07bbbb10e4f54b8572212b7ce6599b9b2cd86c237fb36fb034e1
-
AppStore_icon.svg.sfile2
- Size
- 20KiB (20338 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 83b204c5ceb057c8b5c36871f1e98407
- SHA1
- 5fa698ba26767fdd670bdc27423507986c624e04
- SHA256
- c0f165f942e7f62e5375c39eee39442d69a2f8fbaa50b38932dc30f375b393ba
-
Fiji.sfile2
- Size
- 5.7KiB (5854 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 75d6637661ad0cd4af93524b6b2429c8
- SHA1
- 8139bf573dd513c4829f52823ea424217d68302e
- SHA256
- 66fd5606ba3e1e048a29e76ff77d02cae1bde4185bc6246e2bd4228e080a38b4
-
core_icons_hiContrast_wob.png.sfile2
- Size
- 7.8KiB (7954 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 32d19ae26bac5ad2fe9379cb517d59e6
- SHA1
- 2ac2cb43721de94eab8e3ed66184525242c2bbe7
- SHA256
- fcfc9496accdb2fda8b3b91cc4b475a2ead6d92a8e48422b7d25aaeeb585106d
-
C06.jpg.sfile2
- Size
- 2.7KiB (2743 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 7860511d4aa714980e79118fd5cdf74f
- SHA1
- 655366a349a2671fd23a72e6703c0a2f8142fbcd
- SHA256
- 4de8def1201ac5e036a06a8135397a993541479c068ef4cbc140de5e9fab74fc
-
AssemblyList_4_extended.xml.sfile2
- Size
- 8.3KiB (8476 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 198af47a083bc67f1612780b6b8b196e
- SHA1
- 14be80ce6998f871f8c954ba380987351351cc4e
- SHA256
- 431b3454224a1f0e5ee86fc138e721a27f9409547b8c40e30c42abc1730b21e2
-
arrow-down.png.sfile2
- Size
- 553B (553 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 33bc81d37d86cdcae2c5ab2303785c5e
- SHA1
- 3d69847ce58c7d4d1b9a8093cff4a08f6eb3ceb5
- SHA256
- 26caeb6ba8730d239281a1477e1af379cf057bbb4c50b30490e6fa8559c31ae0
-
C14.hsdt.sfile2
- Size
- 116KiB (119243 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- e02c99f88a7b33af42ac2223510dcf23
- SHA1
- 7c01343a26fab491411fcd629a3019d52aeca62b
- SHA256
- dc88f79485dcebde77b8978d823bdd8ff7ceaafa2078d936dcf057e7b15132d2
-
24 Month Sales Forecast.xlsx.sfile2
- Size
- 18KiB (18879 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- ce8a3909a299dbced41a598baa8c6e55
- SHA1
- dc8a55c6e5cc4f11db4314812aa79f9261caa8dc
- SHA256
- 8f1acecf6e660537685e3a6fd8247de34ff3d01d256f87d9ae32132242ddc15a
-
Bordered President_s Award.hwt.sfile2
- Size
- 42KiB (42752 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 943a70a9e87c887b33712efbd83104c1
- SHA1
- 029ef175bbaca0c86e0e90a17bce62fe23340db1
- SHA256
- 9b6b4bf20e0201112b385ecfd85c2bd9c3a60122eb5ec567fb382b13c24ed299
-
Bold Red Black Annual Report.hwt.sfile2
- Size
- 1019KiB (1043200 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 4f9704a7d02155d0f1fc9293a45009ed
- SHA1
- 92b28a798c0211164bb38241866b502ab699a29f
- SHA256
- eed69b61bc945f5b690b15f72d9ce5ffd2a2870f9344d5f8617f00ae5b4117a6
-
401K Reallocation.hcdt.sfile2
- Size
- 26KiB (26880 bytes)
- Type
- unknown
- Description
- 8086 relocatable (Microsoft)
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 25423434d1b26e2b72356f81d0200006
- SHA1
- e7fdefa4d22ee91189560ce7a546f6dec2770a04
- SHA256
- ec415192f2940b1c45747547d4bd8c1320f2479ae1f85263c29cf86ab9e14096
-
core_icons_retina.png.sfile2
- Size
- 20KiB (20362 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 624e3b189aa255ec9c12768c16b16f54
- SHA1
- e55f22aa3def60ce02649ba07b34fd3078985b38
- SHA256
- eb66c61e702569aab704a93859a54e86ff1e4ded87901e98149229c2324406be
-
Bold Hanging Tab.docx.sfile2
- Size
- 1.9MiB (2037199 bytes)
- Type
- docx office
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 8776acbb5670451bccc0919db2b865bd
- SHA1
- 60780a003ca64c7c76ff99a4a8765d0513bf8eba
- SHA256
- eb74cb2ec28802bc65902834c0f3a6bcefb3da969566ad7fc43182d418541d54
-
autoit_v3.tcl.sfile2
- Size
- 17KiB (17437 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 702d73aed9e523d8f47699eb1fa6abb5
- SHA1
- 49c687cc9194076ac76e0cc0e7f5cccb39b588ea
- SHA256
- 2be77045a48b44c7470cc8a1d91050aaa33beb6469127bf7b4234b5c76fa7c59
-
com.jrockit.mc.components.ui_5.5.1.172852.jar.sfile2
- Size
- 410KiB (419630 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- f199c32f2fcd8903a4846e3f7a8f5329
- SHA1
- a78eff013468ad79ad610ded1f9007a8bec6aff6
- SHA256
- 2b4d6243d576a163bc75851bce8f02d89475bd4021b1ae48c04beb8f06285494
-
Contrasting bevel multi product.hwt.sfile2
- Size
- 59KiB (60160 bytes)
- Type
- data
- Runtime Process
- ransomware.bin.exe (PID: 2080)
- MD5
- 5de54baec080fff53af29034fe3f6e5a
- SHA1
- 87ac4055ad381107013aa1580c12219e0749603a
- SHA256
- 5d2ba1e24197d83ba5d6c82d28fd63277ddf5bffecdaa32c1f64c0a364b79254
-
Notifications
-
Runtime
- A process crash was detected during the runtime analysis
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-10" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Touched the maximum number of extracted files (2000), report might not contain information about some extracted files