File name:	Sage Ransomware
Full analysis:	https://app.any.run/tasks/e0e9e281-bd4e-4e04-9def-a3a4dd0a243a
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 22, 2019, 11:15:17
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trojan ransomware sage
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	F912741E9979C034ABE1BEEE443EC767
SHA1:	C49B3547096BDD6ED23C146A1CD320B45AC69437
SHA256:	4CD2F040B676D4B3613595D5AC2E3F99FE87ECA2492A6455FE4D69F557B448CE
SSDEEP:	12288:nN1aeD61Vw4TEfAmbFa0vfWHvCaL8fnI1803u9C1fGae1f:nN1avzENJtvfWHvZAfn18u81reh

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0xa56a
UninitializedDataSize:	-
InitializedDataSize:	461824
CodeSize:	149504
LinkerVersion:	14
PEType:	PE32
TimeStamp:	2017:10:08 03:50:09+02:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	08-Oct-2017 01:50:09
Detected languages:	Danish - Denmark

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000108

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	7
Time date stamp:	08-Oct-2017 01:50:09
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00036000	0x000015B2	0x00001600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.66747
.rdata	0x00026000	0x0000CCE8	0x0000CE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.65631
.data	0x00033000	0x00001C9C	0x00001200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	1.8796
.gfids	0x00035000	0x00000154	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	2.81359
.rsrc	0x00038000	0x0005F2E0	0x0005F400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.82276
.reloc	0x00098000	0x00001FE0	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.71509

Title	Entropy	Size	Codepage	Language	Type
1	5.02361	756	Latin 1 / Western European	Danish - Denmark	RT_MANIFEST
2	6.43462	9640	Latin 1 / Western European	Danish - Denmark	RT_ICON
3	6.54048	4264	Latin 1 / Western European	Danish - Denmark	RT_ICON
4	6.54048	4264	Latin 1 / Western European	Danish - Denmark	RT_ICON
5	6.54048	4264	Latin 1 / Western European	Danish - Denmark	RT_ICON
6	4.83525	744	Latin 1 / Western European	Danish - Denmark	RT_ICON
7	6.63567	2440	Latin 1 / Western European	Danish - Denmark	RT_ICON
8	6.25285	1128	Latin 1 / Western European	Danish - Denmark	RT_ICON
101	2.83889	118	Latin 1 / Western European	Danish - Denmark	RT_GROUP_ICON
261	7.9827	98708	Latin 1 / Western European	Danish - Denmark	TEMPLATES


(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Sage Ransomware_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Sage Ransomware_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Sage Ransomware_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Sage Ransomware_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Sage Ransomware_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Sage Ransomware_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_CURRENT_USER\Software\AppDataLow\BogapgLi
Operation:	write	Name:	jFQnp5VP
Value: 87DC32EC28FBAA8A5FE061FCA1ADB75E35833765089C6533B9E6DA941222C63C84AE6B7BEC0BD3AF7DDBF81CC7FCBC7539E5526B0902AF5E45F47603517FFC3B0100000000000000
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_CURRENT_USER\Software\BogapgLi
Operation:	write	Name:	jFQnp5VP
Value: 87DC32EC28FBAA8A5FE061FCA1ADB75E35833765089C6533B9E6DA941222C63C84AE6B7BEC0BD3AF7DDBF81CC7FCBC7539E5526B0902AF5E45F47603517FFC3B0100000000000000
(PID) Process:	(988) Sage Ransomware.exe	Key:	HKEY_CLASSES_ROOT\Software\AppDataLow\BogapgLi
Operation:	write	Name:	jFQnp5VP
Value: 87DC32EC28FBAA8A5FE061FCA1ADB75E35833765089C6533B9E6DA941222C63C84AE6B7BEC0BD3AF7DDBF81CC7FCBC7539E5526B0902AF5E45F47603517FFC3B0100000000000000

PID	Process	Filename		Type
2464	explorer.exe	C:\Users\admin\Documents\Outlook Files\[email protected]...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\AppData\Local\CEF\User Data\CrashpadMetrics-active.pma...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\Documents\Outlook Files\Outlook.pst...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\AppData\Roaming\Opera\Opera x64\bookmarks.adr...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\Contacts\admin.contact...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage-ecs.data...		—
		MD5:—	SHA256:—
2464	explorer.exe	C:\Users\admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc...		—
		MD5:—	SHA256:—


ADVAPI32.dll
AVICAP32.dll
GDI32.dll
KERNEL32.dll
NETAPI32.dll
OLEAUT32.dll
OPENGL32.dll
RASAPI32.dll
RASDLG.dll
SHELL32.dll

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	211.114.128.4:13655	—	Korea Telecom	KR	unknown
988	Sage Ransomware.exe	211.114.4.45:13655	—	Korea Telecom	KR	unknown
—	—	138.197.249.221:13655	—	—	US	unknown
—	—	138.197.69.39:13655	—	Digital Ocean, Inc.	US	unknown
—	—	211.114.186.119:13655	—	Korea Telecom	KR	unknown
—	—	5.45.173.171:13655	—	Vodafone Ono, S.A.	ES	unknown
—	—	5.45.86.15:13655	—	Serverius Holding B.V.	NL	unknown
—	—	5.45.111.91:13655	—	netcup GmbH	DE	unknown
—	—	5.45.199.75:13655	—	YANDEX LLC	RU	whitelisted
—	—	138.197.92.93:13655	—	Digital Ocean, Inc.	US	unknown

Domain	IP	Reputation
mbfce24rgn65bx3g.hp8ewo.net	—	unknown
mbfce24rgn65bx3g.0ny42p.com	—	malicious

Process	Message
Sage Ransomware.exe	hb xwfqbbu ??????????????????
Sage Ransomware.exe	sodi qf mbs jvbf uiuuos tsuuiof hbbu lfo tuw uttuu?????
Sage Ransomware.exe	ebifpj bjgoveftefhpspmcpeg6A
Sage Ransomware.exe	obtjhjhj qe bosfssuftfjj fbfxpdvpstbcupte ibe 6?6??A?=
Sage Ransomware.exe	fss usdqhu vstspj qvjuobefo vbp tqo????????????????????????
Sage Ransomware.exe	bdz x efoq g
Sage Ransomware.exe	ve ipfdfimottfbpsutowe tbf obojfjs jbfes ??6=
Sage Ransomware.exe	cbit bd htu v oofoih vbs cdpii sfihhcf
Sage Ransomware.exe	cbit bd htu v oofoih vbs cdpii sfihhcf

General Info

Sage Ransomware

F912741E9979C034ABE1BEEE443EC767

C49B3547096BDD6ED23C146A1CD320B45AC69437

4CD2F040B676D4B3613595D5AC2E3F99FE87ECA2492A6455FE4D69F557B448CE

12288:nN1aeD61Vw4TEfAmbFa0vfWHvCaL8fnI1803u9C1fGae1f:nN1avzENJtvfWHvZAfn18u81reh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Writes to a start menu file

Dropped file may contain instructions of ransomware

SUSPICIOUS

Application launched itself

Modifies the open verb of a shell class

Starts MSHTA.EXE for opening HTA or HTMLS files

Creates files like Ransomware instruction

Creates files in the user directory

Changes the desktop background image

Creates files in the program directory

Executes scripts

INFO

Reads internet explorer settings

Dropped object may contain URL to Tor Browser

Dropped object may contain TOR URL's

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings