ID: 373541 Sample Name: hwi_700.exe Cookbook: default.jbs Time: 01:19:32 Date: 23/03/2021 Version: 31.0.0 Emerald Table of Contents Table of Contents 2 Analysis Report hwi_700.exe 5 Overview 5 General Information 5 Detection 5 Signatures 5 Classification 5 Analysis Advice 5 Startup 5 Malware Configuration 5 Yara Overview 6 Sigma Overview 6 Signature Overview 6 Data Obfuscation: 6 Lowering of HIPS / PFW / Operating System Security Settings: 6 Mitre Att&ck Matrix 6 Behavior Graph 7 Screenshots 8 Thumbnails 8 Antivirus, Machine Learning and Genetic Malware Detection 9 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 10 URLs 10 Domains and IPs 11 Contacted Domains 11 URLs from Memory and Binaries 11 Contacted IPs 15 Public 15 Private 15 General Information 15 Simulations 16 Behavior and APIs 16 Joe Sandbox View / Context 17 IPs 17 Domains 17 ASN 17 JA3 Fingerprints 17 Dropped Files 17 Created / dropped Files 17 Static File Info 23 General 24 File Icon 24 Static PE Info 24 General 24 Authenticode Signature 24 Entrypoint Preview 24 Data Directories 25 Sections 26 Resources 26 Imports 27 Version Infos 27 Possible Origin 27 Network Behavior 28 UDP Packets 28 Copyright Joe Security LLC 2021 Page 2 of 48 Code Manipulations 29 Statistics 29 Behavior 29 System Behavior 29 Analysis Process: hwi_700.exe PID: 5524 Parent PID: 5656 29 General 29 File Activities 29 File Created 29 File Deleted 30 File Written 30 File Read 30 Analysis Process: hwi_700.tmp PID: 3176 Parent PID: 5524 31 General 31 File Activities 31 File Created 31 File Deleted 32 File Moved 32 File Written 32 File Read 35 Registry Activities 36 Key Created 36 Key Value Created 36 Analysis Process: svchost.exe PID: 68 Parent PID: 568 39 General 39 File Activities 39 Analysis Process: svchost.exe PID: 4456 Parent PID: 568 39 General 39 File Activities 39 Registry Activities 40 Analysis Process: svchost.exe PID: 6048 Parent PID: 568 40 General 40 File Activities 40 Analysis Process: svchost.exe PID: 4604 Parent PID: 568 40 General 40 Analysis Process: svchost.exe PID: 2344 Parent PID: 568 40 General 40 File Activities 41 Analysis Process: svchost.exe PID: 1320 Parent PID: 568 41 General 41 File Activities 41 Analysis Process: svchost.exe PID: 5540 Parent PID: 568 41 General 41 Registry Activities 41 Analysis Process: svchost.exe PID: 6160 Parent PID: 568 42 General 42 Analysis Process: SgrmBroker.exe PID: 6240 Parent PID: 568 42 General 42 Analysis Process: svchost.exe PID: 6252 Parent PID: 568 42 General 42 File Activities 42 Analysis Process: svchost.exe PID: 6276 Parent PID: 568 43 General 43 Registry Activities 43 Analysis Process: HWiNFO64.EXE PID: 6404 Parent PID: 3176 43 General 43 File Activities 43 File Created 43 File Deleted 43 File Written 44 Registry Activities 45 Key Created 45 Analysis Process: svchost.exe PID: 6592 Parent PID: 568 45 General 45 File Activities 45 Analysis Process: MpCmdRun.exe PID: 6256 Parent PID: 6276 46 General 46 File Activities 46 File Written 46 Analysis Process: conhost.exe PID: 5720 Parent PID: 6256 47 General 47 Disassembly 48 Code Analysis 48 Copyright Joe Security LLC 2021 Page 3 of 48 Copyright Joe Security LLC 2021 Page 4 of 48 Analysis Report hwi_700.exe Overview General Information Detection Signatures Classification Sample hwi_700.exe Name: DDeettteeccttteedd uunnppaacckkiiinngg (((cchhaannggeess PPEE ssee… Analysis ID: 373541 CDChehataenncggteesds susenecpcuuarrrciiittktyyi n ccgee n(ncttteherrar snsegettettttiisinn gPgssE (( (nsnoeo… MD5: f332037f0b58957… ACAVhV a ppnrrrgooeccese sssse scstuttrrrriiinintgyg ssc efffoonuutennrdd s (((eootfffttttienengn s uu s(sneeo… SHA1: 31dcf1615b32730… Ransomware AAnVnttt iiipvviriirroruucsse osorsrr Mstaraicnchhgiiisnn eefo LLueenaadrrr n(noiiinnftgge ndd eeutttseeecc… Miner Spreading SHA256: c42c2a82438dc7… CAChnheteivccikkrsus s iiif ff o AArn nMtttiiivaviicirrruhusisn///AeA nnLttteiiissapprynywwinaagrrr eed///eFFtiieirrrece… mmaallliiiccciiioouusss Infos: malicious Evader Phishing CCohonentctaakiinsn ssif ccAaanpptaiavbbiriiluliittsiiee/Ass n ttotoi s ddpeeyttweecactrt evv/iirFrttuiuraea sssuusssppiiiccciiioouusss CCoonntttaaiiinnss ccaappaabbiiillliiitttiiieess tttoo ddeettteeccttt vviiirrrtttuuaa… suspicious Most interesting Screenshot: cccllleeaann CCoonntttaaiiinnss ffcfuuannpccatttiibiooinlnitaaiellliiitsttyy t tottoo d aaecctcececests svs i lrllootuaaadd… clean Exploiter Banker CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo cacacallcllll e nnsaasttti iivlvoeea ffdf… CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo cchahelel ccnkka itiiffif v aae w wf… Spyware Trojan / Bot Adware CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo ccohomecmk uuifnn aiiicc awa… Score: 26 Range: 0 - 100 CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo dcdyoynmnaammuiiicncaaiclllllalyy… Whitelisted: false CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo lldlaayuunnnaccmhh i aca a ppllrrry… Confidence: 60% CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo qlqauuueenrrrcyyh lllo oacc apallrlee… CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo sqshuhueuttrtddyo olwowcnna //l/ e … CCrroreenaattatteeinss s aa f uppnrrroocctcieoesnsssa liiinnty s stuuoss sppheeunntddeeoddw mn o/o … Analysis Advice CCrrreeaattteess dadrr ripiivvreeorrrc ffefiiillsleesss in suspended mo CCrrreeaattteess ffdfiiillrleeivsse iiirnn sfsiiliidedese ttthhee ssyyssttteem ddiiirrreecc… Sample drops PE files which have not been started, submit dropped PE samples for a secondCCarreeyaa atteenssa flfiyilleesssis iin ntsosii ddJeeo tethh eSe a ssnyysdstbteeomx ddiirreecc… Creates files inside the system direc Sample tries to load a library which is not present or installed on the analysis machine, addinDCDge retetthteaeectce tttleesibd df r i plapeorosyttt ee inmnstttiiiagdallhel cc ttr rrhyryeppv tttsooey affsfuult nenmcmctottii iorodennir ebcehavior DDrrerootpepscs t PePdEE p fffiioillleetessntial crypto function EDEnrnoaapbbslllee Pss E dd rrrfiiivlveeesrrr pprrriiivviiillleeggeess EExnxttateebnnlsesiisivv eed ruuivsseer oopfffr GivieeletttPgPrerroosccAAddddrrreessss (((oo… FEFoxoutuennndds didvrrreoo puppspeed do PfP GEE e fffiitillPlee r wowchhAiiiccdhhd hrheaassss n n(oo… Startup FFoouunndd edevrvoaapsspiiivveeed A APPPEIII cfcihlheaa iwiinnh (((idcdahat ttehe a ccshh enecockk))) FFoouunndd pepovotatteesnnivtttiieiaa lllA ssPtttrrrIiii nncggh addienec c(rrrdyyappttteiiioo ncnh ///e aac…k) System is w10x64 hwi_700.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\hwi_700.exe' MD5: F332037F0BMF5oa8auy9yn 5 ssd7llle eDpeeo2ppt4 e ((F(nee6tvviDaalsEs siiiCvvtere2i n 7lllogoEo od9ppe1ssc2))) r 2 tytto8op 7 hthi)oiiinnndd e/e rarr … hwi_700.tmp (PID: 3176 cmdline: 'C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp' /SL5='$11021C,8777995,123392,C:\Users\user\Desktop\hwi_700.exe' Moaonyni iittstoolerrrsse pcce e(rrertttavaaiiinns irrrveeegg iilisosttotrrrypy s kk)ee tyyoss h /// i nvvadalelluur… MD5: 751D4F1D0F96F1DF71F778391555E52B) HWiNFO64.EXE (PID: 6404 cmdline: 'C:\Program Files\HWiNFO64\HWiNFO64.EPXMPEEo ' n fff iiiMlltleeo D rccs5oo c:nn e5tttaar9tiiinaFnsi9sn Ba arAnen g1 iiininDsvvt2araDylllii idCdk e 4ccyh9hse0e cA/c kvk5sas1uulEum3779EB26D8F9A3) svchost.exe (PID: 68 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA) PPEE fffiiilllee ccoonntttaaiiinnss eaexnxe eicncuvutattaalbibdllle ec hrrreesscookusurrurccmee… svchost.exe (PID: 4456 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA) svchost.exe (PID: 6048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32PP5E6E9 fffEiiilllee4 0cc3oo2nn7tttaa9iiinBns3s FsestDtxtrrrae2ancEnuggDteeaB brrr7eeleEss oBoreuuDsrrrc0oce3eus6src2e73FA) svchost.exe (PID: 4604 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA) QPEuue efrrirliiiee ssc oddniiisstkak i iniinnsfffo osrrrtmraaantttigiiooenn r ((e(oosffftotteeunnr c uuessseedd… svchost.exe (PID: 2344 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA) svchost.exe (PID: 1320 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDQPuuSeevrrrciiiee Mss Dttdthhi5ese:k v3v io2onll5lfuuo6mr9meeE a i4iintni0foffo3onrr2r m(7oa9aftBttieiioo3nnnF u D(((nsn2eaaEdmD…B7EBD036273FA) svchost.exe (PID: 5540 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA) SQSaaumerppielllees eethxxee ccvuuotttliiiuoomnn esst ttoionppfoss r wmwhhaiiitllleieo npp rrr(oonccaeem… svchost.exe (PID: 6160 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA) SgrmBroker.exe (PID: 6240 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170ASS3aaFm3ppAllle9e 6 ffefii2illxlee6e 5iiciss9u d7dtiiEioiffffffnEee rErrseet1non8ttpt 8 ttsth8h aw6an8nh 6 ioloeErrri i3igpgEiirinnoAaac6llel )… svchost.exe (PID: 6252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA) SSttatoomrrreepssl e fffi iillfleielses tittoso dttthhifeefe Wreiinintdd toohwwasns sosttrtaaigrrrtitt n maele … svchost.exe (PID: 6276 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrSeStstootrrieecstse ffdiille e-sps t-toos twthhseec Wsviicnn ddMooDww5ss: ss3tta2ar5rtt 6 m9eEe…403279B3FD2EDB7EBD036273FA) MpCmdRun.exe (PID: 6256 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.TSTerrtrxiioieers'se - stttwoo f d illloeoasnad adt ob m lteiihis seMss iiinWDngg5i