ID: 214929 Sample Name: wiyqq.exe Cookbook: default.jbs Time: 12:12:41 Date: 12/03/2020 Version: 28.0.0 Lapis Lazuli

Copyright Joe Security LLC 2020

Analysis Report wiyqq.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 214929
Start date: 12.03.2020
Start time: 12:12:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: wiyqq.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winEXE@1/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 100% (good quality ratio 35.9%)
Quality average: 26%
Quality standard deviation: 39%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe
Timeout during Intezer genetic analysis for /opt/package/joesandbox/database/analysis/214929/sample/wiyqq.exe
Timeout during Intezer genetic analysis for unpackpe/0.2.wiyqq.exe.7ff69c740000.1.unpack

Detection

Strategy: Threshold
Score: 4
Range: 0 - 100
Whitelisted: false

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification Spiderchart

Spiderchart (figure): axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale clean, suspicious, malicious.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: File System Logical Offsets; Binary Padding; Rootkit; Obfuscated Files or Information; Masquerading; DLL Search Order Hijacking
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: System Time Discovery 1; Account Discovery 1; System Owner/User Discovery 1; Security Software Discovery 1; File and Directory Discovery 1; System Information Discovery 1 3
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol 1; Commonly Used Port 1; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview

• Spreading
• System Summary
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Remote Access Functionality

Spreading:

Contains functionality to enumerate / list files inside a directory

System Summary:

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Classification label

Contains functionality for error logging

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

PE file has an .text section and no other executable section

Reads software policies

Uses an in-process (OLE) Automation server

Executable creates window controls seldom found in malware

PE file has a high image base, often used for DLLs

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

PE file contains a valid data directory to section mapping

Malware Analysis System Evasion:

Found large amount of non-executed APIs

Program does not show much activity (idle)

Contains functionality to enumerate / list files inside a directory

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Contains functionality to register its own exception handler

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Contains functionality to query local / system time

Contains functionality to query the account / user name

Contains functionality to query windows version

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Malware Configuration

No configs have been found

Behavior Graph

Behavior graph (figure): ID: 214929, Sample: wiyqq.exe, Startdate: 12/03/2020, Architecture: WINDOWS, Score: 4. The graph shows a single started process, wiyqq.exe, programmed in C, C++ or other language. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious, Internet, language indicators (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language).

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
wiyqq.exe | 0% | Virustotal |
wiyqq.exe | 0% | Metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
wiyqq.exe (PID: 3300, cmdline: 'C:\Users\user\Desktop\wiyqq.exe', MD5: F5E5DF6C9D62F4E940B334954A2046FC)
cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.725622622439139
TrID:
  Win64 Executable GUI (202006/5) 92.65%
  Win64 Executable (generic) (12005/4) 5.51%
  Generic Win/DOS Executable (2004/3) 0.92%
  DOS Executable Generic (2002/1) 0.92%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: wiyqq.exe
File size: 165888
MD5: f5e5df6c9d62f4e940b334954a2046fc
SHA1: 267d05ce8d10d97620be1c7773757668baeb19ee
SHA256: 47cacd60d91441137d055184614b1a418c0457992977857a76ca05c75bbc1b56
SHA512: f9a0425ab09706ff070a82b214eabe3f396c427f3ee486dd729b65af370112dde10d2bfe8d4670e44e72607bd5881fdeceabef74b9d79709b007d5eff82726a5
SSDEEP: 3072:JmpjcDrUzmyV5p5zeV3BNUVM1duWUZxtt:JmxcDrU+XzXunZh
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... +...... p...... Rich...... PE..d..

File Icon

Icon Hash: 2e8e10e8a8a87800

Static PE Info

General
Entrypoint: 0x140002ba0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x3AEDD64C [Mon Apr 30 21:17:00 2001 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 0f71d5f6f4cbb935ce1b09754102419c

Entrypoint Preview

Instruction
inc eax
push ebx
dec eax
sub esp, 00000090h
call 00007FF740F38BABh
dec eax
lea edx, dword ptr [000162CBh]
dec eax
lea ecx, dword ptr [000162BCh]
call 00007FF740F27330h
dec eax
lea edx, dword ptr [000162A8h]
dec eax
lea ecx, dword ptr [00016299h]
call 00007FF740F2731Dh
and dword ptr [esp+5Ch], 00000000h
dec eax
lea ecx, dword ptr [esp+20h]
call dword ptr [00015CD4h]
xor ecx, ecx
call dword ptr [00015CC4h]
xor ecx, ecx
dec eax
mov ebx, eax
call dword ptr [00015CB9h]
dec eax
mov ecx, eax
call 00007FF740F35C36h
test eax, eax
jne 00007FF740F273C7h
lea ebx, dword ptr [eax+01h]
jmp 00007FF740F273CCh
dec eax
mov ecx, ebx
call 00007FF740F28B15h
mov ebx, eax
dec eax
lea edx, dword ptr [00016277h]
dec eax
lea ecx, dword ptr [00016268h]
call 00007FF740F272CCh
dec eax
lea edx, dword ptr [00016274h]
dec eax
lea ecx, dword ptr [00016265h]
call 00007FF740F272B9h
mov ecx, ebx
call dword ptr [00015C80h]
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
xor edi, edi
dec eax
lea eax, dword ptr [00012575h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov ebx, ecx
mov dword ptr [ecx+08h], edi
dec eax
mov dword ptr [ecx+10h], edi

Rich Headers

Programming Language: [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1cc00 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cc38 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x9bb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x20000 | 0xd08 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2b000 | 0xa54 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1bcc0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x186d0 | 0x108 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x187d8 | 0x680 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13912 | 0x13a00 | False | 0.501268909236 | data | 6.16952237972 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x15000 | 0x9046 | 0x9200 | False | 0.378344392123 | data | 4.4244392294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1f000 | 0x804 | 0x200 | False | 0.298828125 | data | 2.24154698475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x20000 | 0xd08 | 0xe00 | False | 0.491908482143 | data | 4.7076974378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21000 | 0x9bb0 | 0x9c00 | False | 0.309870793269 | data | 4.36926499387 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2b000 | 0xa54 | 0xc00 | False | 0.371419270833 | data | 5.10383786599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
MUI | 0x2aac8 | 0xe8 | data | English | United States
TYPELIB | 0x231a8 | 0x50cc | data | English | United States
TYPELIB | 0x28278 | 0xca0 | data | English | United States
RT_ICON | 0x21d48 | 0x2e8 | data | English | United States
RT_ICON | 0x22030 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x22180 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4170156168, next used block 0 | English | United States
RT_ICON | 0x22468 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x225b8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4170156168, next used block 0 | English | United States
RT_ICON | 0x228a0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x229f0 | 0x2e8 | data | English | United States
RT_ICON | 0x22cd8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_STRING | 0x28f18 | 0x96 | data | English | United States
RT_STRING | 0x28fb0 | 0x1c0 | data | English | United States
RT_STRING | 0x29198 | 0x2a | Hitachi SH big-endian COFF, not stripped, 30208 sections, symbol offset=0x75006500 | English | United States
RT_STRING | 0x29170 | 0x26 | data | English | United States
RT_STRING | 0x2a158 | 0x602 | data | English | United States
RT_STRING | 0x2a760 | 0x180 | data | English | United States
RT_STRING | 0x2a8e0 | 0x1e6 | data | English | United States
RT_STRING | 0x29de8 | 0x264 | data | English | United States
RT_STRING | 0x291c8 | 0x1b0 | data | English | United States
RT_STRING | 0x29378 | 0x4c0 | data | English | United States
RT_STRING | 0x29838 | 0x394 | data | English | United States
RT_STRING | 0x29bd0 | 0x212 | AmigaOS bitmap font | English | United States
RT_STRING | 0x2a050 | 0xa8 | data | English | United States
RT_STRING | 0x2a0f8 | 0x5e | data | English | United States
RT_GROUP_ICON | 0x22158 | 0x22 | data | English | United States
RT_GROUP_ICON | 0x22e00 | 0x22 | data | English | United States
RT_GROUP_ICON | 0x229c8 | 0x22 | data | English | United States
RT_GROUP_ICON | 0x22590 | 0x22 | data | English | United States
RT_VERSION | 0x22e28 | 0x380 | data | English | United States
RT_MANIFEST | 0x216a0 | 0x6a3 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
msvcrt.dll | _swab, swprintf_s, strcpy_s, wcsrchr, _itow, _itow_s, memset, free, wcscat_s, _vsnwprintf, _wcsicmp, _wcsnicmp, wcsncmp, bsearch, _callnewh, malloc, sprintf_s, wcscpy_s, _vsnprintf, _beginthread, _endthread, __C_specific_handler, memcmp, memcpy, memmove, strcmp
OLEAUT32.dll | VariantCopy, CreateErrorInfo, VariantInit, SafeArrayCreate, SafeArrayPutElement, SafeArrayGetUBound, SafeArrayDestroy, LoadTypeLib, UnRegisterTypeLib, LoadTypeLibEx, SysAllocString, LoadRegTypeLib, SysFreeString, SysStringLen, SysAllocStringLen, VariantChangeType, SafeArrayCopy, VariantClear, SafeArrayGetLBound, SafeArrayGetElement, SysAllocStringByteLen, SetErrorInfo
KERNEL32.dll | DeleteCriticalSection, GetCurrentThreadId, InitializeCriticalSection, GetPrivateProfileIntW, GetModuleHandleA, GetStartupInfoA, ExitProcess, LeaveCriticalSection, GetLastError, GetLocaleInfoA, GetModuleFileNameA, GetLocaleInfoW, GetCommandLineW, GetProcessHeap, HeapAlloc, GetCommandLineA, MultiByteToWideChar, EnterCriticalSection, GetPrivateProfileIntA, GetPrivateProfileStringA, WideCharToMultiByte, CreateFileW, HeapReAlloc, HeapFree, UnmapViewOfFile, CreateFileMappingA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetTickCount, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetFullPathNameW, GetCPInfo, GetFileAttributesA, GetPrivateProfileStringW, GetACP, GetFileAttributesW, FindClose, FindFirstFileA, FindFirstFileW, GetConsoleMode, GetStdHandle, CreateEventA, CreateThread, SetEvent, GetUserDefaultLCID, FlushFileBuffers, GetTempFileNameA, GetSystemDirectoryA, CreateFileA, GetTempPathA, GetFileSize, LoadLibraryExA, WriteFile, MapViewOfFile, SearchPathW, GetVersionExA, CloseHandle, SetLastError, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetModuleFileNameW, GetVersionExW, FindResourceExW, LoadResource, GetFullPathNameA, FormatMessageA, LocalFree, FormatMessageW, GetProcAddress, CreateFileMappingW, FreeLibrary, LocalAlloc, LoadLibraryExW
USER32.dll | LoadStringW, IsWindowVisible, PostMessageA, MsgWaitForMultipleObjectsEx, GetClassNameA, SetTimer, RegisterClassA, DefWindowProcA, CreateWindowExA, TranslateMessage, GetClassInfoA, SendMessageA, EnumThreadWindows, PeekMessageA, PostThreadMessageA, GetWindowLongPtrA, GetMessageA, MsgWaitForMultipleObjects, LoadStringA, DispatchMessageA, KillTimer, PostQuitMessage, GetParent, SetWindowLongPtrA, MessageBoxW, GetActiveWindow, CharNextA
OLE32.dll | CoGetTreatAsClass, CreateFileMoniker, CoInitialize, CoUninitialize, CoMarshalInterThreadInterfaceInStream, CoGetInterfaceAndReleaseStream, CoCreateInstance, CreateBindCtx, CoInitializeSecurity, CLSIDFromProgID, CoRegisterMessageFilter, CLSIDFromString, CoRevokeClassObject, CoGetMalloc, CoRegisterClassObject, StringFromCLSID, MkParseDisplayName, CoGetClassObject
ADVAPI32.dll | RegQueryValueExA, LookupAccountNameW, RegOpenKeyExA, ReportEventW, RegisterEventSourceW, RegEnumKeyExA, IsTextUnicode, GetUserNameW, DeregisterEventSource, ImpersonateLoggedOnUser, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyA, RegSetValueA, RegDeleteKeyA, RegCreateKeyExA, RegCreateKeyExW, RegQueryValueA, RegQueryValueExW, RegOpenKeyExW, RegSetValueExW
VERSION.dll | GetFileVersionInfoSizeA, VerQueryValueA, GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoA, GetFileVersionInfoSizeW

Version Infos

Description | Data
LegalCopyright | Corporation. All rights reserved.
InternalName | wscript.exe
FileVersion | 5.812.10240.16384
CompanyName | Microsoft Corporation
ProductName | Script Host
ProductVersion | 5.812.10240.16384
FileDescription | Microsoft Windows Based Script Host
OriginalFilename | wscript.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: wiyqq.exe PID: 3300 Parent PID: 3264

General

Start time: 12:14:33
Start date: 12/03/2020
Path: C:\Users\user\Desktop\wiyqq.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\wiyqq.exe'
Imagebase: 0x7ff69c740000
File size: 165888 bytes
MD5 hash: F5E5DF6C9D62F4E940B334954A2046FC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis
