Automated Malware Analysis Report For
Total Page:16
File Type:pdf, Size:1020Kb
ID: 351331 Cookbook: browseurl.jbs Time: 15:08:12 Date: 10/02/2021 Version: 31.0.0 Emerald Table of Contents Table of Contents 2 Analysis Report https://pub.lucidpress.com/0b597a37-4b38-4f16-a698- 8076bb6f34d1/ 4 Overview 4 General Information 4 Detection 4 Signatures 4 Classification 4 Startup 4 Malware Configuration 4 Yara Overview 4 Sigma Overview 4 Signature Overview 4 AV Detection: 5 Compliance: 5 Mitre Att&ck Matrix 5 Behavior Graph 5 Screenshots 6 Thumbnails 6 Antivirus, Machine Learning and Genetic Malware Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 7 Domains and IPs 8 Contacted Domains 8 Contacted URLs 8 URLs from Memory and Binaries 8 Contacted IPs 9 Public 10 General Information 10 Simulations 11 Behavior and APIs 11 Joe Sandbox View / Context 11 IPs 11 Domains 11 ASN 11 JA3 Fingerprints 11 Dropped Files 11 Created / dropped Files 12 Static File Info 20 No static file info 20 Network Behavior 20 Network Port Distribution 20 TCP Packets 20 UDP Packets 22 DNS Queries 23 DNS Answers 23 HTTPS Packets 24 Code Manipulations 29 Statistics 29 Behavior 29 System Behavior 29 Copyright null 2021 Page 2 of 30 Analysis Process: iexplore.exe PID: 5580 Parent PID: 792 29 General 29 File Activities 30 Registry Activities 30 Analysis Process: iexplore.exe PID: 664 Parent PID: 5580 30 General 30 File Activities 30 Registry Activities 30 Disassembly 30 Copyright null 2021 Page 3 of 30 Analysis Report https://pub.lucidpress.com/0b597a37-4…b38-4f16-a698-8076bb6f34d1/ Overview General Information Detection Signatures Classification Sample URL: https://pub.lucidpres s.com/0b597a37-4b38-4f1 AAnntttiiivviiirrruuss /// SSccaannnneerrr ddeettteecctttiiioonn fffoorrr ssuubb… 6-a698-8076bb6f34d1/ Antivirus / Scanner detection for sub Analysis ID: 351331 Most interesting Screenshot: Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Score: 48 Range: 0 - 100 Whitelisted: false Confidence: 100% Startup System is w10x64 iexplore.exe (PID: 5580 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596) iexplore.exe (PID: 664 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5580 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) cleanup Malware Configuration No configs have been found Yara Overview No yara matches Sigma Overview No Sigma rule has matched Signature Overview Copyright null 2021 Page 4 of 30 • AV Detection • Compliance • Networking • System Summary Click to jump to signature section AV Detection: Antivirus / Scanner detection for submitted sample Compliance: Uses new MSVCR Dlls Uses secure TLS version for HTTPS connections Binary contains paths to debug symbols Mitre Att&ck Matrix Command Remote Initial Privilege Defense Credential Lateral and Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Effects Effects Impact Valid Windows Path Process Masquerading 1 OS File and Remote Data from Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Management Interception Injection 1 Credential Directory Services Local Over Other Channel 2 Insecure Track Device System Instrumentation Dumping Discovery 1 System Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Process LSASS Application Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Injection 1 Memory Window Desktop Removable Over Application Redirect Phone Wipe Data Lockout Initialization Initialization Discovery Protocol Media Bluetooth Layer Calls/SMS Without Scripts Scripts Protocol 1 Authorization Domain At (Linux) Logon Script Logon Obfuscated Files Security Query SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) Script or Information Account Registry Admin Shares Network Exfiltration Layer Track Device Device Device (Windows) Manager Shared Protocol 2 Location Cloud Data Drive Backups Behavior Graph Copyright null 2021 Page 5 of 30 Hide Legend Behavior Graph Legend: ID: 351331 Process URL: https://pub.lucidpress.com/... Signature Startdate: 10/02/2021 Architecture: WINDOWS Created File Score: 48 DNS/IP Info Is Dropped Is Windows Process www.lucidpress.com app.lucidpress.com Number of created Registry Values Number of created Files started Visual Basic Antivirus / Scanner detection for submitted Delphi sample Java .Net C# or VB.NET C, C++ or other language iexplore.exe Is malicious Internet 1 74 started iexplore.exe 2 47 www.google.co.uk stats.l.doubleclick.net 172.217.22.195, 443, 49713, 49714 173.194.76.155, 443, 49709, 49710 5 other IPs or domains GOOGLEUS GOOGLEUS United States United States Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright null 2021 Page 6 of 30 Antivirus, Machine Learning and Genetic Malware Detection Initial Sample Source Detection Scanner Label Link https://pub.lucidpress.com/0b597a37-4b38-4f16-a698-8076bb6f34d1/ 0% Virustotal Browse https://pub.lucidpress.com/0b597a37-4b38-4f16-a698-8076bb6f34d1/ 0% Avira URL Cloud safe https://pub.lucidpress.com/0b597a37-4b38-4f16-a698-8076bb6f34d1/ 100% SlashNext Fake Login Page type: Phishing & Social Engineering Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link www.google.co.uk 0% Virustotal Browse URLs Copyright null 2021 Page 7 of 30 Source Detection Scanner Label Link https://js.hsleadflows.net/leadflows.js 0% URL Reputation safe https://js.hsleadflows.net/leadflows.js 0% URL Reputation safe https://js.hsleadflows.net/leadflows.js 0% URL Reputation safe https://js.hsleadflows.net/leadflows.js 0% URL Reputation safe https://analytics.lucid.app 0% Avira URL Cloud safe https://www.google.%/ads/ga-audiences? 0% URL Reputation safe https://www.google.%/ads/ga-audiences? 0% URL Reputation safe https://www.google.%/ads/ga-audiences? 0% URL Reputation safe hammerjs.github.io/ 0% Avira URL Cloud safe https://lucidspark.com/contact/contact-sales 0% Avira URL Cloud safe brandon.aaron.sh) 0% Avira URL Cloud safe https://www.lucidspark.com/enterprise 0% Avira URL Cloud safe https://www.preprodchart.com 0% Avira URL Cloud safe https://analytics.app.preprodchart.com 0% Avira URL Cloud safe https://analytics.app.preprodpress.com 0% Avira URL Cloud safe www.wikipedia.com/ 0% URL Reputation safe www.wikipedia.com/ 0% URL Reputation safe www.wikipedia.com/ 0% URL Reputation safe https://analytics.lucidchart.eu 0% Avira URL Cloud safe Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation www.lucidpress.com 99.86.159.56 true false high app.lucidpress.com 3.209.16.152 true false high stats.l.doubleclick.net 173.194.76.155 true false high www.google.co.uk 172.217.22.195 true false 0%, Virustotal, Browse unknown d2pjrbs8oo6puz.cloudfront.net 13.226.169.69 true false high pub.lucidpress.com unknown unknown false high stats.g.doubleclick.net unknown unknown false high Contacted URLs Name Malicious Antivirus Detection Reputation https://pub.lucidpress.com/0b597a37-4b38-4f16-a698-8076bb6f34d1/ false high URLs from Memory and Binaries Name Source Malicious Antivirus Detection Reputation https://player.vimeo.com/api/player.js viewer[1].js.2.dr false high https://www.lucidpress.com viewer[1].js.2.dr false high https://player.vimeo.com/video/ viewer[1].js.2.dr false high https://lucidpress.zendesk.com/hc viewer[1].js.2.dr false high viewer[1].js.2.dr false high https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v 3.2 https://www.youtube.com/embed/ viewer[1].js.2.dr false high https://pub.lucidpress.com/0b597a37-4b38-4f16-a698- {F912A7F2-6BF4-11EB-90E6-ECF4B false high 8076bb6f34d1/Root B82F7E0}.dat.1.dr https://d2pjrbs8oo6puz.cloudfront.net/0b597a37-4b38- 0b597a37-4b38-4f16-a698-8076bb false high 4f16-a698-8076bb6f34d1/thumb-0.png 6f34d1[1].htm.2.dr www.amazon.com/ msapplication.xml.1.dr false high https://pub.lucidpress.com/0b597a37-4b38-4f16-a698- ~DF0ACE495C2FE58817.TMP.1.dr false high 8076bb6f34d1/ g.co/ng/security#xss viewer[1].js.2.dr false high https://js.hsleadflows.net/leadflows.js viewer[1].js.2.dr false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe https://www.lucidpress.com/favicon.ico?v=3 imagestore.dat.2.dr, 0b597a37-4b38- false high 4f16-a698-8076bb6f34d1[1].htm.2.dr https://analytics.lucid.app viewer[1].js.2.dr false Avira URL Cloud: safe unknown Copyright null 2021 Page 8 of 30 Name Source Malicious Antivirus Detection Reputation momentjs.com/guides/#/warnings/add-inverted-param/ viewer[1].js.2.dr false high www.twitter.com/ msapplication.xml5.1.dr false high support.lucidpress.com viewer[1].js.2.dr false high https://www.google.%/ads/ga-audiences? ga[1].js.2.dr false URL Reputation: safe low URL Reputation: safe URL Reputation: safe www.opensource.org/licenses/mit-license.php viewerDeps[1].js.2.dr false high momentjs.com/guides/#/warnings/js-date/ viewer[1].js.2.dr false high https://github.com/jquery/jquery/issues/2267 viewerDeps[1].js.2.dr false high https://fast.wistia.com/assets/external/E-v1.js viewer[1].js.2.dr false high https://www.lucidpress.com/business/pricing/index.html viewer[1].js.2.dr false high www.reddit.com/ msapplication.xml4.1.dr false high https://salesforce-api.lucidchart.com/ viewer[1].js.2.dr false high www.apache.org/licenses/LICENSE-2.0