Hosted document: File Type: pdf, Total Pages: 16, Size: 1020 KB
DYNAMIC ANALYSIS REPORT #5908906

Verdict: MALICIOUS
Classifications: Spyware, PUA
Threat Names: App/Generic-JJ, Gen:Heur.Bodegun.1, Gen:Application.Heur.yq0@kibVd8eO
Verdict Reason: -

Sample Type: Windows Exe (x86-32)
Sample Name: NoVirus.exe
ID: #2186201
MD5: ac3abed311b8d059b6691f926f0eb4b1
SHA1: 68bccd43882b24326647161d903b669de3c9a61c
SHA256: 35bed955c70565129adc8c506493f3cea00927f466a804094086f4599eb8ff44
File Size: 816.50 KB
Report Created: 2021-04-28 01:14 (UTC+2)
Target Environment: win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 69

OVERVIEW

VMRay Threat Identifiers (15 rules, 23 matches)

Score | Category | Operation | Count | Classification

5/5 | Data Collection | Tries to read cached credentials of various applications | 1 | Spyware
• Tries to read sensitive data of: Mozilla Firefox, Opera, Internet Explorer, Vivaldi, SeaMonkey, Yandex Browser, Safari, Internet Explorer / Edge.

4/5 | Antivirus | Malicious content was detected by heuristic scan | 1 | -
• Built-in AV detected the sample itself as "Gen:Heur.Bodegun.1".

2/5 | Data Collection | Reads sensitive browser data | 8 | -
• (Process #41) webbrowserpassview.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
• (Process #41) webbrowserpassview.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
• (Process #41) webbrowserpassview.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #41) webbrowserpassview.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #41) webbrowserpassview.exe tries to read sensitive data of web browser "Yandex Browser" by file.
• (Process #41) webbrowserpassview.exe tries to read sensitive data of web browser "Vivaldi" by file.
• (Process #41) webbrowserpassview.exe tries to read sensitive data of web browser "Safari" by file.
• (Process #41) webbrowserpassview.exe tries to read sensitive data of web browser "Opera" by file.

2/5 | Hide Tracks | Deletes file after execution | 1 | -
• (Process #1) novirus.exe deletes executed executable "c:\users\rdhj0cnfevzx\desktop\webbrowserpassview.exe".

2/5 | Data Collection | Reads sensitive application data | 1 | -
• (Process #41) webbrowserpassview.exe tries to read sensitive data of application "SeaMonkey" by file.

2/5 | Antivirus | Suspicious content was detected by heuristic scan | 1 | -
• Built-in AV detected the dropped file C:\Users\RDhJ0CNFevzX\Desktop\WebBrowserPassView.exe as "Gen:Application.Heur.yq0@kibVd8eO".

2/5 | Reputation | Known suspicious file | 1 | PUA
• Reputation analysis labels file "C:\Users\RDhJ0CNFevzX\Desktop\WebBrowserPassView.exe" as "App/Generic-JJ".

1/5 | Persistence | Installs system startup script or application | 1 | -
• (Process #10) reg.exe adds "0" to Windows startup via registry.

1/5 | Discovery | Enumerates running processes | 1 | -
• (Process #41) webbrowserpassview.exe enumerates running processes.

1/5 | Discovery | Possibly does reconnaissance | 2 | -
• (Process #41) webbrowserpassview.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #41) webbrowserpassview.exe tries to gather information about application "SeaMonkey" by file.

1/5 | Crash | A monitored process crashed | 1 | -
• (Process #1) novirus.exe crashed.

1/5 | Obfuscation | Resolves API functions dynamically | 1 | -
• (Process #41) webbrowserpassview.exe resolves 39 API functions by name.

1/5 | Execution | Executes itself | 1 | -
• (Process #1) novirus.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\novirus.exe.

1/5 | Execution | Drops PE file | 1 | -
• (Process #1) novirus.exe drops file "C:\Users\RDhJ0CNFevzX\Desktop\WebBrowserPassView.exe".

1/5 | Execution | Executes dropped PE file | 1 | -
• Executes dropped file "C:\Users\RDhJ0CNFevzX\Desktop\WebBrowserPassView.exe".

- | Trusted | Known clean file | 2 | -
• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\o2nehvkr.rbs.ps1" is a known clean file.
• File "pass.txt" is a known clean file.

Mitre ATT&CK Matrix

Each technique in the matrix maps to exactly one tactic; no techniques were mapped to Initial Access, Execution, Privilege Escalation, Lateral Movement, Command and Control, Exfiltration or Impact.

Tactic | Technique
Persistence | #T1060 Registry Run Keys / Startup Folder
Defense Evasion | #T1112 Modify Registry
Collection | #T1119 Automated Collection
Credential Access | #T1081 Credentials in Files
Discovery | #T1083 File and Directory Discovery
Collection | #T1005 Data from Local System
Discovery | #T1057 Process Discovery
Credential Access | #T1214 Credentials in Registry
Discovery | #T1012 Query Registry
Discovery | #T1217 Browser Bookmark Discovery
Credential Access | #T1003 Credential Dumping
Defense Evasion | #T1045 Software Packing

Sample Information

ID: 5908906
MD5: ac3abed311b8d059b6691f926f0eb4b1
SHA1: 68bccd43882b24326647161d903b669de3c9a61c
SHA256: 35bed955c70565129adc8c506493f3cea00927f466a804094086f4599eb8ff44
SSDeep: 24576:jZ7V+4s+PtY/XIq3bZ7V+4s+PtY/XIq3v:jRV+uY/zRV+uY/
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
Filename: NoVirus.exe
File Size: 816.50 KB
Sample Type: Windows Exe (x86-32)
Has Macros:

Analysis Information

Creation Time: 2021-04-28 01:14 (UTC+2)
Analysis Duration: 00:03:34
Termination Reason: Sample crashed
Number of Monitored Processes: 45
Execution Successful: False
Reputation Analysis: Enabled
WHOIS: Enabled
Built-in AV: Enabled
Built-in AV Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches: 2
YARA: Enabled
YARA Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches: 0

Screenshots truncated.

NETWORK

General
0 bytes total sent
0 bytes total received
0 ports
0 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected

DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors

HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received

DNS Requests: -
HTTP Requests: -

BEHAVIOR

Process Graph (figure; only the process inventory is recoverable from the extracted text). Sample Start: #1 novirus.exe. Monitored processes in the graph: #2 cmd.exe, #4 reg.exe, #5 reg.exe, #6 reg.exe, #7 reg.exe, #8 reg.exe, #9 reg.exe, #10 reg.exe, #11 ipconfig.exe, #12 netsh.exe, #13 powershell.exe, #14 net.exe, #15 net1.exe, #16 net.exe, #17 net1.exe, #18 net.exe, #19 net1.exe, #20 sc.exe, #21 sc.exe, #22 System, #23 services.exe, #24 svchost.exe, #25 svchost.exe, #26 svchost.exe, #27 svchost.exe, #28 svchost.exe, #29 svchost.exe, #30 svchost.exe, #31 svchost.exe, #32 svchost.exe, #33 spoolsv.exe, #34 officeclicktorun.exe, #35 svchost.exe, #36 svchost.exe, #37 wmiapsrv.exe, #38 svchost.exe, #39 svchost.exe, #40 trustedinstaller.exe, #41 webbrowserpassview.exe, #42 shutdown.exe, #43 svchost.exe, #44 novirus.exe, #45 dllhost.exe, #46 werfault.exe. Edges are labelled "Child Process", except that #22 System and #23 services.exe are reached via "Created Daemon" edges.

Process #1: novirus.exe

ID: 1
Filename: c:\users\rdhj0cnfevzx\desktop\novirus.exe
Command Line: "C:\Users\RDhJ0CNFevzX\Desktop\NoVirus.exe"
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 108761 (Reason: Analysis Target)
Unmonitor End Time: 316457 (Reason: Crashed)
Monitor Duration: 207.70s
Return Code: 3762504530
PID: 2720
Parent PID: 2132
Bitness: 32 Bit

Dropped Files (2)

Filename | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\Desktop\HACKED.bat | 1.35 KB | 831fc560146de4a3d1a0b49e8f34f55f1f50d7a32c92e3c8010890d7ace90bfd | -
C:\Users\RDhJ0CNFevzX\Desktop\WebBrowserPassView.exe | 391.50 KB | f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe | -

Host Behavior

Type | Count
Module | 8
Window | 3
Registry | 3
Process | 1
File | 15

Process #2: cmd.exe

ID: 2
Filename: c:\windows\syswow64\cmd.exe
Command Line: "C:\Windows\System32\cmd.exe" /C "C:\Users\RDhJ0CNFevzX\Desktop\HACKED.bat"
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 163012 (Reason: Child Process)
Unmonitor End Time: 294944 (Reason: Terminated)
Monitor Duration: 131.93s
Return Code: 0
PID: 4120
Parent PID: 2720
Bitness: 32 Bit

Host Behavior

Type | Count
Module | 8
Registry | 17
File | 259
Environment | 176
System | 1
Process | 17
- | 1

Process #4: reg.exe

ID: 4
Filename: c:\windows\syswow64\reg.exe
Command Line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal