ID: 438228
Sample Name: prince_of_persia_P_v4_x86.exe
Cookbook: default.jbs
Time: 10:09:14
Date: 22/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents (page 2)
Windows Analysis Report prince_of_persia_P_v4_x86.exe (page 4)
  Overview (page 4)
    General Information (page 4)
    Detection (page 4)
    Signatures (page 4)
    Classification (page 4)
    Process Tree (page 4)
    Malware Configuration (page 4)
    Yara Overview (page 4)
      Initial Sample (page 4)
      Memory Dumps (page 4)
      Unpacked PEs (page 5)
  Sigma Overview (page 5)
    System Summary: (page 5)
  Signature Overview (page 5)
    AV Detection: (page 5)
    System Summary: (page 5)
    Malware Analysis System Evasion: (page 5)
    HIPS / PFW / Protection Evasion: (page 5)
    Lowering of HIPS / PFW / Operating System Security Settings: (page 6)
  Mitre Att&ck Matrix (page 6)
  Behavior Graph (page 6)
  Screenshots (page 7)
    Thumbnails (page 7)
  Antivirus, Machine Learning and Genetic Malware Detection (page 8)
    Initial Sample (page 8)
    Dropped Files (page 8)
    Unpacked PE Files (page 8)
    Domains (page 8)
    URLs (page 9)
  Domains and IPs (page 10)
    Contacted Domains (page 10)
    URLs from Memory and Binaries (page 10)
    Contacted IPs (page 10)
      Public (page 10)
  General Information (page 10)
  Simulations (page 10)
    Behavior and APIs (page 10)
  Joe Sandbox View / Context (page 11)
    IPs (page 11)
    Domains (page 11)
    ASN (page 11)
    JA3 Fingerprints (page 11)
    Dropped Files (page 12)
  Created / dropped Files (page 12)
  Static File Info (page 13)
    General (page 13)
    File Icon (page 14)
  Static PE Info (page 14)
    General (page 14)
    Entrypoint Preview (page 14)
    Data Directories (page 14)
    Sections (page 14)
    Imports (page 18)
  Network Behavior (page 18)
    Snort IDS Alerts (page 18)
    Network Port Distribution (page 18)
    TCP Packets (page 18)
    UDP Packets (page 18)
    ICMP Packets (page 18)
    DNS Queries (page 18)
    DNS Answers (page 18)
    HTTPS Packets (page 18)
  Code Manipulations (page 19)
  Statistics (page 19)
  Behavior (page 19)
    System Behavior (page 19)
      Analysis Process: prince_of_persia_P_v4_x86.exe PID: 6412 Parent PID: 5872 (page 19)
        General (page 19)
        File Activities (page 19)
      Analysis Process: conhost.exe PID: 6444 Parent PID: 6412 (page 19)
        General (page 19)
      Analysis Process: netsh.exe PID: 6520 Parent PID: 6412 (page 19)
        General (page 19)
        File Activities (page 20)
          File Created (page 20)
          File Written (page 20)
          File Read (page 20)
        Registry Activities (page 20)
  Disassembly (page 20)
    Code Analysis (page 20)

Copyright Joe Security LLC 2021

Windows Analysis Report prince_of_persia_P_v4_x86.exe

Overview

General Information

Sample Name: prince_of_persia_P_v4_x86.exe
Analysis ID: 438228
MD5: 28906318e1bfa9949cd086e807a0f220
SHA1: 4ef52c5ffc149a1dabfb748edbe137b5568f5c87
SHA256: 3c4c4cb0e9a48e8203ebe67da38dcfdc0d888213424ddd335a767f6a04e798ff
Tags: exe poshc2
Infos:
Most interesting Screenshot:
System is w10x64

Detection

Detection: malicious (scale: malicious / suspicious / clean)
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Sigma detected: Malicious Nishang PowerShell Commandlets
Sigma detected: NTFS Alternate Data Stream
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detec…
Contains functionality to check if a d…
Contains functionality to dynamically…
Contains functionality to query CPU …
Contains functionality to read the PEB
Contains functionality which may be…
Creates a DirectInput object (often fo…
Creates a process in suspended mo…
Detected potential crypto function
Enables debug privileges
Found a high number of Window / Us…
Found potential string decryption / a…
JA3 SSL client fingerprint seen in con…
May sleep (evasive loops) to hinder …
Monitors certain registry keys / value…
PE file contains more sections than …
PE file contains sections with non-s…
Queries the volume information (nam…
Sample file is different than original …
Uses 32bit PE files
Uses code obfuscation techniques (…
Uses insecure TLS / SSL version for (…
Yara signature match

Classification

Classification radar axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree

System is w10x64
prince_of_persia_P_v4_x86.exe (PID: 6412 cmdline: 'C:\Users\user\Desktop\prince_of_persia_P_v4_x86.exe' MD5: 28906318E1BFA9949CD086E807A0F220)
  conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  netsh.exe (PID: 6520 cmdline: C:\Windows\system32\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
prince_of_persia_P_v4_x86.exe | HKTL_NET_GUID_PoshC2_Misc | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x25fd6:$typelibguid1: 9d32ad59-4093-420d-b45c-5fff391e990d

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.476073027.00000000057C0000.00000004.00000001.sdmp | HKTL_NET_GUID_PoshC2_Misc | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0xeca:$typelibguid1: 9d32ad59-4093-420d-b45c-5fff391e990d
00000004.00000002.479488843.0000000006A73000.00000004.00000001.sdmp | SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth | 0x7db76:$: UVnFRQUFN; 0x97616:$: UVnFRQUFN
Process Memory Space: netsh.exe PID: 6520 | SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth | 0x3cfe33:$: UVnFRQUFN; 0x3dcb77:$: UVnFRQUFN

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.netsh.exe.57c0000.6.raw.unpack | HKTL_NET_GUID_PoshC2_Misc | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0xeca:$typelibguid1: 9d32ad59-4093-420d-b45c-5fff391e990d
4.0.netsh.exe.c532ec.0.raw.unpack | HKTL_NET_GUID_PoshC2_Misc | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0xeca:$typelibguid1: 9d32ad59-4093-420d-b45c-5fff391e990d
1.0.prince_of_persia_P_v4_x86.exe.400000.0.unpack | HKTL_NET_GUID_PoshC2_Misc | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x25fd6:$typelibguid1: 9d32ad59-4093-420d-b45c-5fff391e990d
1.2.prince_of_persia_P_v4_x86.exe.400000.0.unpack | HKTL_NET_GUID_PoshC2_Misc | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x25fd6:$typelibguid1: 9d32ad59-4093-420d-b45c-5fff391e990d
4.2.netsh.exe.c532ec.0.raw.unpack | HKTL_NET_GUID_PoshC2_Misc | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0xeca:$typelibguid1: 9d32ad59-4093-420d-b45c-5fff391e990d

Sigma Overview

System Summary:

Sigma detected: Malicious Nishang PowerShell Commandlets

Sigma detected: NTFS Alternate Data Stream

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System Summary:

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Writes to foreign memory regions

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects
Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Process Injection 4 1 2 | Masquerading 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium 1 | Encrypted Channel 1 2 | Eavesdrop on Insecure Network Communication
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS
Domain Accounts | At () | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 1 | Security Account Manager | Security Software Discovery 1 2 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 4 1 2 | NTDS | Virtualization/Sandbox Evasion 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 2 2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station

Behavior Graph

[Behavior graph image not reproduced; the legend and node annotations recovered from the figure follow.]

Behavior Graph Legend: ID: 438228; Sample: prince_of_persia_P_v4_x86.exe; Startdate: 22/06/2021; Architecture: WINDOWS; Score: 80
Legend symbols: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Nodes and annotations:
prince_of_persia_P_v4_x86.exe (.Net C# or VB.NET): Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Malicious Nishang PowerShell Commandlets; Sigma detected: NTFS Alternate Data Stream; Contains functionality to inject threads in other processes; Uses netsh to modify the Windows network and firewall settings; Writes to foreign memory regions; 2 other signatures
started: netsh.exe
started: conhost.exe
nidhoggr.club: 185.112.146.165, 443, 49722, 49730, THE-1984-ASIS, Iceland
Contains functionality to compare user and computer (likely to detect sandboxes)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
prince_of_persia_P_v4_x86.exe | 49% | Virustotal |
prince_of_persia_P_v4_x86.exe | 38% | Metadefender |
prince_of_persia_P_v4_x86.exe | 76% | ReversingLabs | Win32.Hacktool.PoshC2
prince_of_persia_P_v4_x86.exe | 100% | | TR/Hijacker.Gen

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.prince_of_persia_P_v4_x86.exe.400000.0.unpack | 100% | Avira | TR/Hijacker.Gen
1.0.prince_of_persia_P_v4_x86.exe.400000.0.unpack | 100% | Avira | TR/Hijacker.Gen
1.1.prince_of_persia_P_v4_x86.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen

Domains

Source | Detection | Scanner | Label
nidhoggr.club | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://nidhoggr.club:443/unnoised/strange?ballistic=greyish17fc2a92-ec4c-4f30-84cc-1b0ec4de471d/?KO | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/transparent/Hope/ballistic/Iseabal/greyish/Gizela/isobel/Iseabal/turbulent | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/jaquelyn/stygian/corrosive/drab/jaquith/hyacinthe/hunter/Hope/winterly/joy | 0% | Avira URL Cloud | safe
https://longwang-sword.com:443d | 0% | Avira URL Cloud | safe
https://nidhoggr.club/suzi/crepuscular/gladys/cffed8d8-1a55-4e70-8881-ed1ecd36a4f1/?KOVmXF4aOyDloJr | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443; | 0% | Avira URL Cloud | safe
https://nidhoggr.club/unnoised/strange?ballistic=greyish17fc2a92-ec4c-4f30-84cc-1b0ec4de471d/?KOVmXF | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443x | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/noiseproof/greyish/turbulent/turbulent/Hyacinthia/isabelle/Hildagard?glad= | 0% | Avira URL Cloud | safe
https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/ | 0% | Avira URL Cloud | safe
https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/abb8b9ce-b9bc-4fae-85d1-1b34 | 0% | Avira URL Cloud | safe
https://nidhoggr.club/Isabel/bilious/undiscovered/sneaky/gloomy/turbulent?bad=Ivetteb108e02d-be73-4c | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/Isabel/bilious/undiscovered/sneaky/gloomy/turbulent?bad=Ivetteb108e02d-be7 | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/isabelle/Hulda/dark/isabella?crepuscular=isadoracc076ea2-05b9-4f33-8f7c-d6 | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443q | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443-8 | 0% | Avira URL Cloud | safe
https://nidhoggr.club/dreary/dull/Isahella/isobel/cheerless/dull/cheerless/noisefulness/counternoise | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/suzi/crepuscular/gladys/cffed8d8-1a55-4e70-8881-ed1ecd36a4f1/?KOVmXF4aOyDl | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/dreary/dull/Isahella/isobel/cheerless/dull/cheerless/noisefulness/countern | 0% | Avira URL Cloud | safe
https://nidhoggr.club/Hyacintha/surreptitious/overnoise/surreptitious/Issy/Hildegaard/darkened/Odili | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/jaquelyn/noisemaking/Hulda/surreptitious/noisemaker?Suzy=volatile6730903f- | 0% | Avira URL Cloud | safe
https://nidhoggr.club/Hildagard/ivory/spy/evil/Hyacintha/unrecognized/quiet/Hyacintha/ghost/dark/15f | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/jaquelyn/noisemaking/Hulda/surreptitious/noisemaker?Suzy=volatile2e092300- | 0% | Avira URL Cloud | safe
https://nidhoggr.clubD8$k | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/hynda/unnoised/heavy/stygian/nuclear/Hyacinthia/nameless/atomic/giulietta/ | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/slither/overnoise/infiltrator/giulietta/collapsar/ | 0% | Avira URL Cloud | safe
https://nidhoggr.club/noisefulness/Hyacinth/ballistic/hynda?silent=faultybd5e6337-de98-4813-9600-839 | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443h | 0% | Avira URL Cloud | safe
https://nidhoggr.club | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443e | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443 | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/suzi/crepuscular/gladys/4505d406-d392-46c3-8cf5-dc5610b77808/?KOVmXF4aOyDl | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443d | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/malicious/odette/bleak/ghost/silent?shadow=faultyd290c68b-cd84-427c-886e-8 | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/slither/overnoise/infiltrator/giulietta/collapsar/abb8b9ce-b9bc-4fae-85d1- | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/noisefulness/Hyacinth/ballistic/hynda?silent=faultybd5e6337-de98-4813-9600 | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/Gizela/ivie/jaquelyn/isabelita/Honor/noiseless/9344b327-de14-468e-be43-fca | 0% | Avira URL Cloud | safe
https://longwang-sword.com:443 | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/Hyacintha/surreptitious/overnoise/surreptitious/Issy/Hildegaard/darkened/O | 0% | Avira URL Cloud | safe
https://nidhoggr.club/hynda/unnoised/heavy/stygian/nuclear/Hyacinthia/nameless/atomic/giulietta/6db9 | 0% | Avira URL Cloud | safe
https://nidhoggr.club/jaquelyn/noisemaking/Hulda/surreptitious/noisemaker?Suzy=volatile2e092300-ce2f | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/Hildagard/ivory/spy/evil/Hyacintha/unrecognized/quiet/Hyacintha/ghost/dark | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/noised/joyless?evil=atomicb9a123db-97ea-4dd9-9f16-bf55ce8111e2/?KOVmXF4aOy | 0% | Avira URL Cloud | safe
https://nidhoggr.club:443/ivie/soundless/Adelina/cheerless/gray/ivett?nameless=subreptice5db40807-72 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
nidhoggr.club | 185.112.146.165 | true | false | 0%, Virustotal | unknown

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.112.146.165 | nidhoggr.club | Iceland | 44925 | THE-1984-ASIS | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 438228
Start date: 22.06.2021
Start time: 10:09:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: prince_of_persia_P_v4_x86.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.evad.winEXE@4/4@2/1
EGA Information: Failed
HDC Information: Successful, ratio: 77.6% (good quality ratio 44.9%); Quality average: 50.2%; Quality standard deviation: 45.4%
HCA Information: Successful, ratio: 90%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
185.112.146.165 | 40031ebd52934ce5967889a914e6fe7c.exe.upx.exe | malicious | 185.112.146.165:123/5QkRDmlpJktp9Wj0N1w70A9sD0fhNgkYI4YOci_5r9lbfU4vjwCUeLaB9Dv4ZVJ9k5rMg5pF_xFooEo2nUAqTZv_v6_c8VcW/

Domains

Match | Associated Sample Name / URL | Detection | Context
nidhoggr.club | payload.bat | malicious | 185.112.146.165
nidhoggr.club | playstation.exe | malicious | 185.112.146.165
nidhoggr.club | x86.exe | malicious | 185.112.146.165

ASN

Match | Associated Sample Name / URL | Detection | Context
THE-1984-ASIS | B2i1X1m7Mo.exe | malicious | 93.95.227.51
THE-1984-ASIS | NBkOqqQWw0.exe | malicious | 93.95.227.164
THE-1984-ASIS | payload.bat | malicious | 185.112.146.165
THE-1984-ASIS | playstation.exe | malicious | 185.112.146.165
THE-1984-ASIS | x86.exe | malicious | 185.112.146.165
THE-1984-ASIS | Request for Quote_SEKOLAH TUNAS BAKTI SG.doc__.rtf | malicious | 93.95.226.183
THE-1984-ASIS | IncomingF.A.X. . .htm | malicious | 185.112.145.176
THE-1984-ASIS | 08142020_1463075702.doc | malicious | 185.112.145.126

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 232.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | hesaphareketi-01.pdf.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | quotation #60321.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | Tax Invoice.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | quotation #60152 almaco.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | Minutes of Meeting.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | 09058009000.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | OlneDIQeSW.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | SKGCM_Arabbank_Transfer_document2021doc.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | quote#2793 almaco.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | ScanOrder.pdf.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | HRXoZLG4ym.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.8690.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | a6PLfh08ug.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | VenusLocker.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | IwM8bblvI2.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | script_hack_412.zip.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Artemis1BA9F0CFF517.9160.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | Img-347654566091236.exe | malicious | 185.112.146.165
54328bd36c14bd82ddaa0c04b25ed9ad | R367LovDh2.exe | malicious | 185.112.146.165

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\SysWOW64\netsh.exe
File Type: Microsoft Cabinet archive data, 60080 bytes, 1 file
Category: dropped
Size (bytes): 60080
Entropy (8bit): 7.995256720209506
Encrypted: true
SSDEEP: 768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
MD5: 6045BACCF49E1EBA0E674945311A06E6
SHA1: 379C6234849EECEDE26FAD192C2EE59E0F0221CB
SHA-256: 65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
SHA-512: DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
Malicious: false
Reputation: moderate, very likely benign file
Preview: MSCF...... ,...... I...... d...... R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<...... Ab.<..X....sb.....e...... dbu.3...0...... X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J...... wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&. ..E...g.....>uv."..!...... xc...... C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wg*X...... qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s...... add..)..w.4.&.z...2.&74.5]..w.j.._iK..||[.w.M.!<- .}%.C.Z..r...I...<.R{Ac..x^. .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\SysWOW64\netsh.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.1240735786320277
Encrypted: false
SSDEEP: 6:kKZdsse8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:rss8kPlE99SNxAhUe3OMx
MD5: AB0027150362BDB01AA3481728AAA3CC
SHA1: AF0CE16D4A676ABC417E5AE36E4900958165E549
SHA-256: CE6810D56C871D0988D166ECDD1DAA0D16D179C55BB13D982BDB697C5F713198
SHA-512: C696C6B43847F8C7358A6028C28584496570B61F785A7E66191B002539857163BFE39DBCD2D9A50C6E36C58A8AEE294B2F045BF5B01F52CE2E6C70BFA1F64D70
Malicious: false
Reputation: low
Preview: p...... "{.g..(...... L...... &...... h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.0.e.6.c.f.e.3.4.c.d.7.1.:.0."...

C:\Users\user\Documents\20210622\PowerShell_transcript.066656.8yu6QWeZ.20210622101006.txt
Process: C:\Windows\SysWOW64\netsh.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5405
Entropy (8bit): 4.848125260286816
Encrypted: false
SSDEEP: 48:BZ7vhtoOdtqDYB1ZeCUHF+CUwFhFLUeFtF4F/U+FJvU1tF0UWUkUWKU8:BZbhtNbqDo1Z+lecPoST0cyJs1Tdrt08
MD5: 1B51D6043D533C24915E0A82CDBA4835
SHA1: 5336068CFE33E9B968B313C95713DF2CEFE26E69
SHA-256: 1412056E2EF7A3F35E6534A34823B3A9B496EFD850510C257632DA62E3C36871
SHA-512: 07B05E4620650F0DE397A95EA92B3DE5CF98095357C09005DCAFE4572BCAFE848DE2BFC59688BF0AE3169924A43FB3E7C0ED842E047F5A4194C3619CB86B6D67
Malicious: false
Reputation: low
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210622101011..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 066656 ( NT 10.0.17134.0)..Host Application: C:\Windows\system32\netsh.exe..Process ID: 6520..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210622101011..**********************..PS>$o = IEX $c | Out-String..**********************..Command start time: 20210622101039..**********************..PS>TerminatingError(): "Exception calling "FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string.""..**********************..Command start time: 20210622101043..**********************..PS>Term

\Device\ConDrv
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 6
Entropy (8bit): 2.584962500721156
Encrypted: false
SSDEEP: 3:F:F
MD5: BC1886BC86B4D4EC4DCC50E778799168
SHA1: 9DF8F90F705230C1B0752F6A0B440361A24C0314
SHA-256: B4D91B765F5C92247254496AEF44B885A80269F718FD16FD46263BCAF14E02D1
SHA-512: B57D09A6633F6C8780323355CC9D040BE593FE64699367AB9557528C74A70A31CAAB932BDA464C58FEFB2A3145CCB767CD0B131AE41AC89A2BF413AFA2DF4685
Malicious: false
Reputation: low
Preview: netsh>

Static File Info

General

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 5.3834984979142515
TrID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%; Win32 Executable (generic) a (10002005/4) 49.97%; Generic Win/DOS Executable (2004/3) 0.01%; DOS Executable Generic (2002/1) 0.01%; VXD Driver (31/22) 0.00%
File name: prince_of_persia_P_v4_x86.exe
File size: 257385
MD5: 28906318e1bfa9949cd086e807a0f220
SHA1: 4ef52c5ffc149a1dabfb748edbe137b5568f5c87
SHA256: 3c4c4cb0e9a48e8203ebe67da38dcfdc0d888213424ddd335a767f6a04e798ff
SHA512: 5654c31d3a830f1232d66ef30c23e0032a371e18de91e5bb255f008de0dd59f0864996c0ee4eb203612d8086f1a6a6f3bd9c4102d7bc6e8dba9d79aa1f91a332
SSDEEP: 3072:Fw5tuhTTKtpWAFPmM9Kx067MjdfOW7B9tNY12xGLgzONzW:FkgxAFfOWN/o2x8gzONi
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L... E.w`...... #...... 0....@...... i ......

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4014c0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x60771B45 [Wed Apr 14 16:41:41 2021 UTC]
TLS Callbacks: 0x401950, 0x401900
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 35b5715d1d5b1876f546dbd1eae03180

Entrypoint Preview

Data Directories

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy
.text | 0x1000 | 0x1884 | 0x1a00 | False | 0.537860576923 | data | 5.72777161489
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x25e64 | 0x26000 | False | 0.395777652138 | data | 5.16452375127
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata | 0x29000 | 0x62c | 0x800 | False | 0.244140625 | data | 4.40319106043
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4 | 0x2a000 | 0x10c | 0x200 | False | 0.333984375 | data | 2.7692972491
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss | 0x2b000 | 0xc4 | 0x0 | False | 0 | empty | 0.0
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata | 0x2c000 | 0x574 | 0x600 | False | 0.423828125 | data | 4.71875989432
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT | 0x2d000 | 0x34 | 0x200 | False | 0.068359375 | data | 0.25451054171
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls | 0x2e000 | 0x8 | 0x200 | False | 0.02734375 | data | 0.0
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/14 | 0x2f000 | 0x2b0 | 0x400 | False | 0.2158203125 | data | 1.51778855775
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/29 | 0x30000 | 0x8ce2 | 0x8e00 | False | 0.399675396127 | data | 6.07015299298
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Copyright Joe Security LLC 2021 Page 16 of 20 Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics /41 0x39000 0x18dd 0x1a00 False 0.219951923077 data 4.64175413905 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTE S, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_ALIGN_1024BYTE S, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_ALIGN_4096BYTE S, IMAGE_SCN_MEM_READ /55 0x3b000 0x1fb3 0x2000 False 0.420166015625 data 5.4216767087 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTE S, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_ALIGN_1024BYTE S, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_ALIGN_4096BYTE S, IMAGE_SCN_MEM_READ /67 0x3d000 0x690 0x800 False 0.3857421875 TIM image, (3080,1028) 4.12195503319 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTE S, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_ALIGN_1024BYTE S, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTE S, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTE S, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_ALIGN_4096BYTE S, IMAGE_SCN_MEM_READ /80 0x3e000 0x42d 0x600 False 0.342447916667 data 4.00923224234 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTE S, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_ALIGN_1024BYTE S, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_ALIGN_4096BYTE S, IMAGE_SCN_MEM_READ /91 0x3f000 0x11eb 0x1200 False 0.327690972222 data 2.97162240462 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTE S, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_ALIGN_1024BYTE S, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_ALIGN_4096BYTE S, 
IMAGE_SCN_MEM_READ

Copyright Joe Security LLC 2021 Page 17 of 20 Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics /102 0x41000 0x3a0 0x400 False 0.3271484375 TIM image, Pixel at (96,0) 2.50870874154 IMAGE_SCN_ALIGN_MASK, Size=192x0 IMAGE_SCN_ALIGN_256BYTE S, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_ALIGN_1024BYTE S, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_ALIGN_4096BYTE S, IMAGE_SCN_MEM_READ
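As an added example (not part of the Joe Sandbox report), the following Python decodes IMAGE_SECTION_HEADER entries the way the table above should be read: the alignment nibble as one value, a "/N" name resolved through the COFF string table, and the two checks a triager applies first (writable-and-executable, executable section that grows in memory). `noisy_align_listing` reproduces the overlapping IMAGE_SCN_ALIGN_* list the report prints, to show where it comes from. The section headers are constructed from the table's values; the string-table content (".debug_aranges") and the raw-data pointers are assumptions, since the report does not say what "/4" resolves to.

```python
"""Decode PE section headers the way the Sections table above should be read.

Added example, not part of the Joe Sandbox report. Headers below are constructed
from the table's values; the string-table content is an assumption."""
import math
import struct
from collections import Counter

# Section flag bits from the PE/COFF specification. The alignment nibble is not a
# set of independent flags and is decoded separately.
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_SCN_ALIGN_MASK = 0x00F00000            # bits 20..23 hold 1 + log2(alignment)
ALIGN_NAME = {n: "IMAGE_SCN_ALIGN_%dBYTES" % (1 << (n - 1)) for n in range(1, 15)}
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def decode_characteristics(value):
    """Return (flag names, alignment in bytes or None) for a Characteristics DWORD."""
    names = [name for bit, name in sorted(SCN_FLAGS.items()) if value & bit]
    nibble = (value & IMAGE_SCN_ALIGN_MASK) >> 20
    return names, (1 << (nibble - 1)) if nibble else None


def noisy_align_listing(value):
    """Reproduce the report's output: every IMAGE_SCN_ALIGN_* constant that shares a
    bit with the nibble is listed, so one alignment shows up as a dozen 'flags'."""
    nibble = (value & IMAGE_SCN_ALIGN_MASK) >> 20
    if not nibble:
        return []
    return ["IMAGE_SCN_ALIGN_MASK"] + [ALIGN_NAME[n] for n in range(1, 15) if n & nibble]


def parse_section_header(raw, string_table=b""):
    """Parse one 40-byte header; resolve '/N' names through the COFF string table."""
    (name, vsize, vaddr, rawsize, _rawptr, _reloc, _lines,
     _nreloc, _nlines, chars) = SECTION_HEADER.unpack(raw)
    name = name.rstrip(b"\0").decode("latin-1")
    if name.startswith("/"):
        # '/N' means: real name at offset N in the string table, where offset 0 is the
        # table's own 4-byte size field. GCC/MinGW emits these for long names such as
        # DWARF .debug_* sections.
        off = int(name[1:])
        name = string_table[off:string_table.index(b"\0", off)].decode("latin-1")
    flags, alignment = decode_characteristics(chars)
    findings = []
    if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
        findings.append("writable and executable")
    if "IMAGE_SCN_MEM_EXECUTE" in flags and vsize > rawsize:
        findings.append("executable section grows in memory (room for unpacking)")
    return {"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "flags": flags, "alignment": alignment, "findings": findings}


def shannon_entropy(data):
    """Bits per byte in 0.0..8.0, the measure behind the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed input: three headers modelled on the table above plus one deliberately
# bad section. Raw-data pointers are arbitrary. ".debug_aranges" is assumed; the
# report does not say what "/4" resolves to.
STRING_TABLE = b"\x13\x00\x00\x00.debug_aranges\x00"
SAMPLE_HEADERS = [
    SECTION_HEADER.pack(b".text", 0x1884, 0x1000, 0x1a00, 0x400, 0, 0, 0, 0, 0x60500060),
    SECTION_HEADER.pack(b".data", 0x25e64, 0x3000, 0x26000, 0x1e00, 0, 0, 0, 0, 0xC0600040),
    SECTION_HEADER.pack(b"/4", 0x10c, 0x2a000, 0x200, 0x28600, 0, 0, 0, 0, 0x40300040),
    SECTION_HEADER.pack(b".rwx", 0x4000, 0x2b000, 0x200, 0x28800, 0, 0, 0, 0, 0xE0000020),
]


def analyse(headers=SAMPLE_HEADERS, string_table=STRING_TABLE):
    return [parse_section_header(h, string_table) for h in headers]


if __name__ == "__main__":
    for s in analyse():
        short = ",".join(f.replace("IMAGE_SCN_", "") for f in s["flags"])
        print("%-16s VA=0x%05x align=%-4s %s %s" % (s["name"], s["vaddr"],
                                                     s["alignment"], short, s["findings"]))
    print("what the report printed for .text:", noisy_align_listing(0x60500060))
    print("entropy of 64 zero bytes:", shannon_entropy(bytes(64)))
```

Feeding the real file's headers in is a matter of reading `NumberOfSections` consecutive 40-byte records after the optional header and passing the string table that follows the COFF symbol table; the decoding logic does not change.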

Imports

Network Behavior

Snort IDS Alerts

| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Protocol | SID | Message |
|---|---|---|---|---|---|---|---|
| 06/22/21-10:10:20.522006 | 192.168.2.3 | | 8.8.8.8 | | ICMP | 402 | ICMP Destination Unreachable Port Unreachable |

The alert is the analysis host telling 8.8.8.8 that a UDP datagram arrived on a closed port, about two seconds after the first DNS answer. That pattern is typically a late or duplicate DNS reply hitting a socket the resolver has already closed; it is not traffic from the sample's command-and-control channel.

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jun 22, 2021 10:10:18.016066074 CEST | 192.168.2.3 | 8.8.8.8 | 0x7870 | Standard query (0) | nidhoggr.club | A (IP address) | IN (0x0001) |
| Jun 22, 2021 10:12:16.907757044 CEST | 192.168.2.3 | 8.8.8.8 | 0xd831 | Standard query (0) | nidhoggr.club | A (IP address) | IN (0x0001) |

DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jun 22, 2021 10:10:18.118741035 CEST | 8.8.8.8 | 192.168.2.3 | 0x7870 | No error (0) | nidhoggr.club | | 185.112.146.165 | A (IP address) | IN (0x0001) |
| Jun 22, 2021 10:12:16.969455004 CEST | 8.8.8.8 | 192.168.2.3 | 0xd831 | No error (0) | nidhoggr.club | | 185.112.146.165 | A (IP address) | IN (0x0001) |

nidhoggr.club was resolved twice, about two minutes apart, and both answers returned 185.112.146.165, the host contacted on port 443 below. Transaction IDs match the queries above (0x7870, 0xd831), so both answers are genuine responses rather than spoofed or cached injections.

HTTPS Packets

| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
|---|---|---|---|---|---|---|---|---|---|---|
| Jun 22, 2021 10:10:18.750842094 CEST | 185.112.146.165 | 443 | 192.168.2.3 | 49722 | CN=nidhoggr.club | CN=nidhoggr.club | Wed Apr 14 18:41:40 2021 CEST | Sat Apr 12 18:41:40 2031 CEST | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad |

The row records the server's certificate on the connection 192.168.2.3:49722 -> 185.112.146.165:443, opened within a second of the first DNS answer. Subject and Issuer are identical (CN=nidhoggr.club), so the certificate is self-signed, and its ten-year validity window is typical of an ad-hoc generated certificate rather than a CA-issued one. The JA3 string describes the client side of the handshake: a ClientHello advertising version 769 (0x0301, TLS 1.0), seven CBC cipher suites and no ALPN or signature_algorithms extension.
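As an added example, not part of the report, the following Python takes the JA3 fingerprint from the row above apart into the ClientHello fields it encodes (IANA names for the cipher suites, extensions and named groups) and recomputes the JA3 digest, which by definition is the MD5 of the fingerprint string, so the result can be compared with the digest column. The `stack_observations` helper lists the properties a triager would note about this client stack; it is a description of the handshake, not an attribution of the client software.

```python
"""Parse the JA3 client fingerprint from the HTTPS table above and recompute its digest.

Added example, not part of the Joe Sandbox report. Fingerprint and digest are copied
from the table; the name tables hold IANA assignments."""
import hashlib

REPORT_JA3 = "769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0"
REPORT_JA3_DIGEST = "54328bd36c14bd82ddaa0c04b25ed9ad"

CIPHER_NAMES = {
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSION_NAMES = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    13: "signature_algorithms", 16: "application_layer_protocol_negotiation",
    23: "extended_master_secret", 35: "session_ticket", 43: "supported_versions",
    65281: "renegotiation_info",
}
GROUP_NAMES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def _ints(field):
    """'49162-49161' -> [49162, 49161]; an empty field means the list was absent."""
    return [int(x) for x in field.split("-")] if field else []


def parse_ja3(fingerprint):
    """Split 'version,ciphers,extensions,groups,point_formats' into labelled fields."""
    version, ciphers, extensions, groups, formats = fingerprint.split(",")
    version = int(version)
    return {
        "version": TLS_VERSIONS.get(version, "0x%04x" % version),
        "ciphers": [CIPHER_NAMES.get(c, "0x%04x" % c) for c in _ints(ciphers)],
        "extensions": [EXTENSION_NAMES.get(e, str(e)) for e in _ints(extensions)],
        "groups": [GROUP_NAMES.get(g, str(g)) for g in _ints(groups)],
        "point_formats": _ints(formats),
    }


def ja3_digest(fingerprint):
    """The JA3 digest is the MD5 of the exact fingerprint string (GREASE already removed)."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def stack_observations(parsed):
    """Properties of the client stack worth noting in triage; not an attribution."""
    notes = []
    if parsed["version"] in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        notes.append("ClientHello version below TLS 1.2")
    if "signature_algorithms" not in parsed["extensions"]:
        notes.append("no signature_algorithms extension (introduced with TLS 1.2)")
    if "application_layer_protocol_negotiation" not in parsed["extensions"]:
        notes.append("no ALPN: not a modern browser-style ClientHello")
    if parsed["ciphers"] and all("CBC" in c for c in parsed["ciphers"]):
        notes.append("CBC-only cipher list, no AEAD suites")
    return notes


if __name__ == "__main__":
    parsed = parse_ja3(REPORT_JA3)
    for key, value in parsed.items():
        print("%-14s %s" % (key, value))
    digest = ja3_digest(REPORT_JA3)
    print("digest", digest, "matches report:", digest == REPORT_JA3_DIGEST)
    for note in stack_observations(parsed):
        print("-", note)
```

The same parser applies to any JA3 string from Zeek, Suricata or a sandbox export; the point of recomputing the digest is to confirm that the fingerprint string was transcribed intact before it is used as a hunting key.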

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: prince_of_persia_P_v4_x86.exe PID: 6412 Parent PID: 5872

General

Start time: 10:10:02
Start date: 22/06/2021
Path: C:\Users\user\Desktop\prince_of_persia_P_v4_x86.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\prince_of_persia_P_v4_x86.exe'
Imagebase: 0x400000
File size: 257385 bytes
MD5 hash: 28906318E1BFA9949CD086E807A0F220
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Analysis Process: conhost.exe PID: 6444 Parent PID: 6412

General

Start time: 10:10:03
Start date: 22/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: netsh.exe PID: 6520 Parent PID: 6412

General

Start time: 10:10:03
Start date: 22/06/2021
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\netsh.exe
Imagebase: 0xd90000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
- Rule: HKTL_NET_GUID_PoshC2_Misc; Description: Detects c# red/black-team tools via typelibguid; Source: 00000004.00000002.476073027.00000000057C0000.00000004.00000001.sdmp; Author: Arnim Rupp
- Rule: SUSP_Double_Base64_Encoded_Executable; Description: Detects an executable that has been encoded with base64 twice; Source: 00000004.00000002.479488843.0000000006A73000.00000004.00000001.sdmp; Author: Florian Roth
Reputation: high

Both Yara sources are .sdmp entries, i.e. memory dumps taken from this netsh.exe process (regions at 0x57C0000 and 0x6A73000), not the netsh.exe file on disk, which is the stock 32-bit system binary. netsh.exe is a native Windows program, so the ".Net C# or VB.NET" classification, the PoshC2 TypeLib GUID and the double-base64-encoded executable all describe managed code that was present in netsh.exe's address space at runtime. The process tree points at the source: netsh.exe was started by prince_of_persia_P_v4_x86.exe (PID 6412) one second after that sample launched, with an empty command line. A bare netsh.exe is an interactive shell that users start from a console, not something an unsigned program on the Desktop launches, which makes the parent/child pair worth a detection rule independent of the Yara hits.
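As an added example, not part of the report or of the YARA rule set it cites, the following Python implements the condition behind the SUSP_Double_Base64_Encoded_Executable match on a memory dump: rules of that kind match the encoded form of the MZ header as literal strings, whereas this scanner decodes every long base64 run it finds, peels further layers while they still decode, and checks the result for a real PE header (MZ plus an e_lfanew that lands on "PE\0\0"). The PE stub and the "memory dump" it is hidden in are constructed here; nothing is read from the sample, and the stub is a header skeleton, not a runnable program.

```python
"""Scan a buffer for executables hidden under one or more layers of base64, the
condition behind the SUSP_Double_Base64_Encoded_Executable match above.

Added example, not part of the report or of the YARA rule set. The PE stub and the
'memory dump' are constructed here; nothing is read from the sample."""
import base64
import binascii
import re
import struct

# A candidate is a long run of base64 alphabet with optional padding; short tokens
# (identifiers, words) are skipped by the length bound.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data):
    """MZ header whose e_lfanew points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def peel_base64(candidate, max_layers=3):
    """Decode repeatedly; stop at a PE header, at undecodable data or at max_layers.
    Returns (layers peeled, innermost data)."""
    data, layers = candidate, 0
    while layers < max_layers and not looks_like_pe(data):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
    return layers, data


def find_encoded_executables(buffer):
    """Return [{offset, layers, size}] for every base64 run that decodes to a PE."""
    hits = []
    for m in B64_RUN.finditer(buffer):
        layers, data = peel_base64(m.group(0))
        if layers and looks_like_pe(data):
            hits.append({"offset": m.start(), "layers": layers, "size": len(data)})
    return hits


def constructed_pe_stub(size=256):
    """Header skeleton only (DOS header, e_lfanew, PE signature, i386 machine); not runnable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x14C)  # IMAGE_FILE_MACHINE_I386, matching an x86 sample
    return bytes(buf)


# Constructed 'memory dump': a decoy base64 run that is not a PE, a single-encoded
# stub (what a plain base64 dropper carries) and a double-encoded one (the rule's target).
STUB = constructed_pe_stub()
ONE_LAYER = base64.b64encode(STUB)
TWO_LAYERS = base64.b64encode(ONE_LAYER)
SAMPLE_DUMP = (b"\x00" * 32 + b"AAAA" * 20 + b"\x00"
               + ONE_LAYER + b"\n\n" + TWO_LAYERS + b"\x00" * 8)

if __name__ == "__main__":
    for hit in find_encoded_executables(SAMPLE_DUMP):
        print("PE at offset %(offset)d under %(layers)d base64 layer(s), %(size)d bytes" % hit)
```

Run against a real dump, the `offset` of each hit is where to carve, and `layers` tells you how many decodes the loader performed before mapping the payload; decoding rather than string-matching also catches payloads whose base64 alignment differs from the literal a signature was built from.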

File Activities

File Created

File Written

File Read

Registry Activities

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 32.0.0 Black Diamond
