Automated Malware Analysis Report for QRU2.Exe
Total Page:16
File Type:pdf, Size:1020Kb
ID: 264216
Sample Name: QRU2.exe
Cookbook: default.jbs
Time: 14:20:55
Date: 13/08/2020
Version: 29.0.0 Ocean Jasper

Table of Contents
  Table of Contents ... 2
  Analysis Report QRU2.exe ... 4
    Overview ... 4
      General Information ... 4
      Detection ... 4
      Signatures ... 4
      Classification ... 4
      Startup ... 4
      Malware Configuration ... 4
      Yara Overview ... 4
        Memory Dumps ... 4
      Sigma Overview ... 4
      Signature Overview ... 5
        AV Detection ... 5
        Spreading ... 5
        System Summary ... 5
        Data Obfuscation ... 5
        Malware Analysis System Evasion ... 5
      Mitre Att&ck Matrix ... 5
      Behavior Graph ... 6
      Screenshots ... 6
        Thumbnails ... 6
      Antivirus, Machine Learning and Genetic Malware Detection ... 7
        Initial Sample ... 7
        Dropped Files ... 7
        Unpacked PE Files ... 7
        Domains ... 7
        URLs ... 7
      Domains and IPs ... 8
        Contacted Domains ... 8
        URLs from Memory and Binaries ... 8
        Contacted IPs ... 9
          Public ... 10
          Private ... 10
    General Information ... 10
    Simulations ... 11
      Behavior and APIs ... 11
    Created / dropped Files ... 11
    Static File Info ... 24
      General ... 24
      File Icon ... 24
      Static PE Info ... 24
        General ... 24
        Entrypoint Preview ... 25
        Data Directories ... 26
        Sections ... 26
        Resources ... 27
        Imports ... 27
        Version Infos ... 27
    Network Behavior ... 27
      UDP Packets ... 27
    Code Manipulations ... 28
    Statistics ... 28
      Behavior ... 28
    System Behavior ... 28
      Analysis Process: QRU2.exe PID: 6896 Parent PID: 5652 ... 28
        General ... 28
        File Activities ... 28
          File Created ... 28
          File Written ... 29
          File Read ... 30
        Registry Activities ... 30
          Key Value Created ... 30
      Analysis Process: conhost.exe PID: 6904 Parent PID: 6896 ... 31
        General ... 31
      Analysis Process: explorer.exe PID: 7004 Parent PID: 560 ... 31
        General ... 31
        File Activities ... 31
        Registry Activities ... 31
      Analysis Process: shutdown.exe PID: 7068 Parent PID: 6896 ... 31
        General ... 31
        File Activities ... 32
      Analysis Process: conhost.exe PID: 7108 Parent PID: 7068 ... 32
        General ... 32
      Analysis Process: SearchUI.exe PID: 5712 Parent PID: 800 ... 32
        General ... 32
        File Activities ... 32
        Registry Activities ... 33
          Key Value Modified ... 33
    Disassembly ... 33
      Code Analysis ... 33

Copyright null 2020 Page 2 of 33

Analysis Report QRU2.exe

Overview

General Information
  Sample Name: QRU2.exe
  Analysis ID: 264216
  MD5: 6b054a01128b7b…
  SHA1: 6eca71a8a448b5…
  SHA256: 76ac59be5102c1…

Detection
  Score: 60
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Signatures
  Changes autostart functionality of drives
  Machine Learning detection for sample
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Uses shutdown.exe to shutdown or reboot the system
  Yara detected Costura Assembly Loader
  AV process strings found (often used …
  Allocates memory with a write watch …
  Contains capabilities to detect virtual …
  Contains long sleeps (>= 3 min)
  Creates COM task schedule object (…
  Creates a process in suspended mode (…
  Creates files inside the system directory
  Detected potential crypto function
  Enables debug privileges
  Found inlined nop instructions (likely …
  May sleep (evasive loops) to hinder …
  Monitors certain registry keys / values …
  OS version to string mapping found
  PE file contains strange resources
  Queries the volume information (name …
  Sample execution stops while process …
  Sample file is different than original

Classification
  [Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Rings: malicious, suspicious, clean.]

Startup
  System is w10x64
  QRU2.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\QRU2.exe' MD5: 6B054A01128B7B85B924909D80C0B739)
    conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    shutdown.exe (PID: 7068 cmdline: 'C:\Windows\System32\shutdown.exe' -r -t 0 MD5: 7A22F98F0B7BAEEF5FE1965F075A5E95)
      conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  explorer.exe (PID: 7004 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  SearchUI.exe (PID: 5712 cmdline: 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca MD5: C4A9ACE9CDB9E5DB7CBA996CFA9EA7A2)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview
  Memory Dumps
    Source: Process Memory Space: QRU2.exe PID: 6896
    Rule: JoeSecurity_CosturaAssemblyLoader
    Description: Yara detected Costura Assembly Loader
    Author: Joe Security
    Strings: (none listed)
Sigma Overview
  No Sigma rule has matched

Signature Overview
  • AV Detection
  • Spreading
  • Software Vulnerabilities
  • Networking
  • System Summary
  • Data Obfuscation
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection
  • Lowering of HIPS / PFW / Operating System Security Settings
  • Stealing of Sensitive Information

  AV Detection:
    Machine Learning detection for sample
  Spreading:
    Changes autostart functionality of drives
  System Summary:
    Uses shutdown.exe to shutdown or reboot the system
  Data Obfuscation:
    Yara detected Costura Assembly Loader
  Malware Analysis System Evasion:
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Mitre Att&ck Matrix
  Matched techniques by tactic (the trailing digits are the report's signature markers; default matrix cells with no match are not listed):
  Initial Access: Replication Through Removable Media 1
  Execution: Scheduled Task/Job 1
  Persistence: Scheduled Task/Job 1
  Privilege Escalation: Process Injection 1 2; Scheduled Task/Job 1
  Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 4; Disable or Modify Tools 1; Process Injection 1 2; Obfuscated Files or Information 2; Software Packing 2
  Credential Access: (none)
  Discovery: Query Registry 1; Security Software Discovery 1 2 1; Virtualization/Sandbox Evasion 4; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 1 2
  Lateral Movement: Replication Through Removable Media 1
  Collection: Archive Collected Data 1
  Exfiltration: (none)
  Command and Control: Encrypted Channel 1
  Network Effects: (none)

Behavior Graph
  [Behavior graph figure. ID: 264216, Sample: QRU2.exe, Startdate: 13/08/2020, Architecture: WINDOWS, Score: 60. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, started. Signature nodes shown: Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name …); Uses shutdown.exe to shutdown or reboot the system; Yara detected Costura Assembly Loader.]