Automated Malware Analysis Report for Set-Up.Exe
Total Page:16
File Type:pdf, Size:1020Kb
ID: 355727
Sample Name: Set-up.exe
Cookbook: default.jbs
Time: 13:38:24
Date: 21/02/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents 2
Analysis Report Set-up.exe 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 4
Malware Configuration 4
Yara Overview 4
Sigma Overview 4
Signature Overview 4
Compliance: 5
Mitre Att&ck Matrix 5
Behavior Graph 5
Screenshots 6
Thumbnails 6
Antivirus, Machine Learning and Genetic Malware Detection 7
Initial Sample 7
Dropped Files 7
Unpacked PE Files 7
Domains 7
URLs 7
Domains and IPs 8
Contacted Domains 8
URLs from Memory and Binaries 8
Contacted IPs 8
General Information 8
Simulations 9
Behavior and APIs 9
Joe Sandbox View / Context 9
IPs 9
Domains 9
ASN 9
JA3 Fingerprints 9
Dropped Files 9
Created / dropped Files 10
Static File Info 10
General 10
File Icon 10
Static PE Info 10
General 10
Authenticode Signature 11
Entrypoint Preview 11
Rich Headers 12
Data Directories 12
Sections 13
Resources 13
Imports 14
Version Infos 16
Possible Origin 16
Network Behavior 16
Code Manipulations 16
Statistics 16
System Behavior 16
Analysis Process: Set-up.exe PID: 3976 Parent PID: 5896 16
General 16
File Activities 17
File Created 17
File Written 17
File Read 21
Registry Activities 21
Key Value Created 21
Disassembly 21
Code Analysis 21

Copyright null 2021 Page 2 of 21

Analysis Report Set-up.exe

Overview

General Information
Sample Name: Set-up.exe
Analysis ID: 355727
MD5: de70f0deed893bb…
SHA1: f351b0c2996a357…
SHA256: b9a187b59c758e…
Most interesting Screenshot: (image)

Detection
Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 80%
(Score legend: malicious / suspicious / clean)

Signatures
Contains functionality to check if a d…
Contains functionality to detect virtu…
Contains functionality to dynamically…
Contains functionality to query locale…
Contains functionality to read the PEB
Contains functionality which may be…
Detected potential crypto function
Found large amount of non-executed…
Found potential string decryption / a…
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample file is different than original …
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptog…
Uses code obfuscation techniques (…

Classification
(radar chart; categories shown: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware)

Startup
System is w10x64
Set-up.exe (PID: 3976 cmdline: 'C:\Users\user\Desktop\Set-up.exe' MD5: DE70F0DEED893BBA56CCB78EAFD59606)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
• Cryptography
• Bitcoin Miner
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

There are no malicious signatures.

Compliance:
Uses 32bit PE files
Creates install or setup log file
Contains modern PE file flags such as dynamic base (ASLR) or NX
Binary contains paths to debug symbols

Mitre Att&ck Matrix
(techniques listed per tactic column; the numbers following a technique name are the matrix's match counts, kept as printed)
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter 2; Scripting 1; Native API 1; At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion 1; Modify Registry 1; Deobfuscate/Decode Files or Information 1; Scripting 1; Obfuscated Files or Information 2
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: System Time Discovery 1; Security Software Discovery 2 1; Virtualization/Sandbox Evasion 1; File and Directory Discovery 1; System Information Discovery 1 5
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel 2; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph
(graph figure) ID: 355727; Sample: Set-up.exe; Startdate: 21/02/2021; Architecture: WINDOWS; Score: 7
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Graph nodes: started; Set-up.exe 1 11

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
Set-up.exe | 1% | Virustotal | | Browse
Set-up.exe | 0% | Metadefender | | Browse
Set-up.exe | 0% | ReversingLabs | |

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
cacerts.dig | 0% | Avira URL Cloud | safe |
ocsp.dig | 0% | Avira URL Cloud | safe |
https://127.0.0.1 | 0% | Virustotal | | Browse
https://127.0.0.1 | 0% | Avira URL Cloud | safe |
ocsp.digicert.c | 0% | Avira URL Cloud | safe |
https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0 | 0% | Avira URL Cloud | safe |
https://tron-qe-user-packages.s3.amazonaws.comhttps://tron-qe-user-packages.s3-accelerate.amazonaws. | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains
No contacted domains info

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
typekit.com/eulas/000000000000000000014f4e | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f4d | Set-up.exe | false | | high
cacerts.dig | Set-up.exe, 00000000.00000002.649160410.0000000001076000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
ocsp.dig | Set-up.exe, 00000000.00000002.649160410.0000000001076000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://127.0.0.1 | Set-up.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
typekit.com/eulas/000000000000000000014825 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014824 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014823 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014822 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f4f | Set-up.exe | false | | high
ocsp.digicert.c | Set-up.exe, 00000000.00000002.649401359.0000000001114000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
www.winimage.com/zLibDll | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f52 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f51 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f50 | Set-up.exe | false | | high
https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0 | Set-up.exe | false | Avira URL Cloud: safe | low
https://tron-qe-user-packages.s3.amazonaws.comhttps://tron-qe-user-packages.s3-accelerate.amazonaws. | Set-up.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs
No contacted IP infos

General Information
Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355727
Start date: 21.02.2021
Start time: 13:38:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Set-up.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader