Automated Malware Analysis Report for X64.Exe
ID: 310318
Sample Name: x64.exe
Cookbook: default.jbs
Time: 12:39:09
Date: 06/11/2020
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report x64.exe 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
  Startup 4
  Malware Configuration 4
  Yara Overview 4
    Memory Dumps 4
  Sigma Overview 5
    System Summary: 5
  Signature Overview 5
    System Summary: 5
    Boot Survival: 5
  Mitre Att&ck Matrix 6
  Behavior Graph 6
  Screenshots 7
    Thumbnails 7
  Antivirus, Machine Learning and Genetic Malware Detection 7
    Initial Sample 7
    Dropped Files 7
    Unpacked PE Files 8
    Domains 8
    URLs 8
  Domains and IPs 8
    Contacted Domains 8
    URLs from Memory and Binaries 8
    Contacted IPs 9
  General Information 9
  Simulations 10
    Behavior and APIs 10
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 10
    Dropped Files 10
  Created / dropped Files 10
  Static File Info 12
    General 12
    File Icon 12
    Static PE Info 12
      General 12
      Entrypoint Preview 12
      Data Directories 14
      Sections 14
      Imports 14
  Network Behavior 15
  Code Manipulations 15
  Statistics 15
    Behavior 15
  System Behavior 15
    Analysis Process: x64.exe PID: 6720 Parent PID: 5692 15
      General 15
      File Activities 16
        File Written 16
        File Read 17
    Analysis Process: conhost.exe PID: 6736 Parent PID: 6720 17
      General 17
    Analysis Process: cmd.exe PID: 6788 Parent PID: 6720 17
      General 17
      File Activities 17
    Analysis Process: whoami.exe PID: 6812 Parent PID: 6788 17
      General 18
      File Activities 18
    Analysis Process: cmd.exe PID: 6840 Parent PID: 6720 18
      General 18
      File Activities 18
    Analysis Process: powershell.exe PID: 6852 Parent PID: 6840 18
      General 18
      File Activities 19
        File Created 19
        File Deleted 20
        File Written 20
        File Read 21
    Analysis Process: cmd.exe PID: 5848 Parent PID: 6720 26
      General 26
      File Activities 26
    Analysis Process: whoami.exe PID: 5460 Parent PID: 5848 26
      General 26
      File Activities 26
    Analysis Process: findstr.exe PID: 6228 Parent PID: 5848 26
      General 26
      File Activities 27
        File Read 27
  Disassembly 27
    Code Analysis 27

Copyright null 2020

Analysis Report x64.exe

Overview

General Information
Sample Name: x64.exe
Analysis ID: 310318
MD5: 5daea8be23ce52…
SHA1: ba0b53de1b9e9d…
SHA256: a0ff195e6d1d602…

Detection
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Sigma detected: Whoami Execution
Uses whoami command line tool to q…
Contains functionality to open a port…
Contains long sleeps (>= 3 min)
Creates a process in suspended mo…
Detected potential crypto function
Enables debug privileges
Found a high number of Window / Us…
Found inlined nop instructions (likely…
Found large amount of non-executed…
Found potential string decryption / a…
May sleep (evasive loops) to hinder…
Queries the volume information (nam…
Sample execution stops while proce…
Uses code obfuscation techniques (…
Yara signature match

Classification
Classification wheel (figure not extracted; labels only): Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; verdict rings: malicious, suspicious, clean.

Most interesting Screenshot: (image not extracted)

Startup

System is w10x64
x64.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\x64.exe' MD5: 5DAEA8BE23CE520DBCCE5A346E87DE35)
  conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  cmd.exe (PID: 6788 cmdline: C:\Windows\system32\cmd.exe /c whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    whoami.exe (PID: 6812 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)
  cmd.exe (PID: 6840 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe 'Get-ExecutionPolicy ;stop-process -Id $PID' ;exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    powershell.exe (PID: 6852 cmdline: powershell.exe 'Get-ExecutionPolicy ;stop-process -Id $PID' ;exit MD5: 95000560239032BC68B4C2FDFCDEF913)
  cmd.exe (PID: 5848 cmdline: C:\Windows\system32\cmd.exe /c whoami /priv |findstr 'SeImpersonatePrivilege seAssignPrimaryPrivilege SeDebugPrivilege SeLoadDriverPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeTakeOwnershipPrivilege ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    whoami.exe (PID: 5460 cmdline: whoami /priv MD5: AA18BE1AD24DE09417C1A7459F5C1701)
    findstr.exe (PID: 6228 cmdline: findstr 'SeImpersonatePrivilege seAssignPrimaryPrivilege SeDebugPrivilege SeLoadDriverPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeTakeOwnershipPrivilege ' MD5: BCC8F29B929DABF5489C9BE6587FF66D)
cleanup

(Tree nesting follows the PID / Parent PID values listed in the report. The findstr argument is reproduced as the report renders it; note that "seAssignPrimaryPrivilege" is not the name of a Windows privilege, so that token cannot match anything in whoami /priv output.)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.276626953.00000001000CE000.00000002.00020000.sdmp
  Rule: Recon_Commands_Windows_Gen1 (Author: Florian Roth) - Detects a set of reconnaissance commands on Windows systems
  Strings: 0x1098:$s1: netstat -an; 0x2310:$s3: net user; 0x1b10:$s4: whoami; 0x1ba0:$s4: whoami; 0x2338:$s4: whoami; 0x2df:$s6: systeminfo; 0x14e8:$s6: systeminfo; 0x1450:$s10: tasklist /svc

Source: 00000000.00000000.237038759.00000001000CE000.00000002.00020000.sdmp
  Rule: Recon_Commands_Windows_Gen1 (Author: Florian Roth) - Detects a set of reconnaissance commands on Windows systems
  Strings: 0x1098:$s1: netstat -an; 0x2310:$s3: net user; 0x1b10:$s4: whoami; 0x1ba0:$s4: whoami; 0x2338:$s4: whoami; 0x2df:$s6: systeminfo; 0x14e8:$s6: systeminfo; 0x1450:$s10: tasklist /svc

Source: Process Memory Space: x64.exe PID: 6720
  Rule: Recon_Commands_Windows_Gen1 (Author: Florian Roth) - Detects a set of reconnaissance commands on Windows systems
  Strings: 0xd7f:$s1: netstat -an; 0x16e42:$s1: netstat -an; 0x62d08:$s1: netstat -an; 0x3c58:$s3: net user; 0x1ae63:$s3: net user; 0x64306:$s3: net user; 0x4063:$s4: whoami; 0xdd22:$s4: whoami; 0xe63a:$s4: whoami; 0x1949c:$s4: whoami; 0x1965e:$s4: whoami; 0x1b043:$s4: whoami; 0x58b59:$s4: whoami; 0x58c77:$s4: whoami; 0x58d76:$s4: whoami; 0x5ab33:$s4: whoami; 0x5ac32:$s4: whoami; 0x63929:$s4: whoami; 0x639c4:$s4: whoami; 0x6431c:$s4: whoami; 0x905f2:$s4: whoami

Sigma Overview

System Summary:
Sigma detected: Whoami Execution

Signature Overview

• Spreading
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

System Summary:

Boot Survival:

Uses whoami command line tool to query computer and username

Mitre Att&ck Matrix

Cells followed by a count in parentheses are the techniques matched by this analysis; the remaining cells are the unmatched matrix template. The last row is cut off at the page boundary in the source and is shown as extracted.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects
Valid Accounts | Command and Scripting Interpreter (2) | Path Interception | Process Injection (1 1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (2) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1 1) | Security Account Manager | Virtualization/Sandbox Evasion (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (3) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service
External … | Scheduled … | Startup … | Startup Items | Compile After … | DCSync | System Information … | Windows … | Web Portal … | Exfiltration … | Commonly … | Rogue Wi-Fi … (row truncated in the source)
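The process tree in the Startup section and the "Whoami Execution" Sigma hit are the behavioural core of this report: x64.exe spawns cmd.exe three times, once for plain `whoami`, once to probe the PowerShell execution policy, and once to run `whoami /priv` filtered through findstr for token privileges that enable escalation. The block below is an added example, not code from the report or from Joe Sandbox. It rebuilds that tree as Sysmon-style process-creation records (PIDs, parents and command lines are the report's; the field names and the image paths of whoami.exe, powershell.exe and findstr.exe are assumed), runs three detection rules over them, and then emulates findstr's default semantics on a constructed `whoami /priv` listing to show exactly which privileges the sample's filter would and would not surface. The report renders the sample's quoting with single quotes; double quotes are used here, since that is how cmd.exe has to receive a space-containing argument.

```python
"""Detection walk-through for the x64.exe process tree (added example).

All events and the whoami /priv listing below are constructed from the
report's Startup section, not captured telemetry.
"""
import re

# The findstr argument exactly as the report shows it. "seAssignPrimaryPrivilege"
# is not a real privilege name (the real one is SeAssignPrimaryTokenPrivilege).
PRIV_FILTER = ("SeImpersonatePrivilege seAssignPrimaryPrivilege SeDebugPrivilege "
               "SeLoadDriverPrivilege SeTcbPrivilege SeBackupPrivilege "
               "SeRestorePrivilege SeCreateTokenPrivilege SeTakeOwnershipPrivilege ")

# Privileges that commonly lead to SYSTEM (e.g. via token impersonation or driver loading).
SENSITIVE_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
                   "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
                   "SeRestorePrivilege", "SeCreateTokenPrivilege", "SeTakeOwnershipPrivilege"}

EVENTS = [  # constructed from the report's process tree; image paths marked are assumed
    {"pid": 6720, "ppid": 5692, "image": r"C:\Users\user\Desktop\x64.exe",
     "cmdline": r'"C:\Users\user\Desktop\x64.exe"'},
    {"pid": 6736, "ppid": 6720, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6788, "ppid": 6720, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c whoami"},
    {"pid": 6812, "ppid": 6788, "image": r"C:\Windows\system32\whoami.exe",  # path assumed
     "cmdline": "whoami"},
    {"pid": 6840, "ppid": 6720, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c powershell.exe "Get-ExecutionPolicy ;stop-process -Id $PID" ;exit'},
    {"pid": 6852, "ppid": 6840, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # path assumed
     "cmdline": r'powershell.exe "Get-ExecutionPolicy ;stop-process -Id $PID" ;exit'},
    {"pid": 5848, "ppid": 6720, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c whoami /priv |findstr "' + PRIV_FILTER + '"'},
    {"pid": 5460, "ppid": 5848, "image": r"C:\Windows\system32\whoami.exe",  # path assumed
     "cmdline": "whoami /priv"},
    {"pid": 6228, "ppid": 5848, "image": r"C:\Windows\system32\findstr.exe",  # path assumed
     "cmdline": 'findstr "' + PRIV_FILTER + '"'},
]

USER_WRITABLE = ("c:\\users\\",)  # assumed policy: binaries under here are untrusted
INTERPRETERS = {"cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image names from pid upward until a parent outside the event set (5692 here)."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for the three rules below."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        # Rule 1, the Sigma "Whoami Execution" logic: any whoami.exe start.
        # The ancestry chain is what a triager needs to find the launching binary.
        if img == "whoami.exe":
            alerts.append(("whoami_execution", e["pid"], " <- ".join(ancestry(by_pid, e["pid"]))))
        # Rule 2: whoami /priv piped into findstr, listing which real privilege
        # names the filter mentions (the misspelt token contributes nothing).
        if img == "cmd.exe" and re.search(r"whoami\s+/priv\s*\|\s*findstr", cmd, re.I):
            named = sorted(p for p in SENSITIVE_PRIVS if p in cmd)
            alerts.append(("priv_enum_filtered", e["pid"], ",".join(named)))
        # Rule 3: a shell spawned directly by a binary running from a user-writable path.
        if img in INTERPRETERS and parent and parent["image"].lower().startswith(USER_WRITABLE):
            alerts.append(("shell_from_user_path", e["pid"], basename(parent["image"])))
    return alerts


def emulate_findstr(lines, search_arg, ignore_case=False):
    """findstr without /C splits its argument on spaces into separate search
    strings and is case-sensitive unless /I is given. It treats them as
    regexes by default, but these tokens contain no metacharacters, so a
    substring test is equivalent. A line is kept if any token matches."""
    tokens = [t for t in search_arg.split(" ") if t]
    if ignore_case:
        tokens = [t.lower() for t in tokens]
    return [ln for ln in lines
            if any(t in (ln.lower() if ignore_case else ln) for t in tokens)]


def missed_privileges(output_lines, search_arg):
    """Sensitive privileges present in whoami /priv output that the filter drops."""
    caught = set(emulate_findstr(output_lines, search_arg))
    return sorted(ln.split()[0] for ln in output_lines
                  if ln.split() and ln.split()[0] in SENSITIVE_PRIVS and ln not in caught)


# Constructed whoami /priv listing in the standard three-column layout.
WHOAMI_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeShutdownPrivilege           Shut down the system                      Disabled
""".splitlines()

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
    print("findstr keeps:", [h.split()[0] for h in emulate_findstr(WHOAMI_PRIV_OUTPUT, PRIV_FILTER)])
    print("filter misses:", missed_privileges(WHOAMI_PRIV_OUTPUT, PRIV_FILTER))
```

Rule 3 is the one that separates this tree from an administrator typing `whoami` at a prompt: both whoami.exe starts and the privilege check sit under cmd.exe instances whose parent is an executable on the user's Desktop. The findstr emulation also shows why the sample's own filter is unreliable as an indicator of what it learned: with the misspelt token, an enabled SeAssignPrimaryTokenPrivilege would pass through unreported, while the Sigma-style rule on whoami.exe fires regardless of what the filter keeps.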