Automated Malware Analysis Report For
ID: 323663
Cookbook: browseurl.jbs
Time: 10:26:27
Date: 27/11/2020
Version: 31.0.0 Red Diamond

Table of Contents
Table of Contents 2
Analysis Report https://aka.ms/vmsettings 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 4
Malware Configuration 4
Yara Overview 4
Sigma Overview 4
Signature Overview 4
Mitre Att&ck Matrix 5
Behavior Graph 5
Screenshots 6
Thumbnails 6
Antivirus, Machine Learning and Genetic Malware Detection 7
Initial Sample 7
Dropped Files 7
Unpacked PE Files 7
Domains 7
URLs 7
Domains and IPs 9
Contacted Domains 9
Contacted URLs 9
URLs from Memory and Binaries 9
Contacted IPs 11
Public 12
General Information 12
Simulations 14
Behavior and APIs 14
Joe Sandbox View / Context 15
IPs 15
Domains 15
ASN 15
JA3 Fingerprints 15
Dropped Files 15
Created / dropped Files 15
Static File Info 36
No static file info 36
Network Behavior 36
Network Port Distribution 36
TCP Packets 36
UDP Packets 38
DNS Queries 39
DNS Answers 39
HTTPS Packets 40
Code Manipulations 42
Statistics 42
Behavior 42
System Behavior 42
Analysis Process: iexplore.exe PID: 4896 Parent PID: 792 42
General 42
File Activities 43
Registry Activities 43
Analysis Process: iexplore.exe PID: 1992 Parent PID: 4896 43
General 43
File Activities 43
Registry Activities 43
Analysis Process: TokenBrokerCookies.exe PID: 5844 Parent PID: 4896 44
General 44
File Activities 44
Disassembly 44
Code Analysis 44

Copyright null 2020 Page 2 of 44

Analysis Report https://aka.ms/vmsettings

Overview

General Information
Sample URL: https://aka.ms/vmsettings
Analysis ID: 323663
Most interesting Screenshot: (screenshot image)

Detection
Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
HTML body contains low number of …
HTML title does not match URL
Potential browser exploit detected (p…
Submit button contains javascript call
Very long cmdline option found, this is…

Classification
(radar chart) Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.

Startup
System is w10x64
iexplore.exe (PID: 4896 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 1992 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4896 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
TokenBrokerCookies.exe (PID: 5844 cmdline: C:\Windows\system32\TokenBrokerCookies.exe <no_string> https://login.microsoftonline.com/ 0 tbauth://login.windows.net/?context=https%3A%2F%2Flogin.microsoftonline.com&request_nonce=AQABAAAAAAB2UyzwtQEKR7-rWbgdcBZIIl7bgDY_GC9ioLlP7UyZwNcF0Gx1yd97u01lz4PRAzWbTvDq-5V1R6mzT4oAXB4gHhEI-2DF7F2ki_TfqenTgyAA&rid=3ba2171a-9af8-4eab-a790-ef9ae97a4c01 ESTSUSERLIST %7b%22users%22%3a%5b%5d%7d login.microsoftonline.com / 0 1208832155 30855147 1 MD5: 17F27A76AC8E9869C8F1BE286D88570A)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
• Phishing
• Software Vulnerabilities
• Networking
• System Summary
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
There are no malicious signatures.
Mitre Att&ck Matrix
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter 1; Scripting 1; Exploitation for Client Execution 1
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Scripting 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery 1; File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph
(graph figure) ID: 323663; URL: https://aka.ms/vmsettings; Startdate: 27/11/2020; Architecture: WINDOWS; Score: 2
Processes: iexplore.exe started iexplore.exe and TokenBrokerCookies.exe
DNS/IP Info: aadcdn.msauth.net; admin0a.online.lync.com; sni1gl.wpc.alphacdn.net; 52.112.108.12, 443, 49713, 49714 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 152.199.21.175, 443, 49728, 49729 (EDGECASTUS, United States); 17 other IPs or domains

Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
https://aka.ms/vmsettings | 0% | Virustotal |
https://aka.ms/vmsettings | 0% | Avira URL Cloud | safe

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
Source | Detection | Scanner | Label
sni1gl.wpc.alphacdn.net | 0% | Virustotal |
aadcdn.msauth.net | 2% | Virustotal |
assets.onestore.ms | 0% | Virustotal |
acctcdn.msauth.net | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label