
Automated Malware Analysis Report for Iexpress.Exe


ID: 185077
Sample Name: iexpress.exe
Cookbook: default.jbs
Time: 15:15:57
Date: 24/10/2019
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents (p. 2)
Analysis Report iexpress.exe (p. 4)
Overview (p. 4)
General Information (p. 4)
Detection (p. 4)
Confidence (p. 4)
Classification (p. 5)
Mitre Att&ck Matrix (p. 5)
Signature Overview (p. 6)
Spreading (p. 6)
System Summary (p. 6)
Persistence and Installation Behavior (p. 6)
Malware Analysis System Evasion (p. 6)
Anti Debugging (p. 7)
Language, Device and Detection (p. 7)
Behavior Graph (p. 7)
Simulations (p. 7)
Behavior and (p. 7)
Antivirus, Machine Learning and Genetic Malware Detection (p. 7)
Initial Sample (p. 8)
Dropped Files (p. 8)
Unpacked PE Files (p. 8)
Domains (p. 8)
URLs (p. 8)
Yara Overview (p. 8)
Initial Sample (p. 8)
PCAP (Network Traffic) (p. 8)
Dropped Files (p. 8)
Memory Dumps (p. 8)
Unpacked PEs (p. 8)
Joe Sandbox View / Context (p. 8)
IPs (p. 8)
Domains (p. 8)
ASN (p. 8)
JA3 Fingerprints (p. 9)
Dropped Files (p. 9)
Screenshots (p. 9)
Thumbnails (p. 9)
Startup (p. 9)
Created / dropped Files (p. 10)
Domains and IPs (p. 10)
Contacted Domains (p. 10)
Contacted IPs (p. 10)
Static File Info (p. 10)
General (p. 10)
File Icon (p. 10)
Static PE Info (p. 10)
General (p. 10)
Entrypoint Preview (p. 11)
Data Directories (p. 12)
Sections (p. 12)
Resources (p. 13)
Imports (p. 13)
Version Infos (p. 13)
Possible Origin (p. 13)
Network Behavior (p. 14)
Code Manipulations (p. 14)
Statistics (p. 14)
System Behavior (p. 14)
Analysis Process: iexpress.exe PID: 4152 Parent PID: 1472 (p. 14)
General (p. 14)
File Activities (p. 14)
Disassembly (p. 14)
Code Analysis (p. 14)

Copyright Joe Security LLC 2019

Analysis Report iexpress.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 185077
Start date: 24.10.2019
Start time: 15:15:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: iexpress.exe
Cookbook file name: default.jbs
Analysis system description: 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winEXE@1/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 90.7% (good quality ratio 48.4%), quality average: 27.8%, quality standard deviation: 31.7%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated

Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 2 0 - 100 true

Confidence

Strategy Score Range Further Analysis Required? Confidence


Threshold 5 0 - 5 false

Classification

Classification diagram (rendered as an image in the original report): the sample is placed in the "clean" ring of the malicious / suspicious / clean scale. Categories shown on the diagram: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.

Mitre Att&ck Matrix

Privilege Defense Credential Lateral Command and Initial Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Valid Accounts Windows Port Monitors Credential System Time Application Data from Local Data Standard Remote Helper DLL Logical Offsets Dumping Discovery 1 Deployment System Encrypted 1 Cryptographic Management Software Protocol 1 Replication Service Port Monitors Accessibility Binary Padding Network File and Remote Services Data from Exfiltration Over Fallback Through Execution Features Sniffing Directory Removable Other Network Channels Removable Discovery 1 Media Medium Media Drive-by Windows Accessibility Path Rootkit Input System Windows Data from Automated Custom Compromise Management Features Interception Capture Information Remote Network Shared Exfiltration Cryptographic Instrumentation Discovery 3 Management Drive Protocol

Signature Overview

• Spreading
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Spreading:

Contains functionality to enumerate / list files inside a directory

System Summary:

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Classification label

Contains functionality for error logging

Contains functionality to load and extract PE file embedded resources

PE file has an executable .text section and no other executable section

Reads software policies

Executable creates window controls seldom found in malware

PE file has a high image base, often used for DLLs

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

Persistence and Installation Behavior:

Contains functionality to read ini properties file for application configuration

Malware Analysis System Evasion:

Found large amount of non-executed APIs

Program does not show much activity (idle)

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Anti Debugging:

Program does not show much activity (idle)

Contains functionality to register its own exception handler

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Contains functionality to query windows version

Behavior Graph

Behavior graph (rendered as an image in the original report). ID: 185077, Sample: iexpress.exe, Startdate: 24/10/2019, Architecture: WINDOWS, Score: 2. The graph shows a single node, iexpress.exe, started by the analysis, with no created files, registry values, dropped files or network connections. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
iexpress.exe | 0% | Virustotal
iexpress.exe | 0% | Metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

Startup

System is w10x64

iexpress.exe (PID: 4152, cmdline: 'C:\Users\user\Desktop\iexpress.exe', MD5: 6CE1AADAE5F10999B2F4287649D5B334)

cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.767913871987805
TrID:
  Win64 Executable GUI (202006/5) 92.02%
  Win64 Executable (generic) (12005/4) 5.47%
  Generic Win/DOS Executable (2004/3) 0.91%
  DOS Executable Generic (2002/1) 0.91%
  Java Script embedded in Visual Basic Script (1500/0) 0.68%

File name: iexpress.exe
File size: 167424
MD5: 6ce1aadae5f10999b2f4287649d5b334
SHA1: e07692215ae111830484fbf44c9d644f1193dc7c
SHA256: 00bec77c6658f77c0988a162d61dcf234a0620d314d23c93bffe2925d9f5bb5e
SHA512: 542021c837ddf6d3ded6624b1373748f539f682e77febaf4bda056442399208fc8605162d8571be5738b5d55efdc340f4183c372b74f377c748582d2c060acd2
SSDEEP: 3072:WcGp4EmUsXladvtre7ePgxNNDnGOb+ahXNqJohePnq45L84r:RGSEmUssdl+NDGOb+asEwv5L
File Content Preview: MZ...... @...... !..L.!Th is program cannot be run in DOS mode....$...... g..<#.xo #.xo#.xo...o".xo...o".xo...o6.xo#.yo..xo...o1.xo...o).xo...o" .xo...o".xoRich#.xo...... PE..d...... P...

File Icon

Icon Hash: e8feeeeee6667618

Static PE Info

General

Entrypoint: 0x14000fdd8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5010A6CD [Thu Jul 26 02:09:17 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 2
File Version Major: 6
File Version Minor: 2
Subsystem Version Major: 6
Subsystem Version Minor: 2
Import Hash: 6eb63c97f69c75599c91eb5181d1442b

Entrypoint Preview

Instruction

(The listing below is a 32-bit decode of x86-64 code: the recurring "dec eax", "dec esp" and "inc ebp" entries are REX prefix bytes of the following instruction, not real instructions.)

dec eax
sub esp, 28h
call 00007FF464A1BEA8h
dec eax
add esp, 28h
jmp 00007FF464A1B877h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00001309h]
jne 00007FF464A1BAD4h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FF464A1BAC5h
retn 0000h
dec eax
ror ecx, 10h
jmp 00007FF464A1BACDh
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 00000080h
dec eax
lea ecx, dword ptr [000021D1h]
call dword ptr [00006CE3h]
dec eax
mov eax, dword ptr [000022BCh]
dec eax
mov dword ptr [esp+48h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+50h]
dec eax
mov ecx, dword ptr [esp+48h]
call dword ptr [00006CBCh]
dec eax
mov dword ptr [esp+40h], eax
dec eax
cmp dword ptr [esp+40h], 00000000h
je 00007FF464A1BB04h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+58h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+60h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [0000217Bh]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+40h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16000 | 0xdc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x157d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x15000 | 0x6cc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0x104 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1040 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a60 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16610 | 0x530 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xfcec | 0xfe00 | False | 0.547720841535 | data | 6.34304608093 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x11000 | 0x3354 | 0x1000 | False | 0.115478515625 | data | 1.22469096808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x15000 | 0x6cc | 0x800 | False | 0.48974609375 | data | 4.32406620771 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x16000 | 0x1638 | 0x1800 | False | 0.416829427083 | data | 4.68987904546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x18000 | 0x157d8 | 0x15800 | False | 0.620083121366 | data | 7.02066874618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e000 | 0x2c2 | 0x400 | False | 0.216796875 | data | 1.97539787963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
MUI | 0x2d6f0 | 0xe8 | data | English | United States
RT_BITMAP | 0x261b0 | 0x71d8 | data | English | United States
RT_ICON | 0x18750 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x18878 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x18de0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2022147975, next used block 128 | English | United States
RT_ICON | 0x190c8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x19970 | 0x668 | data | English | United States
RT_ICON | 0x19fd8 | 0xea8 | data | English | United States
RT_ICON | 0x1ae80 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x1b2e8 | 0x10a8 | data | English | United States
RT_ICON | 0x1c390 | 0x25a8 | data | English | United States
RT_ICON | 0x1e938 | 0x77e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_GROUP_ICON | 0x26118 | 0x92 | data | English | United States
RT_VERSION | 0x2d388 | 0x368 | data | English | United States
RT_MANIFEST | 0x18380 | 0x3cf | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import

KERNEL32.dll | CopyFileA, SetFileAttributesA, FindClose, GetPrivateProfileStringA, LocalAlloc, WritePrivateProfileStringA, GetSystemInfo, GetModuleFileNameA, GetPrivateProfileSectionA, CompareStringA, GetUserDefaultUILanguage, GetVersionExA, CloseHandle, GetVersion, LocalFree, DeleteFileA, FreeResource, MapViewOfFile, UnmapViewOfFile, _llseek, FreeLibrary, LoadResource, _lwrite, GlobalLock, _lclose, GetTickCount, EnumResourceTypesA, FindResourceExA, GlobalAlloc, GetProcAddress, EnumResourceLanguagesA, GlobalUnlock, SetLastError, GlobalFree, GetTempFileNameA, CreateFileMappingA, MoveFileA, LockResource, _lread, LoadLibraryExA, EnumResourceNamesA, GetFileInformationByHandle, GetTempPathA, GetCurrentDirectoryA, GetSystemTime, WideCharToMultiByte, MultiByteToWideChar, lstrcmpiA, GetLastError, FindFirstFileA, CreateDirectoryA, GetShortPathNameA, ReadFile, CreateProcessA, GetExitCodeProcess, GetFileAttributesA, GetPrivateProfileIntA, WriteFile, FormatMessageA, GetModuleHandleW, WritePrivateProfileSectionA, lstrcmpA, Sleep, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, IsDBCSLeadByte, CreateFileA, SizeofResource, GetFullPathNameA

GDI32.dll | GetStockObject, GetDeviceCaps, CreateFontIndirectA, DeleteObject, GetObjectA, CreateFontIndirectW

USER32.dll | CheckRadioButton, IsDlgButtonChecked, ShowWindow, CheckDlgButton, GetWindowRect, SystemParametersInfoW, CharPrevA, SetDlgItemTextA, GetWindowLongPtrA, SendDlgItemMessageA, MsgWaitForMultipleObjects, LoadStringA, GetParent, MessageBeep, CharNextA, SetFocus, SendMessageA, GetDC, MessageBoxA, PeekMessageA, ReleaseDC, GetDlgItem, SetWindowLongPtrA, PostMessageA, DispatchMessageA, GetSystemMetrics, EnableWindow, CallWindowProcA, GetDlgItemTextA

msvcrt.dll | memcpy, _itoa, _itoa_s, free, _fmode, __C_specific_handler, _initterm, __setusermatherr, _ismbblead, _cexit, ?terminate@@YAXXZ, _commode, _acmdln, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, wcsncmp, mbstowcs, _splitpath_s, strtoul, toupper, memcpy_s, _vsnprintf, strtok, strchr, malloc, memset

ntdll.dll | RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind

COMCTL32.dll | CreatePropertySheetPageA, PropertySheetA, DestroyPropertySheetPage

COMDLG32.dll | GetOpenFileNameA, GetSaveFileNameA

VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA

imagehlp.dll | CheckSumMappedFile

ADVAPI32.dll | RegOpenKeyExA, RegCloseKey, RegQueryValueExA

Version Infos

Description | Data
LegalCopyright | Corporation. All rights reserved.
InternalName | IEXPRESS
FileVersion | 10.00.9200.16384 (win8_rtm.120725-1247)
CompanyName | Microsoft Corporation
ProductName | Windows
ProductVersion | 10.00.9200.16384
FileDescription | Wizard
OriginalFilename | IEXPRESS.EXE
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: iexpress.exe PID: 4152 Parent PID: 1472

General

Start time: 15:17:17
Start date: 24/10/2019
Path: C:\Users\user\Desktop\iexpress.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\iexpress.exe'
Imagebase: 0x7ff65ab80000
File size: 167424 bytes
MD5 hash: 6CE1AADAE5F10999B2F4287649D5B334
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis
