Automated Malware Analysis Report for tHxifI5gu4
Total Page: 16
File Type: pdf, Size: 1020Kb
ID: 291701
Sample Name: tHxifI5gu4
Cookbook: default.jbs
Time: 17:04:18
Date: 30/09/2020
Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report tHxifI5gu4 5
  Overview 5
    General Information 5
    Detection 5
    Signatures 5
    Classification 5
  Startup 6
  Malware Configuration 6
  Yara Overview 7
    Memory Dumps 7
    Unpacked PEs 7
  Sigma Overview 7
    System Summary: 7
  Signature Overview 8
    AV Detection: 8
    Key, Mouse, Clipboard, Microphone and Screen Capturing: 8
    E-Banking Fraud: 8
    System Summary: 8
    Persistence and Installation Behavior: 8
    Hooking and other Techniques for Hiding and Protection: 8
    Malware Analysis System Evasion: 8
    HIPS / PFW / Operating System Protection Evasion: 8
    Lowering of HIPS / PFW / Operating System Security Settings: 8
    Stealing of Sensitive Information: 8
    Remote Access Functionality: 9
  Mitre Att&ck Matrix 9
  Behavior Graph 9
  Screenshots 10
    Thumbnails 10
  Antivirus, Machine Learning and Genetic Malware Detection 11
    Initial Sample 11
    Dropped Files 11
    Unpacked PE Files 11
    Domains 11
    URLs 12
  Domains and IPs 12
    Contacted Domains 12
    URLs from Memory and Binaries 12
    Contacted IPs 12
      Public 12
  General Information 13
  Simulations 13
    Behavior and APIs 13
  Joe Sandbox View / Context 13
    IPs 13
    Domains 14
    ASN 14
    JA3 Fingerprints 14
    Dropped Files 14
  Created / dropped Files 14
  Static File Info 16
    General 16
    File Icon 16
    Static PE Info 16
      General 16
Copyright null 2020 Page 2 of 39
      Entrypoint Preview 17
      Data Directories 17
      Sections 18
      Resources 18
      Imports 18
      Possible Origin 18
  Network Behavior 18
    TCP Packets 18
  Code Manipulations 20
  Statistics 20
    Behavior 20
  System Behavior 21
    Analysis Process: tHxifI5gu4.exe PID: 7148 Parent PID: 5940 21
      General 21
      File Activities 21
        File Created 21
        File Written 22
        File Read 22
      Registry Activities 22
        Key Created 22
        Key Value Created 22
    Analysis Process: conhost.exe PID: 7156 Parent PID: 7148 22
      General 22
    Analysis Process: powershell.exe PID: 6880 Parent PID: 7148 23
      General 23
      File Activities 23
        File Created 23
        File Deleted 23
        File Written 23
        File Read 25
    Analysis Process: conhost.exe PID: 6876 Parent PID: 6880 28
      General 28
    Analysis Process: images.exe PID: 6952 Parent PID: 7148 28
      General 28
      File Activities 29
        File Created 29
        File Read 29
      Registry Activities 30
        Key Created 30
        Key Value Created 30
        Key Value Modified 30
    Analysis Process: conhost.exe PID: 6784 Parent PID: 6952 30
      General 30
    Analysis Process: cmd.exe PID: 1316 Parent PID: 3424 30
      General 30
      File Activities 31
        File Read 31
    Analysis Process: conhost.exe PID: 3492 Parent PID: 1316 31
      General 31
    Analysis Process: WMIC.exe PID: 4876 Parent PID: 1316 31
      General 31
      File Activities 31
        File Written 32
    Analysis Process: powershell.exe PID: 976 Parent PID: 6952 32
      General 32
      File Activities 32
        File Created 32
        File Deleted 33
        File Written 33
        File Read 34
    Analysis Process: cmd.exe PID: 4484 Parent PID: 6952 37
      General 37
    Analysis Process: conhost.exe PID: 960 Parent PID: 976 38
      General 38
    Analysis Process: conhost.exe PID: 4560 Parent PID: 4484 38
      General 38
    Analysis Process: rdpvideominiport.sys PID: 4 Parent PID: -1 38
      General 38
    Analysis Process: rdpdr.sys PID: 4 Parent PID: -1 38
      General 39
    Analysis Process: tsusbhub.sys PID: 4 Parent PID: -1 39
      General 39
  Disassembly 39
    Code Analysis 39

Analysis Report tHxifI5gu4

Overview

General Information
Sample Name: tHxifI5gu4 (renamed file extension from none to exe)
Analysis ID: 291701
MD5: b96fe909c2d2f45…
SHA1: 8fed92c2cf9e089…
SHA256: 67cacba2f313fd6…
Most interesting Screenshot: (screenshot image)

Detection
AveMaria
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Antivirus / Scanner detection for subm…
Malicious sample detected (through …
Multi AV Scanner detection for subm…
Sigma detected: Drops script at star…
Yara detected AveMaria stealer
Allocates memory in foreign process…
Contains functionality to create proc…
Contains functionality to hide user acc…
Creates a thread in another existing …
Creates files in alternative data strea…
Creates processes via WMI
Hides user accounts
High number of junk calls found (lik…
Increases the number of concurrent c…
Installs a global keyboard hook
Machine Learning detection for samp…
Writes to foreign memory regions
Abnormal high CPU Usage
Antivirus or Machine Learning detec…
Contains functionality to check if a d…
Contains functionality to query CPU …
Contains functionality to read the PEB
Contains functionality which may be…
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often fo…
Creates a process in suspended mo…
Creates a start menu entry (Start Me…
Creates or modifies windows services
Detected TCP or UDP traffic on non…
Enables debug privileges
Found a high number of Window / Us…
Found large amount of non-executed…
Found potential string decryption / a…
Installs a raw input device (often for …
May sleep (evasive loops) to hinder …
Modifies existing windows services
PE file contains sections with non-s…
Queries the volume information (nam…
Sample execution stops while proce…
Spawns drivers
Stores files to the Windows start me…
Yara signature match

Classification
(classification diagram; categories shown: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean)

Startup
System is w10x64
tHxifI5gu4.exe (PID: 7148 cmdline: 'C:\Users\user\Desktop\tHxifI5gu4.exe' MD5: B96FE909C2D2F458ABF71665CE1BB1EF)
  conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  powershell.exe (PID: 6880 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  images.exe (PID: 6952 cmdline: C:\ProgramData\images.exe MD5: B96FE909C2D2F458ABF71665CE1BB1EF)
    conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    powershell.exe (PID: 976 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      conhost.exe (PID: 960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    cmd.exe (PID: 4484 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cmd.exe (PID: 1316 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat' ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: