ID: 396312 Cookbook: urldownload.jbs Time: 09:53:02 Date: 23/04/2021 Version: 31.0.0 Emerald Table of Contents

Table of Contents 2 Analysis Report https://us.softpedia-secure- download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe Overview 33 General Information 3 Detection 3 Signatures 3 Classification 3 Startup 3 Malware Configuration 3 Yara Overview 3 Sigma Overview 3 Signature Overview 3 Mitre Att&ck Matrix 4 Behavior Graph 4 Screenshots 5 Thumbnails 5 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Domains and IPs 7 Contacted Domains 7 URLs from Memory and Binaries 7 Contacted IPs 7 Public 7 General Information 7 Simulations 8 Behavior and APIs 8 Joe Sandbox View / Context 8 IPs 8 Domains 8 ASN 8 JA3 Fingerprints 8 Dropped Files 9 Created / dropped Files 9 Static File Info 9 No static file info 9 Network Behavior 9 Network Port Distribution 9 TCP Packets 10 UDP Packets 10 DNS Queries 10 DNS Answers 10 HTTPS Packets 10 Code Manipulations 11 Statistics 11 Behavior 11 System Behavior 11 Analysis Process: cmd.exe PID: 3580 Parent PID: 912 11 General 11 File Activities 12 File Created 12 Analysis Process: conhost.exe PID: 5908 Parent PID: 3580 12 General 12 Analysis Process: wget.exe PID: 5992 Parent PID: 3580 12 General 12 File Activities 12 File Created 12 Disassembly 13 Code Analysis 13

Copyright Joe Security LLC 2021 Page 2 of 13 Analysis Report https://us.softpedia-secure-download.c…om/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe

Overview

General Information Detection Signatures Classification

Sample URL: https://us.softpedia-s ecure-download.com/dl/4b DDeettteeccttteedd ppoottteenntttiiiaalll ccrrryypptttoo fffuunncctttiiioonn 98b6dbc02a94c36aff3c768 UDUseseteessc ctceoodd eep ootbbefffnuutssiacclaa ctttiiriooynnp ttttoee ccfuhhnnciiiqqtiuuoeenss (((… 6bdbd31/60813f0d/300818 793/drivers/keyboard/sp10 Uses code obfuscation techniques ( 0907.exe Ransomware

Analysis ID: 396312 Miner Spreading Infos: mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss Most interesting Screenshot: suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Score: 1 Range: 0 - 100 Whitelisted: false Confidence: 80%

Startup

System is w10x64 cmd.exe (PID: 3580 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-ag ent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/3008 18793/drivers/keyboard/sp100907.exe' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D) conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) wget.exe (PID: 5992 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907 .exe' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60) cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Copyright Joe Security LLC 2021 Page 3 of 13 • Compliance • Networking • System Summary • Data Obfuscation • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Language, Device and Operating System Detection

Click to jump to signature section

There are no malicious signatures, click here to show all signatures .

Mitre Att&ck Matrix

Remote Initial Privilege Defense Credential Lateral Command Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Impact Valid Windows Path Process Masquerading 1 OS Security Remote Archive Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Management Interception Injection 1 Credential Software Services Collected Over Other Channel 1 2 Insecure Track Device System Instrumentation Dumping Discovery 1 Data 1 Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Process LSASS System Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Injection 1 Memory Information Desktop Removable Over Application Redirect Phone Wipe Data Lockout Initialization Initialization Discovery 2 Protocol Media Bluetooth Layer Calls/SMS Without Scripts Scripts Protocol 1 Authorization Domain At (Linux) Logon Script Logon Obfuscated Files Security Remote SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) Script or Information 1 Account System Admin Shares Network Exfiltration Layer Track Device Device Device (Windows) Manager Discovery 1 Shared Protocol 2 Location Cloud Data Drive Backups

Behavior Graph

Copyright Joe Security LLC 2021 Page 4 of 13 Hide Legend Legend: Behavior Graph Process ID: 396312 Signature URL: https://us.softpedia-secure... Created File Startdate: 23/04/2021 DNS/IP Info Architecture: WINDOWS Is Dropped Score: 1 Is Windows Process

Number of created Registry Values started Number of created Files

Visual Basic cmd.exe Delphi

Java

2 .Net C# or VB.NET C, C++ or other language

started started Is malicious Internet

wget.exe conhost.exe

2

us.softpedia-secure-download.com

5.35.211.214, 443, 49708 GTSCEGTSCentralEuropeAntelGermanyCZ Romania

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright Joe Security LLC 2021 Page 5 of 13 Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link https://us.softpedia-secure- 0% Avira URL Cloud safe download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907 .exe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Copyright Joe Security LLC 2021 Page 6 of 13 Domains and IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation us.softpedia-secure-download.com 5.35.211.214 true false high

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation https://us.softpedia-secure- wget.exe, 00000002.00000002.21 false high download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813 1734455.0000000000CF0000.00000 f0d/300818793/driv 004.00000020.sdmp, cmdline.out.2.dr

Contacted IPs

No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs

Public

IP Domain Country Flag ASN ASN Name Malicious 5.35.211.214 us.softpedia-secure- Romania 5588 GTSCEGTSCentralEuropeA false download.com ntelGermanyCZ

General Information

Joe Sandbox Version: 31.0.0 Emerald Analysis ID: 396312 Start date: 23.04.2021 Start time: 09:53:02 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 42s Hypervisor based Inspection enabled: false Report type: light Cookbook file name: urldownload.jbs

Copyright Joe Security LLC 2021 Page 7 of 13 Sample URL: https://us.softpedia-secure-download.com/dl/4b98 b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/ drivers/keyboard/sp100907.exe Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 Number of analysed new started processes analysed: 4 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis Mode: default Analysis stop reason: Timeout Detection: CLEAN Classification: clean1.win@4/2@1/1 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Unable to download file Warnings: Show All Exclude process from analysis (whitelisted): svchost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125 Excluded domains from analysis (whitelisted): blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net Execution Graph export aborted for target wget.exe, PID 5992 because there are no executed function Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Copyright Joe Security LLC 2021 Page 8 of 13 No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\cmdline.out Process: C:\Windows\SysWOW64\wget.exe File Type: ASCII text, with CRLF line terminators Category: dropped Size (bytes): 452 Entropy (8bit): 5.163493341404146 Encrypted: false SSDEEP: 12:H9WFI7cmK+0cc5amKghmKliymKghmKJ5W3QT1De5RhZX9WFaKbb:SIwJ+S5aJghJgyJghJK36xePzXyaq MD5: 15C693F318C5B2053006DE68388DE109 SHA1: 9096FFD56714CC19208E63CDA3D289E14411D336 SHA-256: ABF102549A85E7B171116ABCF584626C6AE93F1804DCD7BF7FC9E5199C814B48 SHA-512: 8E56D0A2E312CD3E5C426892DC96CF664A931552ECBE6C33B39B09FCA338780308FB2C0BE50AD18B5E5C744D57A2B21C972A56B8D665600959AEF992AAA3163 C Malicious: false Reputation: low Preview: --2021-04-23 09:53:55-- https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe ..Resolving us.softpedia-secure-download.com (us.softpedia-secure-download.com)... 5.35.211.214..Connecting to us.softpedia-secure-download.com (us.softpedia-se cure-download.com)|5.35.211.214|:443... connected...HTTP request sent, awaiting response... 410 Gone..2021-04-23 09:53:55 ERROR 410: Gone.....

C:\Users\user\Desktop\download\.wget-hsts Process: C:\Windows\SysWOW64\wget.exe File Type: ASCII text, with CRLF line terminators Category: modified Size (bytes): 191 Entropy (8bit): 5.152062369654515 Encrypted: false SSDEEP: 3:SY2FyFARLlbwFAM9CxnOLVFzDwIVhyyJxWQ5RdkA8dyXWYsv4XAIDDK0sV0WQvkU:SYeRLlbA0noH9VhyyJQQ5oA8UXWdaA2t MD5: 824C417D791EA95B00A6AB7599828759 SHA1: F682AF24F144BA4A3514AB66B38A82EC7355F223 SHA-256: B0C8EEC05B56479989273C3A2EB90E2678ED2D99FC777A0AFD99F3A44CCF0270 SHA-512: 22369E56F779AC2E6C3DC151AFA01D13DEAF146ED8D142480761BC01B5B569B54CDA3FC0BB67E6B52806555A66BF940E06306BAD8DFCF1244B90CAB3FC3FC7 27 Malicious: false Reputation: low Preview: # HSTS 1.0 Known Hosts database for GNU Wget...# Edit at your own risk...# ......us.softpedia-secure-downloa d.com.0.1.1619196835.63072000..

Static File Info

No static file info

Network Behavior

Network Port Distribution

Copyright Joe Security LLC 2021 Page 9 of 13 Total Packets: 10 • 53 (DNS) • 443 (HTTPS)

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP Apr 23, 2021 09:53:55.407780886 CEST 49708 443 192.168.2.3 5.35.211.214 Apr 23, 2021 09:53:55.472234011 CEST 443 49708 5.35.211.214 192.168.2.3 Apr 23, 2021 09:53:55.472362995 CEST 49708 443 192.168.2.3 5.35.211.214 Apr 23, 2021 09:53:55.478569031 CEST 49708 443 192.168.2.3 5.35.211.214 Apr 23, 2021 09:53:55.542885065 CEST 443 49708 5.35.211.214 192.168.2.3 Apr 23, 2021 09:53:55.552016973 CEST 443 49708 5.35.211.214 192.168.2.3 Apr 23, 2021 09:53:55.552063942 CEST 443 49708 5.35.211.214 192.168.2.3 Apr 23, 2021 09:53:55.552098989 CEST 443 49708 5.35.211.214 192.168.2.3 Apr 23, 2021 09:53:55.552143097 CEST 49708 443 192.168.2.3 5.35.211.214 Apr 23, 2021 09:53:55.558835030 CEST 49708 443 192.168.2.3 5.35.211.214 Apr 23, 2021 09:53:55.626178026 CEST 443 49708 5.35.211.214 192.168.2.3 Apr 23, 2021 09:53:55.628305912 CEST 49708 443 192.168.2.3 5.35.211.214 Apr 23, 2021 09:53:55.693011999 CEST 443 49708 5.35.211.214 192.168.2.3 Apr 23, 2021 09:53:55.733338118 CEST 49708 443 192.168.2.3 5.35.211.214 Apr 23, 2021 09:53:56.103929996 CEST 49708 443 192.168.2.3 5.35.211.214

UDP Packets

Timestamp Source Port Dest Port Source IP Dest IP Apr 23, 2021 09:53:48.667090893 CEST 60152 53 192.168.2.3 8.8.8.8 Apr 23, 2021 09:53:48.715848923 CEST 53 60152 8.8.8.8 192.168.2.3 Apr 23, 2021 09:53:55.307277918 CEST 57544 53 192.168.2.3 8.8.8.8 Apr 23, 2021 09:53:55.393995047 CEST 53 57544 8.8.8.8 192.168.2.3

DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Apr 23, 2021 09:53:55.307277918 CEST 192.168.2.3 8.8.8.8 0x85e6 Standard query us.softpedia- A (IP address) IN (0x0001) (0) secure- download.com

DNS Answers

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class Apr 23, 2021 8.8.8.8 192.168.2.3 0x85e6 No error (0) us.softpedia- 5.35.211.214 A (IP address) IN (0x0001) 09:53:55.393995047 secure- CEST download.com

HTTPS Packets

Source Dest Not Not JA3 SSL Client Timestamp Source IP Port Dest IP Port Subject Issuer Before After Fingerprint JA3 SSL Client Digest

Copyright Joe Security LLC 2021 Page 10 of 13 Source Dest Not Not JA3 SSL Client Timestamp Source IP Port Dest IP Port Subject Issuer Before After Fingerprint JA3 SSL Client Digest Apr 23, 2021 5.35.211.214 443 192.168.2.3 49708 CN=softpedia-secure- CN=DigiCert TLS RSA Thu Jan Mon Feb 771,49196-49200- 807fca46d9d0cf63adf4e5 09:53:55.552098989 download.com, SHA256 2020 CA1, 28 28 159-52393-52392- e80e414bbe CEST O=SoftNews Net SRL, O=DigiCert Inc, C=US 01:00:00 00:59:59 52394-49195- L=Bucharest, C=RO CN=DigiCert Global Root CET CET 49199-158-49188- CN=DigiCert TLS RSA CA, 2021 2022 49192-107-49187- SHA256 2020 CA1, OU=www.digicert.com, Thu Sep Tue Sep 49191-103-49162- O=DigiCert Inc, C=US O=DigiCert Inc, C=US 24 24 49172-57-49161- 02:00:00 01:59:59 49171-51-157-156- CEST CEST 61-60-53-47-255,0- 2020 2030 11-10-35-22-23- 13,29-23-25-24,0-1- CN=DigiCert TLS RSA CN=DigiCert Global Root Thu Sep Tue Sep 2 SHA256 2020 CA1, CA, 24 24 O=DigiCert Inc, C=US OU=www.digicert.com, 02:00:00 01:59:59 O=DigiCert Inc, C=US CEST CEST 2020 2030

Code Manipulations

Statistics

Behavior

• cmd.exe • conhost.exe • wget.exe

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 3580 Parent PID: 912

General

Start time: 09:53:53 Start date: 23/04/2021 Path: C:\Windows\SysWOW64\cmd.exe Wow64 process (32bit): true Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no -check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com/dl/4b98b6 dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe' > c mdline.out 2>&1 Imagebase: 0xbd0000 File size: 232960 bytes MD5 hash: F3BDBE3BB6F734E357235F4D5898582D Has elevated privileges: true

Copyright Joe Security LLC 2021 Page 11 of 13 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\Desktop\cmdline.out read attributes | device synchronous io success or wait 1 BDD194 CreateFileW synchronize | non alert | non generic write directory file

Analysis Process: conhost.exe PID: 5908 Parent PID: 3580

General

Start time: 09:53:53 Start date: 23/04/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff6b2800000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

Analysis Process: wget.exe PID: 5992 Parent PID: 3580

General

Start time: 09:53:54 Start date: 23/04/2021 Path: C:\Windows\SysWOW64\wget.exe Wow64 process (32bit): true Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-d isposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686 bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe' Imagebase: 0x400000 File size: 3895184 bytes MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\Desktop\download\.wget-hsts read attributes | device synchronous io success or wait 1 46596C fopen synchronize | non alert | non generic read | directory file generic write

Copyright Joe Security LLC 2021 Page 12 of 13 Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis

Copyright Joe Security LLC 2021 Page 13 of 13