ID: 414834
Cookbook: urldownload.jbs
Time: 01:27:05
Date: 15/05/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents (page 2)
Analysis Report https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe (page 4)
  Overview (page 4)
    General Information (page 4)
    Detection (page 4)
    Signatures (page 4)
    Classification (page 4)
    Analysis Advice (page 4)
  Startup (page 4)
  Configuration (page 4)
  Yara Overview (page 4)
  Sigma Overview (page 5)
  Signature Overview (page 5)
    Malware Analysis System Evasion: (page 5)
  Mitre Att&ck Matrix (page 5)
  Behavior Graph (page 6)
  Screenshots (page 6)
    Thumbnails (page 6)
  Antivirus, Machine Learning and Genetic Malware Detection (page 7)
    Initial Sample (page 7)
    Dropped Files (page 7)
    Unpacked PE Files (page 8)
    Domains (page 8)
    URLs (page 8)
  Domains and IPs (page 8)
    Contacted Domains (page 8)
    URLs from Memory and Binaries (page 8)
    Contacted IPs (page 10)
      Public (page 10)
  General Information (page 11)
  Simulations (page 11)
    Behavior and APIs (page 11)
  Joe Sandbox View / Context (page 11)
    IPs (page 11)
    Domains (page 11)
    ASN (page 12)
    JA3 Fingerprints (page 12)
    Dropped Files (page 12)
  Created / dropped Files (page 12)
  Static File Info (page 13)
    No static file info (page 13)
  Network Behavior (page 13)
  Code Manipulations (page 13)
  Statistics (page 13)
  Behavior (page 13)
  System Behavior (page 14)
    Analysis Process: cmd.exe PID: 6708 Parent PID: 4368 (page 14)
      General (page 14)
      File Activities (page 14)
        File Created (page 14)
    Analysis Process: conhost.exe PID: 6744 Parent PID: 6708 (page 14)
      General (page 14)
    Analysis Process: wget.exe PID: 6792 Parent PID: 6708 (page 15)
      General (page 15)
      File Activities (page 15)
        File Created (page 15)
        File Written (page 15)
    Analysis Process: gimp-2.10.24-setup-3.exe PID: 5168 Parent PID: 5968 (page 16)
      General (page 16)
    Analysis Process: gimp-2.10.24-setup-3.tmp PID: 5776 Parent PID: 5168 (page 16)
      General (page 16)
  Disassembly (page 17)
    Code Analysis (page 17)

Copyright Joe Security LLC 2021 Page 2 of 17

Analysis Report https://download.gimp.org/mirror/pub/gi…mp/v2.10/windows/gimp-2.10.24-setup-3.exe

Overview

General Information

Sample URL: https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe
Analysis ID: 414834
Infos: (links not preserved)
Most interesting Screenshot: (image not preserved)

Detection

Score: 29
Range: 0 - 100
Whitelisted: false
Confidence: 40%
Detection gauge: malicious / suspicious / clean (result: suspicious)

Signatures (names truncated as displayed)

• Found evasive API chain (may stop…
• Abnormal high CPU Usage
• Contains functionality to check if a w…
• Contains functionality to launch a pr…
• Contains functionality to query CPU …
• Contains functionality to query locale …
• Contains functionality to shutdown / l…
• Detected potential crypto function
• Drops PE files
• Found evasive API chain (may stop…
• Found evasive API chain checking f…
• Found large amount of non-executed…
• Found potential string decryption / a…
• PE file contains an invalid checksum
• PE file contains executable resources…
• PE file contains sections with non-s…
• PE file contains strange resources
• Queries the volume information (name…
• Uses code obfuscation techniques (…

Classification

Classification radar chart (image not preserved); axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.

Analysis Advice

• Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
• Sample may be VM or Sandbox-aware, try analysis on a native machine
• Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Startup

System is w10x64
• cmd.exe (PID: 6708, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • conhost.exe (PID: 6744, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wget.exe (PID: 6792, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
• gimp-2.10.24-setup-3.exe (PID: 5168, cmdline: 'C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe', MD5: 8CF9EE41CC3792E6F28011E4F58C442B)
  • gimp-2.10.24-setup-3.tmp (PID: 5776, cmdline: 'C:\Users\user\AppData\Local\Temp\is-LDF2K.tmp\gimp-2.10.24-setup-3.tmp' /SL5='$A0134,252290745,780800,C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe', MD5: D3320A403E7C76282723D61B2C344F34)
• cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection


Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Mitre Att&ck Matrix

Matrix columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects.

Techniques with matches (the numbers are the counts shown in the matrix):
• Execution: Command and Scripting Interpreter 2; Native API 1 2
• Privilege Escalation: Exploitation for Privilege Escalation 1; Access Token Manipulation 1; Process Injection 3
• Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1; Access Token Manipulation 1; Process Injection 3; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
• Discovery: System Time Discovery 1; Security Software Discovery 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; Application Window Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 3 6
• Collection: Archive Collected Data 1
• Command and Control: Encrypted Channel 1

No technique is marked under Initial Access, Persistence, Credential Access, Lateral Movement, Exfiltration or Network Effects.

Behavior Graph

Behavior graph (image not preserved). Graph header: ID: 414834, URL: https://download.gimp.org/m..., Startdate: 15/05/2021, Architecture: WINDOWS, Score: 29.

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.

Process nodes: cmd.exe (started wget.exe and conhost.exe), wget.exe, conhost.exe, gimp-2.10.24-setup-3.exe (started gimp-2.10.24-setup-3.tmp), gimp-2.10.24-setup-3.tmp.

Dropped file nodes: C:\Users\user\...\gimp-2.10.24-setup-3.exe, PE32; C:\Users\user\...\gimp-2.10.24-setup-3.tmp, PE32.

Network nodes: 194.71.11.165 (SUNETSUNETSwedishUniversityNetworkEU, Sweden); 194.71.11.166 (SUNETSUNETSwedishUniversityNetworkEU, Sweden); 2 other IPs or domains.

Signature node: Found evasive API chain (may stop execution after checking mutex)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Thumbnail images not preserved.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe | 0% | Virustotal | | Browse
https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe | 0% | Avira URL Cloud | safe |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\is-LDF2K.tmp\gimp-2.10.24-setup-3.tmp | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\is-LDF2K.tmp\gimp-2.10.24-setup-3.tmp | 2% | ReversingLabs | |
C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe | 0% | Virustotal | | Browse
C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe | 0% | ReversingLabs | |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
ocsp.sectigo.com0 | 0% | URL Reputation | safe |
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe |
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
www.dk-soft.org/ | 0% | URL Reputation | safe |
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
https://www.remobjects.com/ps | 1% | Virustotal | | Browse
https://www.remobjects.com/ps | 0% | Avira URL Cloud | safe |
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
https://www.innosetup.com/ | 3% | Virustotal | | Browse
https://www.innosetup.com/ | 0% | Avira URL Cloud | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | gimp-2.10.24-setup-3.exe, 00000014.00000000.719710943.0000000000401000.00000020.00020000.sdmp, gimp-2.10.24-setup-3.exe.3.dr | false | | high
https://sectigo.com/CPS0 | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | URL Reputation: safe | unknown
ocsp.sectigo.com0 | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | URL Reputation: safe | unknown
www..org/philosophy/why-not-lgpl.html | gimp-2.10.24-setup-3.tmp, 00000017.00000002.992103526.0000000003500000.00000004.00000001.sdmp | false | | high
https://ftp.acc.umu.se/pub/gimp/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe | cmdline.out.3.dr | false | | high
https://www.gimp.org/03 | gimp-2.10.24-setup-3.exe, 00000014.00000002.985175110.00000000022B3000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp, 00000017.00000002.987828300.00000000025D3000.00000004.00000001.sdmp | false | | high
https://www.gimp.org/docs/pf | gimp-2.10.24-setup-3.tmp, 00000017.00000002.987706265.00000000025AF000.00000004.00000001.sdmp | false | | high
https://www.gnu.org/licenses/ | gimp-2.10.24-setup-3.tmp, 00000017.00000002.992103526.0000000003500000.00000004.00000001.sdmp | false | | high
https://bugzilla.gnome.org/enter_bug.cgi?product=GIMP | gimp-2.10.24-setup-3.tmp, 00000017.00000002.992915726.0000000005564000.00000004.00000001.sdmp | false | | high
https://www.gimp.org/ | gimp-2.10.24-setup-3.tmp, 00000017.00000002.992103526.0000000003500000.00000004.00000001.sdmp | false | | high
https://www.gimp.org/docs/pf) | gimp-2.10.24-setup-3.exe, 00000014.00000002.985085317.0000000002296000.00000004.00000001.sdmp | false | | high
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | URL Reputation: safe | unknown
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | URL Reputation: safe | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | gimp-2.10.24-setup-3.exe | false | | high
www.dk-soft.org/ | gimp-2.10.24-setup-3.exe, 00000014.00000002.984640250.0000000002190000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp, 00000017.00000002.993403649.00000000055ED000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | URL Reputation: safe | unknown
https://gitlab.gnome.org/GNOME/gimp/issues | gimp-2.10.24-setup-3.tmp, 00000017.00000002.992915726.0000000005564000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp, 00000017.00000002.992103526.0000000003500000.00000004.00000001.sdmp | false | | high
https://laotzu.ftp.acc.umu.se/pub/gimp/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe | cmdline.out.3.dr | false | | high
https://www.remobjects.com/ps | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp, gimp-2.10.24-setup-3.tmp.20.dr | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | URL Reputation: safe | unknown
https://www.gimp.org/4https://www.gimp.org/docs/ | gimp-2.10.24-setup-3.exe, 00000014.00000003.720131891.00000000024B0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp, 00000017.00000002.992103526.0000000003500000.00000004.00000001.sdmp | false | | high
https://www.innosetup.com/ | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp, gimp-2.10.24-setup-3.tmp, 00000017.00000000.723954121.0000000000401000.00000020.00020000.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0D | gimp-2.10.24-setup-3.exe, 00000014.00000003.721803160.00000000007FBC0000.00000004.00000001.sdmp, gimp-2.10.24-setup-3.tmp.20.dr | false | URL Reputation: safe | unknown
fsf.org/ | gimp-2.10.24-setup-3.tmp, 00000017.00000002.992103526.0000000003500000.00000004.00000001.sdmp | false | | high
https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe | wget.exe, 00000003.00000002.594815307.0000000001220000.00000004.00000040.sdmp, wget.exe, 00000003.00000002.594825031.0000000001226000.00000004.00000040.sdmp, cmdline.out.3.dr | false | | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
8.43.85.16 | unknown | United States | 17314 | REDHAT-HOSTEDUS | false
194.71.11.165 | unknown | Sweden | 1653 | SUNETSUNETSwedishUniversityNetworkEU | false
194.71.11.166 | unknown | Sweden | 1653 | SUNETSUNETSwedishUniversityNetworkEU | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 414834
Start date: 15.05.2021
Start time: 01:27:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 53s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus29.evad.win@7/4@0/4
EGA Information: Successful, ratio: 66.7%
HDC Information: Successful, ratio: 20% (good quality ratio 19.6%)
Quality average: 77.3%
Quality standard deviation: 23.1%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings (Show All):
• Execution Graph export aborted for target wget.exe, PID 6792 because there are no executed function
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-LDF2K.tmp\gimp-2.10.24-setup-3.tmp

Process: C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3033552
Entropy (8bit): 6.407861880146352
Encrypted: false
SSDEEP: 49152:ULJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvuP:AwSi0b67zeCzt0+yO3kSS
MD5: D3320A403E7C76282723D61B2C344F34
SHA1: A6796D0A1EDD833EFB1ABC76B1C8FA180D9660B5
SHA-256: 36F9ED64BAB50EF28F2E0C349EC4E0261BB34493CC4F8695C2963F1DBFFCC424
SHA-512: 3D813549CE50A141DD8C8B77711B03986C419391B2F149CFFE71FE6CB258A3ABB1530A5E047E34EA6CBF22B558F0B221A9AFE73437FEA1DBC15A981E155BB240
Malicious: true
Antivirus: Virustotal, Detection: 0%, Browse; ReversingLabs, Detection: 2%
Reputation: low
Preview: MZP...... @...... InUn...... !..L.!..This program must be run under Win32..$7...... PE..L...p.._...... $,...... P6,...... @,...@...... @...... @...... -...... `-.49....-...... -..K...... -...... i- ...... -...... text...P.+...... +...... `.itext..t(....,..*....+...... `.data...... @,...... (,...... @....bss.....x....,...... idata..49...`-..:....,...... @....didata...... -...... ,...... @....edata...... -...... -...... @[email protected]...... rdata..].....-...... -...... @[email protected]...... -...... -...... @..@...... -...... @. .@......

C:\Users\user\Desktop\cmdline.out

Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 389914
Entropy (8bit): 2.2337781115811888
Encrypted: false
SSDEEP: 1536:q0raJIhLv/Z9PKF0kyAjUwdpJ1s2FmFcRfiLf2wZwupQw2DJQzBkDtgnrnBz:rraivFQy
MD5: BA98BE18517F8E2B8D0BBD5F497B4237
SHA1: 94C70CE9E9C91B9CBF0583783E6D3C78F46BB3BA
SHA-256: 65B6EFCBCFC20A22B5CAE4A8BC224BE40E7A7673261BAD1D8E40080D4D61A790
SHA-512: D8E470A277A6719B9FE0553C736EC12A0B7C16F8242CDA73D106EB4FD98EDBADC36A727DFE6C6F5BC505A944D3F88E934953FFE8D5E7E0551599486B046B2C69
Malicious: false
Reputation: low
Preview: --2021-05-15 01:27:56-- https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe..Resolving download.gimp.org (download.gimp.org)... 8.43.85.16..Connecting to download.gimp.org (download.gimp.org)|8.43.85.16|:443... connected...WARNING: cannot verify download.gimp.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':.. Unable to locally verify the issuer's authority...HTTP request sent, awaiting response... 307 Temporary Redirect..Location: https://ftp.acc.umu.se/pub/gimp/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe [following]..--2021-05-15 01:27:57-- https://ftp.acc.umu.se/pub/gimp/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe..Resolving ftp.acc.umu.se (ftp.acc.umu.se)... 194.71.11.165, 194.71.11.173, 194.71.11.163..Connecting to ftp.acc.umu.se (ftp.acc.umu.se)|194.71.11.165|:443... connected...HTTP request sent, awaiting response... 302 Found..Location: https://laotzu.ftp.acc.umu.se/pub/gimp/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe [following]..--202

C:\Users\user\Desktop\download\.wget-hsts

Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 176
Entropy (8bit): 5.125804274884493
Encrypted: false
SSDEEP: 3:SY2FyFARLlbwFAM9CxnOLVFzDwIVhyyJxWQ5RdkA8dyZKWwVLKXCkUVXhkQMov:SYeRLlbA0noH9VhyyJQQ5oA8UZlwhKQR
MD5: 83EF7E15281B4E03A17E0DA84829B776
SHA1: FB3605FE5ADB5C452083426F1409E4E880059A9F
SHA-256: 19E4070ED369FA5BCD39943BC3A225E438DA98CE009AFA3416513072CDE13493
SHA-512: 7A551233B91220F8D7A83082D90DE5AC5361631AED2EBDCBD5CBE2DBB8A4F05E4EE42E06DC827CFCFFD9B4336842FF9BD9701B461B2F3A0FA60BA14B1F302EF5
Malicious: false
Reputation: low
Preview: # HSTS 1.0 Known Hosts database for GNU Wget...# Edit at your own risk...# ......download.gimp.org .0.0.1621067277.31536000..

C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe

Process: C:\Windows\SysWOW64\wget.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 253914240
Entropy (8bit): 7.9999218956189875
Encrypted: true
SSDEEP: 6291456:2SGUrNShGCiU9XMlJ1JpX+wvCBjBOUja0gNue5SccKP:2thMlJ17uwiBXjXgN15vP
MD5: 8CF9EE41CC3792E6F28011E4F58C442B
SHA1: 8537110E66406AAB41E5D813D06A6BE19E53B89C
SHA-256: 5E9EABE5739523A9FC347B4614D919418F3335E7AAB082A65F71705421E85E04
SHA-512: 07808653D098DA659B098E30B4F8C2D8A00FC5BF5A8489DA7A6835E4C2DA2DBC88AA4A7AB1D38108B49CCEDBEB02815D8E93598B224E5096F401E35A1B5AED35
Malicious: false
Antivirus: Virustotal, Detection: 0%, Browse; ReversingLabs, Detection: 0%
Reputation: low
Preview: MZP...... @...... !..L.!..This program must be run under Win32..$7...... PE..L...n.._...... P...... ^...... p....@...... #...@...... @...... @...... 6....p...H...... "..K...... `...... "..D....0...... text....6...... 8...... `.itext...... P...... <...... `.data....7...p...8...T...... @....bss.....m...... idata..6...... @....didata...... 0...... @....edata...... @...... @[email protected]...... P...... rdata..]....`...... @[email protected]...... @..@...... @..@......

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe
• conhost.exe
• wget.exe
• gimp-2.10.24-setup-3.exe
• gimp-2.10.24-setup-3.tmp


System Behavior

Analysis Process: cmd.exe PID: 6708 Parent PID: 4368

General

Start time: 01:27:54
Start date: 15/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe' > cmdline.out 2>&1
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user\Desktop\cmdline.out
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 2AD194
Symbol: CreateFileW

Analysis Process: conhost.exe PID: 6744 Parent PID: 6708

General

Start time: 01:27:54
Start date: 15/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: wget.exe PID: 6792 Parent PID: 6708

General

Start time: 01:27:56
Start date: 15/05/2021
Path: C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit): true
Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.24-setup-3.exe'
Imagebase: 0x400000
File size: 3895184 bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 46596C
Symbol: fopen

Source File Path: C:\Users\user\Desktop\download\.wget-hsts
Access: read attributes | synchronize | generic read | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 46596C
Symbol: fopen

File Written

Source File Path: C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe
Offset: unknown
Length: 8192
Value: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 (zero padding continues as shown in the report)
Ascii: MZP...... @..... !..L.!..This program must be run under Win32..$7
Completion: success or wait
Count: 30995
Address: 47F21C
Symbol: fwrite

Analysis Process: gimp-2.10.24-setup-3.exe PID: 5168 Parent PID: 5968

General

Start time: 01:30:58
Start date: 15/05/2021
Path: C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe'
Imagebase: 0x400000
File size: 253914240 bytes
MD5 hash: 8CF9EE41CC3792E6F28011E4F58C442B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches: Detection: 0%, Virustotal, Browse; Detection: 0%, ReversingLabs
Reputation: low

Analysis Process: gimp-2.10.24-setup-3.tmp PID: 5776 Parent PID: 5168

General

Start time: 01:31:00
Start date: 15/05/2021
Path: C:\Users\user\AppData\Local\Temp\is-LDF2K.tmp\gimp-2.10.24-setup-3.tmp
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\is-LDF2K.tmp\gimp-2.10.24-setup-3.tmp' /SL5='$A0134,252290745,780800,C:\Users\user\Desktop\download\gimp-2.10.24-setup-3.exe'
Imagebase: 0x400000
File size: 3033552 bytes
MD5 hash: D3320A403E7C76282723D61B2C344F34
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches: Detection: 0%, Virustotal, Browse; Detection: 2%, ReversingLabs
Reputation: low

Disassembly

Code Analysis
