ID: 340409 Cookbook: urldownload.jbs Time: 18:57:38 Date: 15/01/2021 Version: 31.0.0 Red Diamond
Table of Contents
Analysis Report http://\Device\HarddiskVolume2\Program Files (x86)\Google\Chrome\Application\chrome.exe  4
  Overview  4
    General Information  4
    Detection  4
    Signatures  4
    Classification  4
  Startup  4
  Malware Configuration  4
  Yara Overview  4
  Sigma Overview  4
  Signature Overview  4
  Mitre Att&ck Matrix  5
  Behavior Graph  5
  Screenshots  6
    Thumbnails  6
  Antivirus, Machine Learning and Genetic Malware Detection  7
    Initial Sample  7
    Dropped Files  7
    Unpacked PE Files  7
    Domains  7
    URLs  7
  Domains and IPs  7
    Contacted Domains  8
    Contacted IPs  8
  General Information  8
  Simulations  8
    Behavior and APIs  8
  Joe Sandbox View / Context  8
    IPs  9
    Domains  9
    ASN  9
    JA3 Fingerprints  9
    Dropped Files  9
  Created / dropped Files  9
  Static File Info  9
    No static file info  9
  Network Behavior  9
  Code Manipulations  9
  Statistics  9
  Behavior  10
    System Behavior  10
      Analysis Process: cmd.exe PID: 6516 Parent PID: 5056  10
        General  10
        File Activities  10
          File Created  10
      Analysis Process: conhost.exe PID: 6536 Parent PID: 6516  10
        General  10
      Analysis Process: wget.exe PID: 6604 Parent PID: 6516  11
        General  11
        File Activities  11
  Disassembly  11
    Code Analysis  11
Copyright null 2021 Page 2 of 11
Analysis Report http://\Device\HarddiskVolume2\Program Files (x86)\Google\Chrome\Application\chrome.exe
Overview
General Information
Sample URL: \Device\HarddiskVolume2\Program Files (x86)\Google\Chrome\Application\chrome.exe
Analysis ID: 340409
Most interesting Screenshot:
Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
No high impact signatures.
Classification
Classification chart (figure): axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale clean / suspicious / malicious.
Startup
System is w10x64
cmd.exe (PID: 6516, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 6536, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  wget.exe (PID: 6604, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://C:\Program Files (x86)\Google\Chrome\Application\chrome.exe', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
There are no malicious signatures.
Mitre Att&ck Matrix
Tactic: techniques (row 1; row 2)
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Process Injection 1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Security Software Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Behavior Graph
Behavior Graph (figure): ID: 340409; URL: http://\Device\HarddiskVolu...; Startdate: 15/01/2021; Architecture: WINDOWS; Score: 0. Nodes: cmd.exe started conhost.exe and wget.exe; wget.exe is linked to the Internet node.
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 340409
Start date: 15.01.2021
Start time: 18:57:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 47s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: \Device\HarddiskVolume2\Program Files (x86)\Google\Chrome\Application\chrome.exe
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@4/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Unable to download file
Warnings: Exclude process from analysis (whitelisted): svchost.exe
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 486
Entropy (8bit): 4.94288292367257
Encrypted: false
SSDEEP: 12:HFgR1MGz7X1gjpptZBbgjpptZBr5rgjpptZBc:llKFgj7Rbgj7RNgj7Rc
MD5: 6BDF7BF360E5E21B9BA6D2DF24E6EF42
SHA1: 72BA08164B3463820B790E5737FB0D0E516B6D34
SHA-256: 71E0158DEA659B57BEF00AA3016CBD5623722C7217E8AE3F216C4CD93B4A87A0
SHA-512: 2C4CD042F75AE5A4E50A4BA268F92CE36F14C6666ED883528513885B83FF6010E09ACDB7A8F2955E07D8F034C9DA0E27CAC47384F798D14C1A80501356648FA6
Malicious: false
Reputation: low
Preview: --2021-01-15 18:58:27-- http://%5Cdevice%5Charddiskvolume2%5Cprogram%20files%20(x86)%5Cgoogle%5Cchrome%5Capplication%5Cchrome.exe/..Resolving \\device\\harddiskvolume2\\program files (x86)\\google\\chrome\\application\\chrome.exe (\\device\\harddiskvolume2\\program files (x86)\\google\\chrome\\application\\chrome.exe)... failed: No such host is known. ...wget: unable to resolve host address '\\device\\harddiskvolume2\\program files (x86)\\google\\chrome\\application\\chrome.exe'..
Static File Info
No static file info
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• cmd.exe
• conhost.exe
• wget.exe
System Behavior
Analysis Process: cmd.exe PID: 6516 Parent PID: 5056
General
Start time: 18:58:26
Start date: 15/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' > cmdline.out 2>&1
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
File Created
File Path: C:\Users\user\Desktop\cmdline.out
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: BDD194
Symbol: CreateFileW
Analysis Process: conhost.exe PID: 6536 Parent PID: 6516
General
Start time: 18:58:26
Start date: 15/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Analysis Process: wget.exe PID: 6604 Parent PID: 6516
General
Start time: 18:58:27
Start date: 15/01/2021
Path: C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit): true
Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Imagebase: 0x400000
File size: 3895184 bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol (no rows)
Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol (no rows)
Disassembly
Code Analysis