ID: 289827
Sample Name: 2ZDE363WCL.exe
Cookbook: default.jbs
Time: 09:20:15
Date: 25/09/2020
Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report 2ZDE363WCL.exe 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
    Analysis Advice 4
    Startup 4
    Malware Configuration 4
    Yara Overview 4
    Sigma Overview 5
    Signature Overview 5
    Mitre Att&ck Matrix 5
    Behavior Graph 5
    Screenshots 6
      Thumbnails 6
    Antivirus, Machine Learning and Genetic Malware Detection 7
      Initial Sample 7
      Dropped Files 7
      Unpacked PE Files 7
      Domains 7
      URLs 7
    Domains and IPs 8
      Contacted Domains 8
      URLs from Memory and Binaries 8
      Contacted IPs 9
        Public 9
        Private 9
    General Information 9
    Simulations 10
      Behavior and 11
    Joe Sandbox View / Context 11
      IPs 11
      Domains 11
      ASN 11
      JA3 Fingerprints 11
      Dropped Files 11
    Created / dropped Files 11
    Static File Info 13
      General 13
      File Icon 14
      Static PE Info 14
        General 14
        Authenticode Signature 14
        Entrypoint Preview 14
        Rich Headers 15
        Data Directories 15
        Sections 16
        Resources 16
        Imports 16
        Version Infos 17
        Possible Origin 17
    Network Behavior 18
      UDP Packets 18
    Code Manipulations 19
    Statistics 19
      Behavior 19
    System Behavior 19
      Analysis Process: cmd.exe PID: 5808 Parent PID: 2288 19
        General 19
        File Activities 19
          File Created 19
      Analysis Process: conhost.exe PID: 6012 Parent PID: 5808 19
        General 20
      Analysis Process: sc.exe PID: 4988 Parent PID: 5808 20
        General 20
        File Activities 20
          File Written 20
      Analysis Process: cmd.exe PID: 1552 Parent PID: 2288 20
        General 20
        File Activities 20
          File Created 21
      Analysis Process: conhost.exe PID: 868 Parent PID: 1552 21
        General 21
      Analysis Process: sc.exe PID: 6564 Parent PID: 1552 21
        General 21
        File Activities 21
          File Written 21
      Analysis Process: 2ZDE363WCL.exe PID: 5164 Parent PID: 580 22
        General 22
        File Activities 22
          File Created 22
          File Written 23
        Registry Activities 27
          Key Created 27
      Analysis Process: svchost.exe PID: 6636 Parent PID: 580 27
        General 27
        File Activities 28
      Analysis Process: svchost.exe PID: 6688 Parent PID: 580 28
        General 28
        File Activities 28
      Analysis Process: svchost.exe PID: 5612 Parent PID: 580 28
        General 28
        File Activities 28
        Registry Activities 28
      Analysis Process: svchost.exe PID: 7144 Parent PID: 580 29
        General 29
        File Activities 29
        Registry Activities 29
    Disassembly 29
      Code Analysis 29

Copyright null 2020 Page 2 of 29

Analysis Report 2ZDE363WCL.exe

Overview

General Information

Sample Name: 2ZDE363WCL.exe
Analysis ID: 289827
MD5: ee4acb8d8c93c0…
SHA1: ee9172e7dc2607…
SHA256: d4fc20ff226a089…
Most interesting Screenshot: (image not reproduced)

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a d…
Contains functionality to read the PEB
Creates a process in suspended mo…
Creates files inside the system direc…
May sleep (evasive loops) to hinder …
PE file contains strange resources
Queries disk information (often used…
Queries the volume information (name…
Sample execution stops while process…
Sample file is different than original …
Stores large binary data to the regist…
Uses code obfuscation techniques (…

Classification

Classification chart (image not reproduced). Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.

Analysis Advice

Initial sample is implementing a service and should be registered / started as service

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Startup

System is w10x64

cmd.exe (PID: 5808 cmdline: cmd /c sc create qkOxK binpath= 'C:\Users\user\Desktop\2ZDE363WCL.exe' >> C:\servicereg.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  sc.exe (PID: 4988 cmdline: sc create qkOxK binpath= 'C:\Users\user\Desktop\2ZDE363WCL.exe' MD5: 24A3E2603E63BCB9695A2935D3B24695)
cmd.exe (PID: 1552 cmdline: cmd /c sc start qkOxK >> C:\servicestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  sc.exe (PID: 6564 cmdline: sc start qkOxK MD5: 24A3E2603E63BCB9695A2935D3B24695)
2ZDE363WCL.exe (PID: 5164 cmdline: C:\Users\user\Desktop\2ZDE363WCL.exe MD5: EE4ACB8D8C93C0E3241DB17A59026141)
svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 5612 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 7144 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Cryptography
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection

There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter 2; Service Execution 1; At (Linux); At (Windows); Cron
Persistence: Windows Service 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Windows Service 1; Process Injection 1 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading 1; Modify Registry 1; Virtualization/Sandbox Evasion 2; Process Injection 1 1; Obfuscated Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account; NTDS; LSA Secrets
Discovery: System Time Discovery 1; Security Software Discovery 2 1; Virtualization/Sandbox Evasion 2; System Information Discovery 2 2; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

Behavior graph (image not reproduced).

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph info: ID: 289827, Sample: 2ZDE363WCL.exe, Startdate: 25/09/2020, Architecture: WINDOWS, Score: 4

Graph nodes: cmd.exe, cmd.exe, 2ZDE363WCL.exe, 4 other processes; each cmd.exe started conhost.exe and sc.exe; contacted IPs 127.0.0.1 and 192.168.2.1 (unknown).

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
2ZDE363WCL.exe | 0% | Virustotal | | Browse
2ZDE363WCL.exe | 2% | ReversingLabs | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.logitech.com0 | 0% | Avira URL Cloud | safe |
https://storeedgefd.dsx.mp.microsoft.c | 0% | URL Reputation | safe |
https://storeedgefd.dsx.mp.microsoft.c | 0% | URL Reputation | safe |
https://storeedgefd.dsx.mp.microsoft.c | 0% | URL Reputation | safe |
www.windowsphone.com/ | 0% | Virustotal | | Browse
www.windowsphone.com/ | 0% | URL Reputation | safe |
www.windowsphone.com/ | 0% | URL Reputation | safe |
www.windowsphone.com/ | 0% | URL Reputation | safe |
crl.microsoft. | 0% | Virustotal | | Browse
crl.microsoft. | 0% | URL Reputation | safe |
crl.microsoft. | 0% | URL Reputation | safe |
crl.microsoft. | 0% | URL Reputation | safe |
https://atalog.m | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.logitech.com0 | 2ZDE363WCL.exe | false | Avira URL Cloud: safe | unknown
www..com/ | svchost.exe, 0000000E.00000003.454307817.000001F064F62000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.476949926.000001F064913000.00000004.00000001.sdmp | false | | high
https://login.windows.net/common | svchost.exe, 0000000E.00000003.454422961.000001F0648C6000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.454361094.000001F0648A4000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.476790470.000001F064883000.00000004.00000001.sdmp | false | | high
www.hulu.com/privacy | svchost.exe, 0000000E.00000003.458881115.000001F065655000.00000004.00000001.sdmp | false | | high
www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 0000000E.00000003.460008683.000001F06564E000.00000004.00000001.sdmp | false | | high
https://www.hulu.com/do-not-sell-my-info | svchost.exe, 0000000E.00000003.458881115.000001F065655000.00000004.00000001.sdmp | false | | high
schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svchost.exe, 00000013.00000002.641081085.000001B3E16F0000.00000002.00000001.sdmp | false | | high
updates.logitech.com | 2ZDE363WCL.exe | false | | high
https://storeedgefd.dsx.mp.microsoft.c | svchost.exe, 0000000E.00000003.454336104.000001F064F61000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
www.hulu.com/terms | svchost.exe, 0000000E.00000003.458881115.000001F065655000.00000004.00000001.sdmp | false | | high
https://live.xbox.com/purchase/xbox/ | svchost.exe, 0000000E.00000003.454307817.000001F064F62000.00000004.00000001.sdmp | false | | high
https://instagram.com/hiddencity_ | svchost.exe, 0000000E.00000003.460008683.000001F06564E000.00000004.00000001.sdmp | false | | high
www.windowsphone.com/ | svchost.exe, 0000000E.00000003.454307817.000001F064F62000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.476949926.000001F064913000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
www.g5e.com/termsofservice | svchost.exe, 0000000E.00000003.460008683.000001F06564E000.00000004.00000001.sdmp | false | | high
updates.logitech.com/logitech/vc/fw/meetup/latest/any/versions.bin.sig/logitech/vc/fw/bolide/ | 2ZDE363WCL.exe | false | | high
schemas.xmlsoap.org/ws/2004/0 | svchost.exe, 00000013.00000002.637895982.000001B3DBEAE000.00000004.00000001.sdmp | false | | high
https://profile.xboxlive.com/users/batch/profile/settings | svchost.exe, 0000000E.00000003.454307817.000001F064F62000.00000004.00000001.sdmp | false | | high
crl.microsoft. | svchost.exe, 00000013.00000002.640465075.000001B3E1413000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | 2ZDE363WCL.exe | false | | high
https://www.hulu.com/ca-privacy-rights | svchost.exe, 0000000E.00000003.458881115.000001F065655000.00000004.00000001.sdmp | false | | high
www.openssl.org/support/faq.html | 2ZDE363WCL.exe | false | | high
https://atalog.m | svchost.exe, 0000000E.00000003.463407509.000001F06564A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs


Public

IP | Country | Flag | ASN | ASN Name | Malicious
(no public IPs listed)

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 289827
Start date: 25.09.2020
Start time: 09:20:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 2ZDE363WCL.exe
Cookbook file name: default.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run as
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winEXE@13/9@0/2
EGA Information: Successful, ratio: 100%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, UsoClient.exe
  Excluded IPs from analysis (whitelisted): 52.158.208.111, 52.184.221.185, 51.104.139.180, 20.190.3.175, 13.68.93.109, 20.54.26.129, 52.155.217.156, 80.239.148.26, 80.239.152.138, 51.105.249.239, 80.239.152.136, 80.239.148.32, 92.122.144.200
  Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, am3p.wns.notify.windows.com.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatal