ID: 459764
Sample Name: SUPERANTISPYWARE.EXE
Cookbook: default.jbs
Time: 14:53:19
Date: 05/08/2021
Version: 33.0.0 White Diamond

Table of Contents
  Table of Contents ... 2
  Windows Analysis Report SUPERANTISPYWARE.EXE ... 4
    Overview ... 4
      General Information 4, Detection 4, Signatures 4, Classification 4, Process Tree 4, Malware Configuration 4
      Yara Overview 4 (Memory Dumps 4), Sigma Overview 5
      Jbx Signature Overview 5 (Malware Analysis System Evasion 5, Lowering of HIPS / PFW / Operating System Security Settings 5, Stealing of Sensitive Information 5, Remote Access Functionality 5)
      Mitre Att&ck Matrix 5, Behavior Graph 6, Screenshots 6 (Thumbnails 6)
    Antivirus, Machine Learning and Genetic Malware Detection ... 7
      Initial Sample 7, Dropped Files 7, Unpacked PE Files 7, Domains 8, URLs 8
    Domains and IPs ... 8
      Contacted Domains 8, URLs from Memory and Binaries 8, Contacted IPs 8 (Public 8, Private 8)
    General Information ... 8
    Simulations ... 9
      Behavior and APIs 9
    Joe Sandbox View / Context ... 9
      IPs 9, Domains 10, ASN 10, JA3 Fingerprints 11, Dropped Files 11
    Created / dropped Files ... 11
    Static File Info ... 27
      General 28, File Icon 28
      Static PE Info 28 (General 28, Authenticode Signature 28, Entrypoint Preview 29, Rich Headers 29, Data Directories 29, Sections 29, Resources 29, Imports 29, Version Infos 29, Possible Origin 29)
    Network Behavior ... 29
    Code Manipulations ... 29
    Statistics ... 29
      Behavior 29
    System Behavior ... 29
      Analysis Process: SUPERANTISPYWARE.EXE PID: 5720 Parent PID: 5776 ... 29 (General 29; File Activities 30: File Created 30, File Deleted 30, File Written 30, File Read 30; Registry Activities 30: Key Created 30, Key Value Created 30)
      Analysis Process: svchost.exe PID: 6008 Parent PID: 568 ... 30 (General 30, File Activities 30, Registry Activities 30)
      Analysis Process: svchost.exe PID: 4972 Parent PID: 568 ... 30 (General 30, File Activities 31)
      Analysis Process: svchost.exe PID: 4316 Parent PID: 568 ... 31 (General 31, Registry Activities 31)
      Analysis Process: svchost.exe PID: 460 Parent PID: 568 ... 31 (General 31)
      Analysis Process: SgrmBroker.exe PID: 5400 Parent PID: 568 ... 31 (General 31)
      Analysis Process: svchost.exe PID: 5908 Parent PID: 568 ... 32 (General 32, Registry Activities 32)
      Analysis Process: svchost.exe PID: 5184 Parent PID: 568 ... 32 (General 32, File Activities 32)
      Analysis Process: MpCmdRun.exe PID: 4808 Parent PID: 5908 ... 32 (General 32; File Activities 33: File Written 33)
      Analysis Process: conhost.exe PID: 3528 Parent PID: 4808 ... 33 (General 33)
      Analysis Process: svchost.exe PID: 3868 Parent PID: 568 ... 33 (General 33, File Activities 33)
      Analysis Process: svchost.exe PID: 3528 Parent PID: 568 ... 33 (General 33, File Activities 34)
      Analysis Process: svchost.exe PID: 5508 Parent PID: 568 ... 34 (General 34, File Activities 34)
      Analysis Process: svchost.exe PID: 2484 Parent PID: 568 ... 34 (General 34, File Activities 34)
    Disassembly ... 34
      Code Analysis 34

Copyright Joe Security LLC 2021 Page 2 of 34

Windows Analysis Report SUPERANTISPYWARE.EXE

Overview

General Information
  Sample Name: SUPERANTISPYWARE.EXE
  Analysis ID: 459764
  MD5: a231ad52671062…
  SHA1: eae2fd396a44e66…
  SHA256: 34fbe5823ecb07d…
  Most interesting Screenshot

Detection
  Score: 42
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Signatures
  Yara detected AdWind RAT
  Changes security center settings (no…
  Tries to detect sandboxes and other…
  AV process strings found (often used…
  Abnormal high CPU Usage
  Checks if Antivirus/Antispyware/Fire…
  Checks if Antivirus/Antispyware/Fire…
  Creates files inside the system direc…
  Enables debug privileges
  IP address seen in connection with o…
  May sleep (evasive loops) to hinder…
  PE file contains an invalid checksum
  PE file contains strange resources
  Queries disk information (often used…
  Queries the volume information (nam…
  Sample execution stops while proce…
  Sample file is different than original…
  Tries to load missing DLLs

Classification
  Chart labels: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, AdWind, Spyware, Trojan / Bot, Adware
  Severity legend: malicious, suspicious, clean

Process Tree
  System is w10x64
  SUPERANTISPYWARE.EXE (PID: 5720 cmdline: 'C:\Users\user\Desktop\SUPERANTISPYWARE.EXE' MD5: A231AD526710623AF198F0328E648016)
  svchost.exe (PID: 6008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  svchost.exe (PID: 4972 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  svchost.exe (PID: 4316 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  svchost.exe (PID: 460 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  SgrmBroker.exe (PID: 5400 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  svchost.exe (PID: 5908 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    MpCmdRun.exe (PID: 4808 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  svchost.exe (PID: 5184 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  svchost.exe (PID: 3868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  svchost.exe (PID: 3528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  svchost.exe (PID: 5508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  svchost.exe (PID: 2484 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview

Memory Dumps
  Source: Process Memory Space: SUPERANTISPYWARE.EXE PID: 5720
  Rule: JoeSecurity_AdWind
  Description: Yara detected AdWind RAT
  Author: Joe Security
  Strings: (none listed)

Sigma Overview
  No Sigma rule has matched

Jbx Signature Overview
  Click to jump to signature section

  Malware Analysis System Evasion:
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

  Lowering of HIPS / PFW / Operating System Security Settings:
    Changes security center settings (notifications, updates, antivirus, firewall)

  Stealing of Sensitive Information:
    Yara detected AdWind RAT

  Remote Access Functionality:
    Yara detected AdWind RAT

Mitre Att&ck Matrix
  (Numbers after a technique are the count of matching signatures; rows are listed per tactic column. The last row is cut off in the source and is reproduced as found.)
  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External
  Execution: Windows Management Instrumentation 1; Command and Scripting Interpreter 2; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
  Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup
  Privilege Escalation: Process Injection 2; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup
  Defense Evasion: Masquerading 1 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 2; Process Injection 2; DLL Side-Loading 1; Steganography; Compile After
  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  Discovery: System Time Discovery 1; Security Software Discovery 1 3 1; Virtualization/Sandbox Evasion 2; Process Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information
  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows
  Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal
  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration
  Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly
  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue