ID: 406830 Cookbook: browseurl.jbs Time: 09:36:59 Date: 07/05/2021 Version: 32.0.0 Black Diamond Table of Contents Table of Contents 2 Analysis Report https://hmk- my.sharepoint.com:443/:b:/g/personal/cdark3_hallmark_com/ESsoCnIn0KVAvpl8nR3eDlkBbuLERAJv3zcU0H7s6bMwEg? e=4%3ajV6tDZ&at=9 3 Overview 3 General Information 3 Detection 3 Signatures 3 Classification 3 Startup 3 Malware Configuration 3 Yara Overview 3 Dropped Files 3 Sigma Overview 3 Signature Overview 4 Phishing: 4 Mitre Att&ck Matrix 4 Behavior Graph 4 Screenshots 5 Thumbnails 5 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Domains and IPs 8 Contacted Domains 8 URLs from Memory and Binaries 9 Contacted IPs 15 Public 15 Private 15 General Information 15 Simulations 18 Behavior and APIs 18 Joe Sandbox View / Context 18 IPs 18 Domains 18 ASN 18 JA3 Fingerprints 18 Dropped Files 18 Created / dropped Files 18 Static File Info 52 No static file info 52 Network Behavior 52 Network Port Distribution 52 TCP Packets 52 UDP Packets 54 DNS Queries 57 DNS Answers 58 HTTPS Packets 59 Code Manipulations 60 Statistics 60 Behavior 60 System Behavior 61 Analysis Process: iexplore.exe PID: 4292 Parent PID: 792 61 General 61 File Activities 61 Registry Activities 61 Analysis Process: iexplore.exe PID: 5400 Parent PID: 4292 61 General 61 File Activities 61 Registry Activities 62 Analysis Process: dllhost.exe PID: 6600 Parent PID: 792 62 General 62 File Activities 62 Analysis Process: explorer.exe PID: 3440 Parent PID: 6600 62 General 62 File Activities 62 Analysis Process: iexplore.exe PID: 724 Parent PID: 4292 63 General 63 File Activities 63 Registry Activities 63 Disassembly 63 Code Analysis 63 Copyright Joe Security LLC 2021 Page 2 of 63 Analysis Report https://hmk-my.sharepoint.com:443/:b:/…g/personal/cdark3_hallmark_com/ESsoCnIn0KVAvpl8nR3eDlkBbuLERAJv3zcU0H7s6bMwEg?e=4%3ajV6tDZ&at=9 Overview General Information Detection Signatures Classification Sample URL: https://hmk-my.sharepoint. com:443/:b:/g/personal/cd YYaarrraa ddeettteeccttteedd HHtttmlllPPhhiiisshh1100 ark3_hallmark_com/ESso PYPhahiirissahh diiinneggt e ssciiitttee d dd eHetttteemcctlttPeedhd i (s((bbhaa1ss0eedd oonn iiim… Cn...llmark_com/ESsoCnIn 0KVAvpl8nR3eDlkBbuLER PPhhiiisshhiiinngg ssiiitttee ddeettteeccttteedd (((bbaasseedd oonn llilomogg… AJv3zcU0H7s6bMwEg?e= 4%3ajV6tDZ&at=9 HPHThTiMshLLi n bbgoo dsdyiyt e cc odonentttaeaiciinntses d llloo (wwb a nnsuuemdb boeenrrr loofffg … Ransomware Miner Spreading Analysis ID: 406830 HHTTMLL ttbtiiittotllleed ydd ocoeoesns t nanoionttt s m loaawtttcc hhn uUUmRRbLLer of mmaallliiiccciiioouusss Infos: malicious Evader Phishing MHToonMniiittLtoo rrtrsist l ecce edrrrotttaaeiiinsn nrrreeoggt iiimsstttrarryyt c kkhee yUyssR ///L vvaallluu… sssuusssppiiiccciiioouusss Moonniittoorrss cceerrttaaiinn rreeggiissttrryy kkeeyyss // vvaalluu… suspicious Most interesting Screenshot: cccllleeaann SMSuuobbnmitoiiitttr bsb uuctttetttoortnna iccnoo rnnetttagaiiinsntssr y jjja akvveaayssscc rr/ri iipvptatt clcuaallllll clean Exploiter Banker Submit button contains javascript call HTMLPhisher Spyware Trojan / Bot Adware Score: 56 Range: 0 - 100 Whitelisted: false Confidence: 100% Startup System is w10x64 iexplore.exe (PID: 4292 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596) iexplore.exe (PID: 5400 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4292 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) iexplore.exe (PID: 724 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4292 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) dllhost.exe (PID: 6600 cmdline: C:\Windows\system32\DllHost.exe /Processid:{49F171DD-B51A-40D3-9A6C-52D674CC729D} MD5: 2528137C6745C4EADD87817A1909677E) explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D) cleanup Malware Configuration No configs have been found Yara Overview Dropped Files Source Rule Description Author Strings C:\Users\user\AppData\Local\Microsoft\Windows\INet JoeSecurity_HtmlPhish_10 Yara detected Joe Security Cache\IE\OTUW0Q90\ESsoCnIn0KVAvpl8nR3eDl HtmlPhish_10 kBbuLERAJv3zcU0H7s6bMwEg[1].htm Sigma Overview No Sigma rule has matched Copyright Joe Security LLC 2021 Page 3 of 63 Signature Overview • Phishing • Compliance • Networking • System Summary • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • HIPS / PFW / Operating System Protection Evasion Click to jump to signature section Phishing: Yara detected HtmlPhish10 Phishing site detected (based on image similarity) Phishing site detected (based on logo template match) Mitre Att&ck Matrix Remote Initial Privilege Defense Credential Lateral Command Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Impact Valid Scripting 1 Path Process Masquerading 1 OS Query Remote Data from Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Interception Injection 2 Credential Registry 1 Services Local Over Other Channel 2 Insecure Track Device System Dumping System Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Process LSASS Security Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Injection 2 Memory Software Desktop Removable Over Application Redirect Phone Wipe Data Lockout Initialization Initialization Discovery 1 Protocol Media Bluetooth Layer Calls/SMS Without Scripts Scripts Protocol 1 Authorization Domain At (Linux) Logon Script Logon Scripting 1 Security Process SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) Script Account Discovery 1 Admin Shares Network Exfiltration Layer Track Device Device Device (Windows) Manager Shared Protocol 2 Location Cloud Data Drive Backups Local At Logon Script Logon Binary Padding NTDS File and Distributed Input Scheduled Protocol SIM Card Carrier Accounts (Windows) (Mac) Script Directory Component Capture Transfer Impersonation Swap Billing (Mac) Discovery 1 Object Model Fraud Behavior Graph Copyright Joe Security LLC 2021 Page 4 of 63 Hide Legend Legend: Behavior Graph Process ID: 406830 URL: https://hmk-my.sharepoint.c... Signature Startdate: 07/05/2021 Architecture: WINDOWS Created File Score: 56 DNS/IP Info Is Dropped hmk.sharepoint.com hmk-my.sharepoint.com 2 other IPs or domains Is Windows Process started started Number of created Registry Values Phishing site detected Number of created Files Phishing site detected Yara detected HtmlPhish10 (based on logo template (based on image similarity) match) Visual Basic Delphi iexplore.exe Jdllahovsta.exe .Net C# or VB.NET 5 84 C, C++ or other language Is malicious 192.168.2.1 unknown statics-wcus.onestore.ms 8 other IPs or domains started started Internet injected unknown iexplore.exe iexplore.exe explorer.exe 2 47 333 blob.bl6prdstr14a.store.core.windows.net cs1227.wpc.alphacdn.net spoprod-a.akamaihd.net hmk.sharepoint.com 3 other IPs or domains dropped 52.239.152.74, 443, 49800, 49801 192.229.221.185, 443, 49777, 49778 10 other IPs or domains MICROSOFT-CORP-MSN-AS-BLOCKUS EDGECASTUS United States United States ESsoCnIn0KVAvpl8nR...cU0H7s6bMwEg[1].htm, HTML Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2021 Page 5 of 63 Antivirus, Machine Learning and Genetic Malware Detection Initial Sample Source Detection Scanner Label Link https://hmk- 0% Virustotal Browse my.sharepoint.com:443/:b:/g/personal/cdark3_hallmark_com/ESsoCnIn0KVAvpl8nR3eDlkBbuLERAJv3z cU0H7s6bMwEg?e=4%3ajV6tDZ&at=9 https://hmk- 0% Avira URL Cloud safe my.sharepoint.com:443/:b:/g/personal/cdark3_hallmark_com/ESsoCnIn0KVAvpl8nR3eDlkBbuLERAJv3z cU0H7s6bMwEg?e=4%3ajV6tDZ&at=9 Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches URLs Copyright Joe Security LLC 2021 Page 6 of 63 Source Detection Scanner Label Link www.mercadolivre.com.br/ 0% URL Reputation safe www.mercadolivre.com.br/ 0% URL Reputation safe www.mercadolivre.com.br/ 0% URL Reputation safe www.mercadolivre.com.br/ 0% URL Reputation safe www.merlin.com.pl/favicon.ico 0% URL Reputation safe www.merlin.com.pl/favicon.ico 0% URL Reputation safe www.merlin.com.pl/favicon.ico 0% URL Reputation safe www.merlin.com.pl/favicon.ico 0% URL Reputation safe https://www.microsoftstore.com.cn/surface-pro-x-configurate 0% Avira URL Cloud safe www.dailymail.co.uk/ 0% URL Reputation safe www.dailymail.co.uk/ 0% URL Reputation safe www.dailymail.co.uk/ 0% URL Reputation safe www.dailymail.co.uk/ 0% URL Reputation safe https://assets.onestore.ms 0% URL Reputation safe https://assets.onestore.ms 0% URL Reputation safe https://assets.onestore.ms 0% URL Reputation safe https://assets.onestore.ms 0% URL Reputation safe https://www.microsoftstore.com.cn/surface/surface-pro-7 0% Avira URL Cloud safe www.galapagosdesign.com/DPlease 0% URL Reputation safe www.galapagosdesign.com/DPlease 0% URL Reputation safe www.galapagosdesign.com/DPlease 0% URL Reputation safe www.galapagosdesign.com/DPlease 0% URL Reputation safe busca.igbusca.com.br//app/static/images/favicon.ico 0% URL Reputation safe busca.igbusca.com.br//app/static/images/favicon.ico 0% URL Reputation safe busca.igbusca.com.br//app/static/images/favicon.ico 0% URL Reputation safe busca.igbusca.com.br//app/static/images/favicon.ico
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages63 Page
-
File Size-