ID: 284831
Sample Name: HitmanPro_x64.exe
Cookbook: default.jbs
Time: 12:18:18
Date: 13/09/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents 2
Analysis Report HitmanPro_x64.exe 4
  Overview 4 (General Information 4, Detection 4, Signatures 4, Classification 4)
  Analysis Advice 5
  Startup 5
  Malware Configuration 5
  Yara Overview 5 (Memory Dumps 5)
  Sigma Overview 6
  Signature Overview 6 (Persistence and Installation Behavior 6, Boot Survival 6, Hooking and other Techniques for Hiding and Protection 6)
  Mitre Att&ck Matrix 6
  Behavior Graph 7
  Screenshots 8 (Thumbnails 8)
  Antivirus, Machine Learning and Genetic Malware Detection 9 (Initial Sample 9, Dropped Files 9, Unpacked PE Files 9, Domains 9, URLs 9)
  Domains and IPs 10 (Contacted Domains 10, Contacted URLs 10, URLs from Memory and Binaries 10, Contacted IPs 11, Public 11)
  General Information 11
  Simulations 12 (Behavior and APIs 12)
  Joe Sandbox View / Context 13 (IPs 13, Domains 13, ASN 13, JA3 Fingerprints 13, Dropped Files 13)
  Created / dropped Files 13
  Static File Info 14 (General 14, File Icon 14)
  Static PE Info 14 (General 14, Authenticode Signature 14, Entrypoint Preview 15, Rich Headers 16, Data Directories 16, Sections 16, Resources 17, Imports 20, Version Infos 20, Possible Origin 21)
  Network Behavior 21 (Network Port Distribution 21, TCP Packets 21, UDP Packets 23, DNS Queries 23, DNS Answers 23, HTTP Request Dependency Graph 23, HTTP Packets 24)
  Code Manipulations 25
  Statistics 25
  System Behavior 25
    Analysis Process: HitmanPro_x64.exe PID: 6760 Parent PID: 5732 25 (General 25, File Activities 25, File Created 25, File Deleted 25, File Written 26, File Read 27, Registry Activities 27, Key Created 27, Key Value Created 27)
  Disassembly 27 (Code Analysis 27)

Copyright null 2020 Page 2 of 27

Analysis Report HitmanPro_x64.exe

Overview

General Information
Sample Name: HitmanPro_x64.exe
Analysis ID: 284831
MD5: aaa78858180664…
SHA1: 81e4f3285715f74…
SHA256: cb1e8b96648330…
Most interesting Screenshot: (image)

Detection
Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures
Contains functionality to infect the boot sector
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to call native f…
Contains functionality to check if a d…
Contains functionality to check if a d…
Contains functionality to check the p…
Contains functionality to communicate…
Contains functionality to enumerate …
Contains functionality to query locale…
Contains functionality which may be…
Detected potential crypto function
Found potential string decryption / a…
HTTP GET or POST without a user a…
May infect USB drives
May sleep (evasive loops) to hinder …
May use bcdedit to modify the Wind…
PE file contains an invalid checksum
PE file contains executable resource…
PE file contains strange resources
Sample file is different than original …
Tries to load missing DLLs
Yara signature match

Classification
(radar chart) Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.

Analysis Advice
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--").
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior.

Startup
System is w10x64
HitmanPro_x64.exe (PID: 6760 cmdline: 'C:\Users\user\Desktop\HitmanPro_x64.exe' MD5: AAA7885818066476AB337A1CBBD427D9)
cleanup

Malware Configuration
No configs have been found

Yara Overview

Memory Dumps
Source: 00000000.00000002.484922913.00007FF75024F000.00000002.00020000.sdmp
  Rule: SUSP_XORed_MSDOS_Stub_Message
  Description: Detects suspicious XORed MSDOS stub message
  Author: Florian Roth
  Strings: $xo1 matched at 0x74cc and 0xa2cc
Source: 00000000.00000000.204838234.00007FF75024F000.00000002.00020000.sdmp
  Rule: SUSP_XORed_MSDOS_Stub_Message
  Description: Detects suspicious XORed MSDOS stub message
  Author: Florian Roth
  Strings: $xo1 matched at 0x74cc and 0xa2cc

Sigma Overview
No Sigma rule has matched

Signature Overview
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Persistence and Installation Behavior:
Contains functionality to infect the boot sector

Boot Survival:
Contains functionality to infect the boot sector

Hooking and other Techniques for Hiding and Protection:
Hides that the sample has been downloaded from the Internet (zone.identifier)

Mitre Att&ck Matrix
(one line per tactic; numbers after a technique are the signature counts shown in the report)
Initial Access: Replication Through Removable Media 1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter 2; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Bootkit 1 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection 1 2; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion 1; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Hidden Files and Directories 1; Obfuscated Files or Information 1; Bootkit 1 1; DLL Side-Loading 1; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery 1; Security Software Discovery 4 1; Virtualization/Sandbox Evasion 1; Process Discovery 3; Peripheral Device Discovery 1; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 1 4
Lateral Movement: Replication Through Removable Media 1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 2; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols

Behavior Graph
(figure) ID: 284831; Sample: HitmanPro_x64.exe; Startdate: 13/09/2020; Architecture: WINDOWS; Score: 36