MALICIOUS Threat Names: Gen:Application.Heur.Yq0@Kibvd8eo

DYNAMIC ANALYSIS REPORT #928218

Verdict: MALICIOUS
Classifications: PUA, Spyware
Threat Names: App/Generic-JJ, Gen:Variant.Razy.680050, Gen:Variant.Agentus.62, Gen:Application.Heur.yq0@kibVd8eO
Verdict Reason: -

Sample Type: Windows Exe (x86-32)
Sample Name: Project_Genocide_V5.1.1-.exe
ID: #303998
MD5: 2f0909140e6006b3682bf2de804021e9
SHA1: eb9a6c6152d25c53a7a6098280e1be2dcc7146c7
SHA256: 129fd5ce9840c318148335527b70b1a6b8df1e1c0005f24d06b28130df7ed056
File Size: 13847.00 KB
Report Created: 2021-03-23 13:29 (UTC+1)
Target Environment: win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com

OVERVIEW

VMRay Threat Identifiers (22 rules, 53 matches)

Score | Category | Operation | Count | Classification

5/5 | Data Collection | Tries to read cached credentials of various applications | 1 | Spyware
  • Tries to read sensitive data of: Opera, Mozilla Firefox, Internet Explorer, Yandex Browser, Vivaldi, SeaMonkey, Internet Explorer / Edge, Safari.

4/5 | Antivirus | Malicious content was detected by heuristic scan | 2 | -
  • Built-in AV detected the sample itself as "Gen:Variant.Razy.680050".
  • Built-in AV detected the dropped file C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe as "Gen:Variant.Agentus.62".

2/5 | Data Collection | Reads sensitive browser data | 8 | -
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
  • (Process #13) webbrowserpassview.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Yandex Browser" by file.
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Vivaldi" by file.
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Safari" by file.
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Opera" by file.

2/5 | Data Collection | Reads sensitive application data | 1 | -
  • (Process #13) webbrowserpassview.exe tries to read sensitive data of application "SeaMonkey" by file.

2/5 | Discovery | Executes WMI query | 3 | -
  • (Process #32) wmic.exe executes WMI query: SELECT Size FROM Win32_DiskDrive.
  • (Process #35) wmic.exe executes WMI query: SELECT SerialNumber FROM Win32_BIOS.
  • (Process #36) wmic.exe executes WMI query: SELECT Name FROM WIN32_PROCESSOR.

2/5 | Discovery | Collects hardware properties | 2 | -
  • (Process #32) wmic.exe queries hardware properties via WMI.
  • (Process #36) wmic.exe queries hardware properties via WMI.

2/5 | Discovery | Collects BIOS properties | 1 | -
  • (Process #35) wmic.exe queries BIOS properties via WMI.

2/5 | Network Connection | Sets up server that accepts incoming connections | 3 | -
  • (Process #11) curl.exe starts a TCP server listening on localhost port 49720.
  • (Process #12) curl.exe starts a TCP server listening on localhost port 49725.
  • (Process #37) curl.exe starts a TCP server listening on localhost port 49720.

2/5 | Reputation | Known suspicious file | 1 | PUA
  • Reputation analysis labels file "C:\temp\WebBrowserPassView.exe" as "App/Generic-JJ".

2/5 | Antivirus | Suspicious content was detected by heuristic scan | 1 | -
  • Built-in AV detected the dropped file C:\temp\WebBrowserPassView.exe as "Gen:Application.Heur.yq0@kibVd8eO".

2/5 | YARA | Suspicious content matched by YARA rules | 1 | -
  • Rule "PowerShell_Registry_Commands" from ruleset "Generic" has matched on the dropped file "C:\temp\finalres.vbs".

1/5 | Privilege Escalation | Enables process privilege | 4 | -
  • (Process #2) khaaksqr.exe enables process privilege "SeDebugPrivilege".
  • (Process #32) wmic.exe enables process privilege "SeDebugPrivilege".
  • (Process #35) wmic.exe enables process privilege "SeDebugPrivilege".
  • (Process #36) wmic.exe enables process privilege "SeDebugPrivilege".

1/5 | Discovery | Reads system data | 1 | Spyware
  • (Process #7) wscript.exe reads Windows license key from registry.

1/5 | Hide Tracks | Creates process with hidden window | 1 | -
  • (Process #8) wscript.exe starts (process #8) wscript.exe with a hidden window.

1/5 | Discovery | Enumerates running processes | 1 | -
  • (Process #13) webbrowserpassview.exe enumerates running processes.

1/5 | Discovery | Possibly does reconnaissance | 2 | -
  • (Process #13) webbrowserpassview.exe tries to gather information about application "Mozilla Firefox" by file.
  • (Process #13) webbrowserpassview.exe tries to gather information about application "SeaMonkey" by file.

1/5 | Network Connection | Performs DNS request | 6 | -
  • (Process #2) khaaksqr.exe resolves host name "cdn.discordapp.com" to IP "162.159.130.233".
  • (Process #2) khaaksqr.exe resolves host name "raw.githubusercontent.com" to IP "185.199.109.133".
  • (Process #2) khaaksqr.exe resolves host name "github.com" to IP "140.82.121.4".
  • (Process #11) curl.exe resolves host name "discordapp.com" to IP "162.159.130.233".
  • (Process #12) curl.exe resolves host name "myexternalip.com" to IP "216.239.34.21".
  • (Process #37) curl.exe resolves host name "discordapp.com" to IP "162.159.130.233".

1/5 | Network Connection | Connects to remote host | 6 | -
  • (Process #2) khaaksqr.exe opens an outgoing TCP connection to host "185.199.109.133:443".
  • (Process #2) khaaksqr.exe opens an outgoing TCP connection to host "162.159.130.233:443".
  • (Process #2) khaaksqr.exe opens an outgoing TCP connection to host "140.82.121.4:443".
  • (Process #11) curl.exe opens an outgoing TCP connection to host "162.159.130.233:443".
  • (Process #12) curl.exe opens an outgoing TCP connection to host "216.239.34.21:443".
  • (Process #37) curl.exe opens an outgoing TCP connection to host "162.159.130.233:443".

1/5 | Crash | A monitored process crashed | 1 | -
  • (Process #38) filed.exe crashed.

1/5 | Obfuscation | Resolves API functions dynamically | 1 | -
  • (Process #13) webbrowserpassview.exe resolves 38 API functions by name.

1/5 | Execution | Drops PE file | 3 | -
  • (Process #1) project_genocide_v5.1.1-.exe drops file "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe".
  • (Process #2) khaaksqr.exe drops file "C:\temp\WebBrowserPassView.exe".
  • (Process #2) khaaksqr.exe drops file "C:\temp\curl.exe".

1/5 | Execution | Executes dropped PE file | 3 | -
  • Executes dropped file "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe".
  • Executes dropped file "C:\temp\WebBrowserPassView.exe".
  • Executes dropped file "C:\temp\curl.exe".

- | Trusted | Known clean file | 2 | -
  • File "C:\temp\curl-ca-bundle.crt" is a known clean file.
  • File "C:/temp/RDhJ0CNFevzX_Passwords.txt" is a known clean file.

Mitre ATT&CK Matrix

Technique | Tactic

#T1082 System Information Discovery | Discovery
#T1012 Query Registry | Discovery
#T1143 Hidden Window | Defense Evasion
#T1119 Automated Collection | Collection
#T1081 Credentials in Files | Credential Access
#T1083 File and Directory Discovery | Discovery
#T1005 Data from Local System | Collection
#T1057 Process Discovery | Discovery
#T1214 Credentials in Registry | Credential Access
#T1217 Browser Bookmark Discovery | Discovery
#T1003 Credential Dumping | Credential Access
#T1047 Windows Management Instrumentation | Execution
#T1045 Software Packing | Defense Evasion

(No techniques were matched for the Initial Access, Persistence, Privilege Escalation, Lateral Movement, Command and Control, Exfiltration or Impact tactics.)

Sample Information

ID: 928218
MD5: 2f0909140e6006b3682bf2de804021e9
SHA1: eb9a6c6152d25c53a7a6098280e1be2dcc7146c7
SHA256: 129fd5ce9840c318148335527b70b1a6b8df1e1c0005f24d06b28130df7ed056
SSDeep: 393216:8wM8oimwZaeuQs+UbbjIMzXTTPBrX3aNl4C:8whTZNuQMs8TTB7KNl9
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
Filename: Project_Genocide_V5.1.1-.exe
File Size: 13847.00 KB
Sample Type: Windows Exe (x86-32)
Has Macros:

Analysis Information

Creation Time: 2021-03-23 13:29 (UTC+1)
Analysis Duration: 00:04:00
Termination Reason: Timeout
Number of Monitored Processes: 33
Execution Successful: False
Reputation Analysis: Enabled
WHOIS: Enabled
Built-in AV: Enabled
Built-in AV Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches: 3
YARA: Enabled
YARA Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches: 1

Screenshots: truncated.

NETWORK

General
  • 7.34 KB total sent
  • 2301.81 KB total received
  • 7 ports: 49737, 49739, 49720, 49722, 443, 49725, 49727
  • 6 contacted IP addresses
  • 2 URLs extracted
  • 0 files downloaded
  • 0 malicious hosts detected

DNS
  • 6 DNS requests for 5 domains
  • 1 nameservers contacted
  • 0 total requests returned errors

HTTP/S
  • 0 URLs contacted, 2 servers
  • 3 sessions, 2.98 KB sent, 2290.18 KB received

DNS Requests

Type | Hostname | Response Code | Resolved IPs | CNames | Verdict

A | cdn.discordapp.com | NoError | 162.159.130.233, 162.159.133.233, 162.159.135.233,
