Automated Malware Analysis Report for Silverlight X64.Exe

ID: 111943
Sample Name: Silverlight_x64.exe
Cookbook: default.jbs
Time: 14:43:52
Date: 21/02/2019
Version: 25.0.0 Tiger's Eye

Table of Contents

• Table of Contents, p. 2
• Analysis Report Silverlight_x64.exe, p. 5
  • Overview, p. 5: General Information 5; Detection 5; Confidence 6; Classification 6; Analysis Advice 7; Mitre Att&ck Matrix 7
  • Signature Overview, p. 8: Cryptography 8; Spreading 8; Software Vulnerabilities 8; Networking 8; Key, Mouse, Clipboard, Microphone and Screen Capturing 8; System Summary 8; Data Obfuscation 9; Persistence and Installation Behavior 9; Hooking and other Techniques for Hiding and Protection 9; Malware Analysis System Evasion 9; Anti Debugging 10; HIPS / PFW / Operating System Protection Evasion 10; Language, Device and Operating System Detection 10
  • Behavior Graph, p. 10
  • Simulations, p. 11: Behavior and APIs 11
  • Antivirus Detection, p. 11: Initial Sample 11; Dropped Files 11; Unpacked PE Files 12; Domains 12; URLs 12
  • Yara Overview, p. 12: Initial Sample 12; PCAP (Network Traffic) 12; Dropped Files 12; Memory Dumps 12; Unpacked PEs 12
  • Joe Sandbox View / Context, p. 12: IPs 12; Domains 12; ASN 12; JA3 Fingerprints 12; Dropped Files 12
  • Screenshots, p. 13: Thumbnails 13
  • Startup, p. 13
  • Created / dropped Files, p. 14
  • Domains and IPs, p. 19: Contacted Domains 19; URLs from Memory and Binaries 19; Contacted IPs 22
  • Static File Info, p. 22: General 22; File Icon 22; Static PE Info 22 (General 22; Authenticode Signature 22; Entrypoint Preview 23; Data Directories 24; Sections 24; Resources 24; Imports 25; Version Infos 25; Possible Origin 25)
  • Network Behavior, p. 25: TCP Packets 25; UDP Packets 26; DNS Queries 26; DNS Answers 26
  • Code Manipulations, p. 26
  • Statistics, p. 26: Behavior 26
  • System Behavior, p. 27 (one entry per analysed process):
    • Silverlight_x64.exe PID: 2952 Parent PID: 4924, p. 27 (General 27; File Activities 27: File Created 27, File Written 28, File Read 31)
    • install.exe PID: 4188 Parent PID: 2952, p. 31 (General 31; File Activities 32: File Created 32, File Deleted 32, File Written 32, File Read 39; Registry Activities 40: Key Created 40)
    • microsoft_defaults.exe PID: 776 Parent PID: 4188, p. 40 (General 40; File Activities 40: File Created 40, File Written 41)
    • MSI12C0.tmp PID: 2680 Parent PID: 4960, p. 43 (General 43)
    • MSI13CA.tmp PID: 2216 Parent PID: 4960, p. 43 (General 43)
    • msiexec.exe PID: 4732 Parent PID: 4960, p. 44 (General 44; Registry Activities 44)
    • msiexec.exe PID: 4676 Parent PID: 4960, p. 44 (General 44; File Activities 44; Registry Activities 44)
    • rundll32.exe PID: 1920 Parent PID: 4188, p. 44 (General 44; File Activities 45: File Read 45)
    • rundll32.exe PID: 1488 Parent PID: 1920, p. 45 (General 45; Registry Activities 45)
    • rundll32.exe PID: 2244 Parent PID: 4188, p. 45 (General 45; File Activities 46: File Read 46)
    • rundll32.exe PID: 5108 Parent PID: 2244, p. 46 (General 46)
    • coregen.exe PID: 3896 Parent PID: 4188, p. 46 (General 46; File Activities 46: File Created 46, File Written 46)
    • conhost.exe PID: 2728 Parent PID: 3896, p. 67 (General 67)
    • Silverlight.Configuration.exe PID: 3492 Parent PID: 4188, p. 68 (General 68)
    • coregen.exe PID: 5020 Parent PID: 4188, p. 68 (General 68)
    • conhost.exe PID: 3508 Parent PID: 5020, p. 68 (General 68)
    • coregen.exe PID: 4176 Parent PID: 4188, p. 68 (General 68)
    • conhost.exe PID: 4412 Parent PID: 4176, p. 69 (General 69)
    • coregen.exe PID: 4316 Parent PID: 4188, p. 69 (General 69)
    • conhost.exe PID: 4736 Parent PID: 4316, p. 69 (General 69)
    • coregen.exe PID: 3984 Parent PID: 4188, p. 69 (General 70)
    • conhost.exe PID: 5048 Parent PID: 3984, p. 70 (General 70)
    • coregen.exe PID: 1688 Parent PID: 4188, p. 70 (General 70)
    • conhost.exe PID: 1504 Parent PID: 1688, p. 70 (General 70)
    • coregen.exe PID: 2536 Parent PID: 4188, p. 71 (General 71)
    • conhost.exe PID: 4676 Parent PID: 2536, p. 71 (General 71)
    • coregen.exe PID: 4996 Parent PID: 4188, p. 71 (General 71)
    • conhost.exe PID: 4512 Parent PID: 4996, p. 72 (General 72)
    • coregen.exe PID: 5112 Parent PID: 4188, p. 72 (General 72)
    • conhost.exe PID: 4644 Parent PID: 5112, p. 72 (General 72)
    • coregen.exe PID: 2252 Parent PID: 4188, p. 72 (General 72)
    • conhost.exe PID: 1924 Parent PID: 2252, p. 73 (General 73)
    • coregen.exe PID: 4696 Parent PID: 4188, p. 73 (General 73)
    • conhost.exe PID: 4804 Parent PID: 4696, p. 73 (General 73)
    • coregen.exe PID: 4916 Parent PID: 4188, p. 73 (General 74)
  • Disassembly, p. 74: Code Analysis 74

Copyright Joe Security LLC 2019 (page footer of the original, 74 pages)

Analysis Report Silverlight_x64.exe

Overview

General Information
Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 111943
Start date: 21.02.2019
Start time: 14:43:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Silverlight_x64.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus24.evad.winEXE@60/36@1/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 86.1% (good quality ratio 73.1%)
Quality average: 67.3%
Quality standard deviation: 35.6%
HCA Information: Successful, ratio: 99%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe

Detection
Strategy: Threshold; Score: 24; Range: 0 - 100; Reporting: Report FP / FN; Whitelisted: false

Confidence
Strategy: Threshold; Score: 2; Range: 0 - 5; Further Analysis Required?: true

Classification
[Classification chart of the original report: axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean]

Analysis Advice
• Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
• Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
• Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix (techniques listed per tactic column, in the order of the original matrix rows; trailing numbers are the report's signature counts for that technique)
Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Disabling Security Tools 1; Process Injection 1 1; Obfuscated Files or Information 2; Obfuscated Files or Information
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files
Discovery: Process Discovery 1; Security Software Discovery 5; System Information Discovery 2 3; Remote System Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Multiband Communication

Signature Overview
• Cryptography
• Spreading
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware
