Automated Malware Analysis Report For https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe

ID: 396312
Cookbook: urldownload.jbs
Time: 09:53:02
Date: 23/04/2021
Version: 31.0.0 Emerald

Analysis Report https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe

Overview

General Information
Sample URL: https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe
Analysis ID: 396312

Detection
Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
Detected potential crypto function
Uses code obfuscation techniques (…

Classification
[Classification chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean]

Startup
System is w10x64
cmd.exe (PID: 3580, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 5908, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  wget.exe (PID: 5992, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
  • Compliance
  • Networking
  • System Summary
  • Data Obfuscation
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Language, Device and Operating System Detection
There are no malicious signatures.

Copyright Joe Security LLC 2021
Mitre Att&ck Matrix
Techniques marked in the matrix for this analysis (the numbers are the report's signature markers; every other cell is the matrix's unmatched template entry):
  Privilege Escalation: Process Injection 1
  Defense Evasion: Process Injection 1, Masquerading 1, Obfuscated Files or Information 1
  Discovery: Security Software Discovery 1, System Information Discovery 2, Remote System Discovery 1
  Command and Control: Encrypted Channel 1 2, Application Layer Protocol 2
No technique is marked under Initial Access, Execution, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.

Behavior Graph
[Behavior graph, Process ID 396312, start date 23/04/2021, architecture WINDOWS, score 1: cmd.exe started wget.exe and conhost.exe; wget.exe contacted us.softpedia-secure-download.com (5.35.211.214, port 443, local port 49708, ASN GTSCEGTSCentralEuropeAntelGermanyCZ, Romania). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet]

Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
[screenshot thumbnails]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe | 0% | Avira URL Cloud | safe

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches

Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us.softpedia-secure-download.com | 5.35.211.214 | true | false | | high

URLs from Memory and Binaries
Name: https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/driv
Source: wget.exe, 00000002.00000002.211734455.0000000000CF0000.00000004.00000020.sdmp, cmdline.out.2.dr
Malicious: false
Reputation: high

Contacted IPs
[IP distribution chart]

Public
IP | Domain | Country | ASN | ASN Name | Malicious
5.35.211.214 | us.softpedia-secure-download.com | Romania | 5588 | GTSCEGTSCentralEuropeAntelGermanyCZ | false

General Information
Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 396312
Start date: 23.04.2021
Start time: 09:53:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 42s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.win@4/2@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Unable to download file
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe
  • Excluded IPs from analysis (whitelisted): 13.88.21.125
  • Excluded domains from analysis (whitelisted): blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net
  • Execution Graph export aborted for target wget.exe, PID 5992 because there are no executed functions
  • Report size getting too big, too many NtQueryValueKey calls found.
Simulations
Behavior and APIs: No simulations

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Created / dropped Files
C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 452
Entropy (8bit): 5.163493341404146
Encrypted: false
SSDEEP: 12:H9WFI7cmK+0cc5amKghmKliymKghmKJ5W3QT1De5RhZX9WFaKbb:SIwJ+S5aJghJgyJghJK36xePzXyaq
MD5: 15C693F318C5B2053006DE68388DE109
SHA1: 9096FFD56714CC19208E63CDA3D289E14411D336
SHA-256: ABF102549A85E7B171116ABCF584626C6AE93F1804DCD7BF7FC9E5199C814B48
SHA-512: 8E56D0A2E312CD3E5C426892DC96CF664A931552ECBE6C33B39B09FCA338780308FB2C0BE50AD18B5E5C744D57A2B21C972A56B8D665600959AEF992AAA3163C
Malicious: false
Reputation: low
Preview: --2021-04-23 09:53:55--
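The cookbook step in this report (cmd.exe running wget with -t 2, -T 60 and --no-check-certificate, output redirected into cmdline.out) never produced the sample: the only dropped file is cmdline.out, the cookbook comments say "Unable to download file", the stop reason is Timeout and no function of wget.exe executed. The score of 1 therefore describes the cmd/wget activity, not sp100907.exe. The Python below is an added example, not Joe Security's code: it recomputes the per-file facts the report lists for a dropped file (size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512; ssdeep is not in the standard library and is left out) and classifies a wget -v transcript of the kind that ends up in cmdline.out as saved, failed or incomplete. Both transcripts in the block are constructed for the example; the report preserves only the first line of the real cmdline.out. Because --no-check-certificate turns off TLS certificate verification, nothing in such a transcript attests the identity of the server that answered.

```python
"""Recompute Joe Sandbox style file facts and classify a wget -v transcript.

Added example, not Joe Security code.  The transcripts below are constructed;
only the first line of the real cmdline.out survives in the report preview.
"""
import hashlib
import math
import re
from collections import Counter


def file_facts(data: bytes) -> dict:
    """Size, 8-bit Shannon entropy (bits per byte, 0.0..8.0) and the digests
    the report's 'Created / dropped Files' entry lists, upper-case hex."""
    n = len(data)
    counts = Counter(data)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {
        "size": n,
        "entropy_8bit": entropy,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


# Line shapes wget -v prints.  _START is the shape of the report's preview line.
_START = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--(?:\s+(?:\(try:\s*\d+\)\s+)?(\S+))?")
_CONNECT = re.compile(r"^Connecting to .*\|([0-9a-fA-F.:]+)\|:(\d+)\.\.\. (\w+)")
_STATUS = re.compile(r"^HTTP request sent, awaiting response\.\.\. (\d{3})")
_SAVED = re.compile(r"- '(.+)' saved \[(\d+)(?:/(\d+))?\]")


def classify_wget_log(text: str) -> dict:
    """Walk a wget transcript and decide whether the fetch produced a file.

    outcome: 'saved' when a "saved [n/m]" line was seen, 'failed' when wget
    gave up or the server answered >= 400, otherwise 'incomplete' (the
    transcript stops early, as the report's one-line preview does)."""
    r = {"url": None, "ip": None, "port": None, "http_status": None,
         "saved_path": None, "saved_bytes": None, "attempts": 0,
         "outcome": "incomplete"}
    for line in text.splitlines():
        line = line.strip()
        if m := _START.match(line):
            r["attempts"] += 1
            r["url"] = m.group(1) or r["url"]
        elif m := _CONNECT.match(line):
            r["ip"], r["port"] = m.group(1), int(m.group(2))
        elif m := _STATUS.match(line):
            r["http_status"] = int(m.group(1))
            if r["http_status"] >= 400:
                r["outcome"] = "failed"
        elif m := _SAVED.search(line):
            r["saved_path"], r["saved_bytes"] = m.group(1), int(m.group(2))
            r["outcome"] = "saved"
        elif line == "Giving up.":
            r["outcome"] = "failed"
    return r


SAMPLE_URL = ("https://us.softpedia-secure-download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/"
              "60813f0d/300818793/drivers/keyboard/sp100907.exe")

# Constructed: a -t 2 -T 60 run that times out on both tries.
SAMPLE_TIMEOUT_LOG = f"""--2021-04-23 09:53:55--  {SAMPLE_URL}
Resolving us.softpedia-secure-download.com (us.softpedia-secure-download.com)... 5.35.211.214
Connecting to us.softpedia-secure-download.com (us.softpedia-secure-download.com)|5.35.211.214|:443... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Retrying.

--2021-04-23 09:54:56--  (try: 2)  {SAMPLE_URL}
Connecting to us.softpedia-secure-download.com (us.softpedia-secure-download.com)|5.35.211.214|:443... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Giving up.
"""

# Constructed: a fetch that completes, for contrast.
SAMPLE_SAVED_LOG = f"""--2021-04-23 09:53:55--  {SAMPLE_URL}
Resolving us.softpedia-secure-download.com (us.softpedia-secure-download.com)... 5.35.211.214
Connecting to us.softpedia-secure-download.com (us.softpedia-secure-download.com)|5.35.211.214|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1234 (1.2K) [application/octet-stream]
Saving to: 'C:/Users/user/Desktop/download/sp100907.exe'

2021-04-23 09:53:56 (1.2 MB/s) - 'C:/Users/user/Desktop/download/sp100907.exe' saved [1234/1234]
"""

if __name__ == "__main__":
    print(file_facts(SAMPLE_TIMEOUT_LOG.encode()))
    print(classify_wget_log(SAMPLE_TIMEOUT_LOG))
    print(classify_wget_log(SAMPLE_SAVED_LOG))
```

Run file_facts over a real cmdline.out to compare with the report's Size, Entropy (8bit) and digest fields; the "incomplete" outcome is what the report's truncated preview yields, and only a "saved" outcome means a file landed in the -P download directory.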