
DYNAMIC ANALYSIS REPORT #1191526
X-Ray Vision for Malware - www.vmray.com

Classifications:    Downloader, Spyware
Verdict:            MALICIOUS
Threat Names:       -
Verdict Reason:     -
Sample Type:        Windows Exe (x86-32)
Sample Name:        DFI_078_41_02_005.pdf.exe
ID:                 #392292
MD5:                401b898010200d87fa8b93e0bf20f45d
SHA1:               dd1621dfaaffc7ecf9e4b52215eda9bd7cfe1a3b
SHA256:             2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3
File Size:          463.80 KB
Report Created:     2021-04-21 20:23 (UTC+2)
Target Environment: win10_64_th2_en_mso2016 | exe

OVERVIEW

VMRay Threat Identifiers (18 rules, 46 matches)
Columns: Score | Category | Operation | Count | Classification

5/5  Data Collection | Tries to read cached credentials of various applications | 1 | Spyware
  • Tries to read sensitive data of: Kometa, Comodo Dragon, Elements Browser, Cyberfox, Opera, Mozilla Thunderbird, Epic Privacy Browser, BlackHawk, Torch, Chromium, Internet Explorer, CocCoc, Orbitum, Amigo, Google Chrome, Mozilla Firefox, Vivaldi, Uran, CentBrowser.

4/5  Masquerade | Uses a double file extension | 2 | -
  • File "c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe" has a double file extension.
  • File "c:\users\rdhj0cnfevzx\appdata\local\temp\dfi_078_41_02_005.pdf.exe" has a double file extension.

2/5  Data Collection | Reads sensitive browser data | 18 | -
  • (Process #2) dfi_078_41_02_005.pdf.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
  • (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data by file of each of these web browsers (one match per browser): Google Chrome, Chromium, Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Epic Privacy Browser, Vivaldi, CocCoc, Uran, CentBrowser, Elements Browser, Opera, Mozilla Firefox, Cyberfox, BlackHawk.

2/5  Data Collection | Reads sensitive mail data | 1 | -
  • (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

2/5  Anti Analysis | Tries to detect virtual machine | 1 | -
  • Multiple processes are possibly trying to detect a VM via rdtsc.

2/5  Heuristics | Signed executable failed signature validation | 1 | -
  • C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe is signed, but signature validation failed.

2/5  Injection | Writes into the memory of a process running from a created or modified executable | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe modifies memory of (process #2) dfi_078_41_02_005.pdf.exe.

2/5  Injection | Modifies control flow of a process running from a created or modified executable | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe alters context of (process #2) dfi_078_41_02_005.pdf.exe.

1/5  Privilege Escalation | Enables process privilege | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe enables process privilege "SeDebugPrivilege".

1/5  Persistence | Installs system startup script or application | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe adds "C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe" (quoted path) to Windows startup via registry.

1/5  Hide Tracks | Creates process with hidden window | 2 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe starts (process #2) dfi_078_41_02_005.pdf.exe with a hidden window.
  • (Process #2) dfi_078_41_02_005.pdf.exe starts (process #2) dfi_078_41_02_005.pdf.exe with a hidden window.

1/5  Discovery | Enumerates running processes | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe enumerates running processes.

1/5  Obfuscation | Reads from memory of another process | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe reads from (process #2) dfi_078_41_02_005.pdf.exe.

1/5  Obfuscation | Creates a page with write and execute permissions | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5  Discovery | Possibly does reconnaissance | 4 | -
  • (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "Mozilla Firefox" by file.
  • (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "Cyberfox" by file.
  • (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "blackHawk" by file.
  • (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "icecat" by file.

1/5  Obfuscation | Resolves API functions dynamically | 1 | -
  • (Process #2) dfi_078_41_02_005.pdf.exe resolves 74 API functions by name.

1/5  Execution | Executes itself | 1 | -
  • (Process #1) dfi_078_41_02_005.pdf.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe.

1/5  Network Connection | Downloads executable | 7 | Downloader
  • (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/6.jpg.
  • (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/1.jpg.
  • (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/2.jpg.
  • (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/3.jpg.
  • (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/4.jpg.
  • (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/5.jpg.
  • (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/7.jpg.

-    Trusted | Known clean file | 7 | -
  • File "C:\ProgramData\softokn3.dll" is a known clean file.
  • File "C:\ProgramData\sqlite3.dll" is a known clean file.
  • File "C:\ProgramData\freebl3.dll" is a known clean file.
  • File "C:\ProgramData\mozglue.dll" is a known clean file.
  • File "C:\ProgramData\msvcp140.dll" is a known clean file.
  • File "C:\ProgramData\nss3.dll" is a known clean file.
  • File "C:\ProgramData\vcruntime140.dll" is a known clean file.

Remarks

Auto Reboot Triggered (0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Reading the indicators together: Process #1 enables SeDebugPrivilege, launches a copy of the sample with a hidden window, allocates PAGE_EXECUTE_READWRITE memory in it, writes to it and alters its thread context, while every credential read and every download is attributed to Process #2. That pattern is a packed loader unpacking and injecting a payload into a copy of itself; Process #2 is the stealer. The files flagged as known clean in C:\ProgramData are the Mozilla NSS runtime (nss3.dll, softokn3.dll, freebl3.dll, mozglue.dll), sqlite3.dll and the MSVC runtime (msvcp140.dll, vcruntime140.dll); they are benign on their own, but a sample that drops them next to reads of Firefox, Cyberfox, BlackHawk and Thunderbird profile files is consistent with decrypting the saved logins of those profiles. The persistence binary notpad.exe is one letter short of notepad.exe. No AV or YARA match was recorded, so the MALICIOUS verdict rests on behaviour alone, and the run ended by timeout after four minutes: the seven files fetched from duiy.xyz under .jpg names are recorded as executables but this report shows nothing of what they do.
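The indicators above translate directly into host and proxy detection rules. The Python below is an added example, not part of the VMRay report, and runs four such rules over constructed Sysmon-style events modelled on the report: a double file extension (T1036), a Run-key value pointing into a user-writable directory (T1060), a copy of the sample launching itself, and a PE served under an image URL such as duiy.xyz/1.jpg (T1105, checked by magic bytes rather than by the URL's extension). The event schema, the field names, the HKCU/HKLM hives, and the response bodies are assumptions made for the example; the real 1.jpg was not available to it.

```python
"""Triage rules derived from the VMRay indicators above, run over constructed
Sysmon-style events.  Added example, not VMRay code: the event schema, field
names, the registry hives and every sample event are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "bmp"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Event:
    kind: str     # "process", "registry" or "http" (assumed schema)
    fields: dict


@dataclass
class Finding:
    category: str             # VTI category as the report names it
    technique: Optional[str]  # ATT&CK ID from the report's matrix, if it maps one
    detail: str
    evidence: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()


def has_double_extension(path: str) -> bool:
    """True for names such as DFI_078_41_02_005.pdf.exe: a document-looking
    extension directly in front of a real executable extension."""
    parts = basename(path).split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2].strip() in DOC_EXT


def looks_like_pe(body: bytes) -> bool:
    """A Windows executable starts with MZ and has PE\\0\\0 at the offset
    stored in e_lfanew (bytes 0x3C..0x3F), whatever the URL calls it."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        f = ev.fields
        if ev.kind == "process":
            image, parent = f["image"], f.get("parent_image", "")
            if has_double_extension(image):
                findings.append(Finding("Masquerade", "T1036", "double file extension", image))
            if parent and basename(parent) == basename(image):
                # The report lists this as "Executes itself" with no ATT&CK ID.
                findings.append(Finding("Execution", None, "executes a copy of itself", image))
        elif ev.kind == "registry":
            key, data = f["key"].lower(), f["data"].strip('"')
            if key.endswith("\\currentversion\\run") and in_user_writable_dir(data):
                findings.append(Finding("Persistence", "T1060",
                                        "Run key points into a user-writable directory", data))
        elif ev.kind == "http":
            url, body = f["url"], f["body"]
            ext = url.rsplit("?", 1)[0].rsplit(".", 1)[-1].lower()
            if ext in IMAGE_EXT and looks_like_pe(body):
                findings.append(Finding("Network Connection", "T1105",
                                        "PE served under an image URL", url))
    return findings


# Constructed events modelled on the report; hives and response bodies are assumed.
DESKTOP = r"C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe"
TEMP = r"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe"
# Minimal PE skeleton: MZ, e_lfanew = 0x40, PE\0\0 at 0x40.  Not the real payload.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 32
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 64

SAMPLE_EVENTS = [
    Event("process", {"image": DESKTOP, "parent_image": r"C:\Windows\explorer.exe"}),
    Event("process", {"image": TEMP, "parent_image": DESKTOP}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                       "data": r'"C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe"'}),
    Event("registry", {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                       "data": r"C:\Program Files\Vendor\agent.exe"}),
    Event("http", {"url": "http://duiy.xyz/1.jpg", "body": FAKE_PE}),
    Event("http", {"url": "http://example.com/logo.jpg", "body": FAKE_JPEG}),
    Event("process", {"image": r"C:\Windows\System32\notepad.exe",
                      "parent_image": r"C:\Windows\explorer.exe"}),
]


def run_sample() -> List[Finding]:
    """Five hits: two double extensions, the self-launch, the Run key, the fake JPEG."""
    return triage(SAMPLE_EVENTS)
```

The PE check deliberately ignores Content-Type and the URL's extension, because the report's downloads are all named .jpg; the benign logo.jpg and the vendor Run key are there to show the rules do not fire on ordinary activity. In production the same rules would read Sysmon event IDs 1, 13 and a proxy's response bodies instead of the constructed list.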
Mitre ATT&CK Matrix

Technique                                     Tactic(s)
#T1036  Masquerading                          Defense Evasion
#T1060  Registry Run Keys / Startup Folder    Persistence
#T1112  Modify Registry                       Defense Evasion
#T1143  Hidden Window                         Defense Evasion
#T1057  Process Discovery                     Discovery
#T1045  Software Packing                      Defense Evasion
#T1119  Automated Collection                  Collection
#T1003  Credential Dumping                    Credential Access
#T1005  Data from Local System                Collection
#T1081  Credentials in Files                  Credential Access
#T1083  File and Directory Discovery          Discovery
#T1497  Virtualization/Sandbox Evasion        Defense Evasion, Discovery
#T1124  System Time Discovery                 Discovery
#T1071  Standard Application Layer Protocol   Command and Control
#T1105  Remote File Copy                      Lateral Movement, Command and Control

(No technique was mapped to Initial Access, Execution, Privilege Escalation, Exfiltration or Impact.)

Sample Information

ID:           1191526
MD5:          401b898010200d87fa8b93e0bf20f45d
SHA1:         dd1621dfaaffc7ecf9e4b52215eda9bd7cfe1a3b
SHA256:       2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3
SSDeep:       6144:Zz3df/UYtfUeAIQHuA36cdrNSvsdssKDJXJ6a/2aKE4VCQMCS:f/JeeAItC66Jtg1Iajg/
ImpHash:      f34d5f2d4577ed6d9ceec516c1f5a744
Filename:     DFI_078_41_02_005.pdf.exe
File Size:    463.80 KB
Sample Type:  Windows Exe (x86-32)
Has Macros:

Analysis Information

Creation Time:                 2021-04-21 20:23 (UTC+2)
Analysis Duration:             00:04:00
Termination Reason:            Timeout
Number of Monitored Processes: 4
Execution Successful:          False
Reputation Analysis:           Enabled
WHOIS:                         Enabled
Built-in AV:                   Enabled
Built-in AV Applied On:        Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches:          0
YARA:                          Enabled
YARA Applied On:               Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches:        0