Automated Malware Analysis Report for Foldersize

ID: 358426
Sample Name: FolderSize-2.6-x86.msi
Cookbook: defaultwindowsofficecookbook.jbs
Time: 15:49:20
Date: 25/02/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents ............ 2
Analysis Report FolderSize-2.6-x86.msi ............ 5
  Overview ............ 5
    General Information ............ 5
    Detection ............ 5
    Signatures ............ 5
    Classification ............ 5
    Analysis Advice ............ 5
  Startup ............ 5
  Malware Configuration ............ 5
  Yara Overview ............ 5
  Sigma Overview ............ 6
  Signature Overview ............ 6
    Compliance ............ 6
  Mitre Att&ck Matrix ............ 6
  Behavior Graph ............ 7
  Screenshots ............ 7
    Thumbnails ............ 7
  Antivirus, Machine Learning and Genetic Malware Detection ............ 8
    Initial Sample ............ 8
    Dropped Files ............ 8
    Unpacked PE Files ............ 8
    Domains ............ 8
    URLs ............ 8
  Domains and IPs ............ 9
    Contacted Domains ............ 9
    URLs from Memory and Binaries ............ 9
    Contacted IPs ............ 10
  General Information ............ 10
  Simulations ............ 11
    Behavior and APIs ............ 11
  Joe Sandbox View / Context ............ 11
    IPs ............ 11
    Domains ............ 11
    ASN ............ 11
    JA3 Fingerprints ............ 11
    Dropped Files ............ 11
  Created / dropped Files ............ 11
  Static File Info ............ 12
    General ............ 12
    File Icon ............ 12
    Static OLE Info ............ 12
      General ............ 12
      OLE File "FolderSize-2.6-x86.msi" ............ 12
        Indicators ............ 12
        Summary ............ 12
        Streams (one entry per OLE stream, pages 13 to 21) ............ 13
  Network Behavior ............ 21
  Code Manipulations ............ 21
  Statistics ............ 21
    Behavior ............ 22
  System Behavior ............ 22
    Analysis Process: msiexec.exe PID: 944 Parent PID: 2916 ............ 22
      General ............ 22
      File Activities ............ 22
    Analysis Process: VSSVC.exe PID: 260 Parent PID: 428 ............ 22
      General ............ 22
      File Activities ............ 23
      Registry Activities ............ 23
    Analysis Process: svchost.exe PID: 2920 Parent PID: 428 ............ 23
      General ............ 23
    Analysis Process: svchost.exe PID: 2240 Parent PID: 428 ............ 23
      General ............ 23
    Analysis Process: FolderSizeSvc.exe PID: 2296 Parent PID: 428 ............ 23
      General ............ 24
    Analysis Process: FolderSize.exe PID: 2072 Parent PID: 908 ............ 24
      General ............ 24
      File Activities ............ 24
      Registry Activities ............ 24
        Key Value Created ............ 24
    Analysis Process: FolderSize.exe PID: 2360 Parent PID: 1388 ............ 24
      General ............ 24
  Disassembly ............ 25
    Code Analysis ............ 25

Copyright null 2021 Page 2 of 25

Analysis Report FolderSize-2.6-x86.msi

Overview

General Information
  Sample Name: FolderSize-2.6-x86.msi
  Analysis ID: 358426
  MD5: 12283f7c0b119d3…
  SHA1: f365b1ca8fb7e6c…
  SHA256: 8d01e67b69fde23…

Detection
  Score: 5
  Range: 0 - 100
  Whitelisted: false
  Confidence: 60%

Signatures
  Allocates memory within range whic…
  Checks for available system drives …
  Contains capabilities to detect virtua…
  Contains functionality to check if a d…
  Contains functionality to dynamically…
  Contains functionality to query CPU …
  Contains functionality to query CPU …
  Contains functionality to query locale…
  Contains functionality which may be …
  Creates or modifies windows services
  Detected potential crypto function
  Found evasive API chain (may stop…
  Found potential string decryption / a…
  May sleep (evasive loops) to hinder …
  Queries the volume information (name…
  Uses code obfuscation techniques (…

Classification
  [Classification radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean]

Analysis Advice
  Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
  Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--").

Startup
  System is w7x64
  msiexec.exe (PID: 944 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\FolderSize-2.6-x86.msi' MD5: AC2E7152124CEED36846BD1B6592A00F)
  VSSVC.exe (PID: 260 cmdline: C:\Windows\system32\vssvc.exe MD5: B60BA0BC31B0CB414593E169F6F21CC2)
  svchost.exe (PID: 2920 cmdline: C:\Windows\System32\svchost.exe -k swprv MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
