
Analysis Report 47.txt .exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 123509
Start date: 15.04.2019
Start time: 22:06:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 48s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 47.txt .exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:
Detection: MAL
Classification: mal84.troj.evad.winEXE@2/4@0/1
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 98% (good quality ratio 74.7%)
  • Quality average: 58.1%
  • Quality standard deviation: 38.7%
HCA Information:
  • Successful, ratio: 58%
  • Number of executed functions: 25
  • Number of non-executed functions: 33
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe

Detection

Strategy | Score | Range | Whitelisted | Detection
Threshold | 84 | 0 - 100 | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior. (The only missing library recorded in this report is wow64log.dll, listed under "Tries to load missing DLLs".)



Mitre Att&ck Matrix

The report's matrix lists every technique column by column. A number following a technique is the report's own signature count for that technique (kept as extracted); techniques without a number are unmatched matrix placeholders.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading 3; Software Packing 1; Process Injection 1; Obfuscated Files or Information 11
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files
Discovery: Security Software Discovery 31; File and Directory Discovery 1; System Information Discovery 1; System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Uncommonly Used Port 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication

Signature Overview



AV Detection:

Antivirus and Machine Learning detection for dropped file
Source: C:\Windows\lsass.exe | Avira: Label: WORM/Mydoom.L.1
Antivirus and Machine Learning detection for sample
Source: 47.txt .exe | Avira: Label: WORM/Mydoom.L.1
Antivirus and Machine Learning detection for unpacked file
Source: 2.1.lsass.exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
Source: 2.2.lsass.exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
Source: 2.0.lsass.exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\47.txt .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\47.txt .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
Source: C:\Users\user\Desktop\47.txt .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\47.txt .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\47.txt .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\47.txt .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Note: these paths are the footprint of a recursive directory walk that does not skip reparse points. On Windows Vista and later, C:\Documents and Settings (to C:\Users), All Users (to C:\ProgramData) and ProgramData\Application Data (to C:\ProgramData itself) are compatibility junctions and symlinks kept for pre-Vista software; the last one points at its own parent, so a FindFirstFileA/FindNextFileA recursion re-enters Application Data\ at every level until the path becomes too long to open.
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\lsass.exe | Code function: 2_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose (2_2_00804D32)

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 15.236.162.112:1042
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 15.236.162.112 (three identical entries in the report)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 15.236.162.112
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: HP-INTERNET-AS-Hewlett-PackardCompanyUS
Contains functionality to download additional files from the internet
Source: C:\Windows\lsass.exe | Code function: 2_2_00807983 send,socket,connect,recv,htons,htons,htons,send,htons,recv,closesocket (2_2_00807983)
Found strings which match to known social media urls
Source: lsass.exe | String found in binary or memory: hotmail equals www.hotmail.com (Hotmail)
Source: lsass.exe | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Urls found in memory or binary data
Source: lsass.exe, 00000002.00000002.5094950043.000000000018E000.00000004.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: lsass.exe, 00000002.00000002.5094950043.000000000018E000.00000004.sdmp | String found in binary or memory: https://github.com/Microsoft/cpprestsdk.
Source: lsass.exe, 00000002.00000002.5094950043.000000000018E000.00000004.sdmp | String found in binary or memory: https://github.com/Microsoft/cpprestsdk/blob/master/license.txt)
Source: 47.txt .exe | String found in binary or memory: https://www.verivox.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 47.txt .exe, 00000000.00000002.5090341285.0000000000690000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\47.txt .exe | File created: C:\Windows\lsass.exe
Creates mutexes
Source: C:\Windows\lsass.exe | Mutant created: \Sessions\1\BaseNamedObjects\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\47.txt .exe | File deleted: C:\Windows\lsass.exe
PE file contains strange resources
Source: 47.txt .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lsass.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample reads its own file content
Source: C:\Users\user\Desktop\47.txt .exe | File read: C:\Users\user\Desktop\47.txt .exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\47.txt .exe | Section loaded: wow64log.dll
Source: C:\Windows\lsass.exe | Section loaded: wow64log.dll
Note: the WOW64 layer attempts to load wow64log.dll for every 32-bit process, and no retail Windows build ships that DLL, so this entry appears for any 32-bit sample and is not by itself evidence of a missing dependency or of evasion.
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: 47.txt .exe | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Source: lsass.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Classification label
Source: classification engine | Classification label: mal84.troj.evad.winEXE@2/4@0/1
Creates temporary files
Source: C:\Users\user\Desktop\47.txt .exe | File created: C:\Users\user\AppData\Local\Temp\fakfohvmwn.txt
Reads software policies
Source: C:\Users\user\Desktop\47.txt .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\47.txt .exe 'C:\Users\user\Desktop\47.txt .exe'
Source: unknown | Process created: C:\Windows\lsass.exe 'C:\Windows\lsass.exe'

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\lsass.exe | Code function: 2_2_00803108 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState (2_2_00803108)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\lsass.exe | Code function: 2_2_00807EE0 push eax; ret (2_2_00807F0E)
Source: C:\Windows\lsass.exe | Code function: 2_1_00807E22 push ebx; ret (2_1_00807E25)
Source: C:\Windows\lsass.exe | Code function: 2_1_00807F27 push cs; iretd (2_1_00807F28)
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\47.txt .exe | File created: C:\Windows\lsass.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\lsass.exe
Drops PE files
Source: C:\Users\user\Desktop\47.txt .exe | File created: C:\Windows\lsass.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\47.txt .exe | File created: C:\Windows\lsass.exe

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (a lot of spaces)
Source: Detected 79 consecutive spaces in filename | Static PE information: 47.txt .exe
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: txt.exe | Static PE information: 47.txt .exe
Note: the run of spaces is collapsed in this rendering of the name. On disk the file is 47.txt followed by 79 spaces and then .exe, so a truncated directory listing or mail-client attachment view shows only 47.txt while Windows executes it as a PE file.
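Both signatures describe the same trick, and it is cheap to check at a mail gateway or in a file-creation hook. The Python below is an added example, not code from the report or from Joe Sandbox: it reports the longest run of spaces in a filename, the document-style extension hidden in front of the real one, and whether the extension Windows actually acts on is executable. The extension lists and the 8-space threshold are assumptions of the example; the first input in the usage block reproduces the report's sample name and the others are constructed.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows executes directly, and extensions that look like harmless
# documents. Both lists are assumptions of this example, not from the report.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def check_filename(name: str, min_spaces: int = 8) -> dict:
    """Inspect a filename for the two tricks the report flags.

    Returns a dict with:
      real_extension   the last extension, i.e. the one Windows acts on
      space_run        length of the longest run of spaces in the name
      double_extension a document-looking extension sitting in front of the
                       real one (None if absent)
      suspicious       True when the real extension is executable and either
                       trick is present
    """
    base = PureWindowsPath(name).name             # drop any directory part
    real_ext = PureWindowsPath(base).suffix.lower()

    # Longest run of consecutive spaces. Explorer and mail clients truncate long
    # names, so "47.txt<79 spaces>.exe" is displayed as 47.txt.
    space_run = max((len(m.group(0)) for m in re.finditer(r" +", base)), default=0)

    # What remains once the real extension and the padding are removed.
    inner = base[: -len(real_ext)] if real_ext else base
    inner_ext = PureWindowsPath(inner.rstrip()).suffix.lower()
    double_ext = inner_ext if inner_ext in DOCUMENT_EXTS else None

    suspicious = real_ext in EXECUTABLE_EXTS and (space_run >= min_spaces or double_ext is not None)
    return {
        "real_extension": real_ext,
        "space_run": space_run,
        "double_extension": double_ext,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Constructed inputs: the first reproduces the report's sample name.
    for n in ["47.txt" + " " * 79 + ".exe", "invoice.pdf.exe", "setup.exe", "report.pdf"]:
        print(repr(n[:20]), check_filename(n))
```

The check deliberately keys on the last extension only, because that is the one the shell uses to pick a handler; everything before it is display text that the attacker controls.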

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\lsass.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_2-2046)
Source: C:\Windows\lsass.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_2-2046)
Enumerates the file system
Source: C:\Users\user\Desktop\47.txt .exe | File opened: the same six C:\Documents and Settings\All Users\Application Data\... paths listed under Spreading above
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\lsass.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_2-2859)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\47.txt .exe TID: 2576 | Thread sleep time: -84000s >= -30000s
Source: C:\Users\user\Desktop\47.txt .exe TID: 2576 | Thread sleep count: 58 > 30
Source: C:\Windows\lsass.exe TID: 4568 | Thread sleep count: 40 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\lsass.exe | Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Windows\lsass.exe | Code function: 2_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h (2_2_00805247)
Note: 0x07dc is 2012 decimal. wYear is the first WORD of the SYSTEMTIME structure that GetSystemTime fills, so a year comparison is the natural reading of this compare, although the report does not state which field [ebp-10h] holds.
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\lsass.exe | Code function: 2_2_00804D32, the FindFirstFileA/FindNextFileA chain listed under Spreading above
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 47.txt .exe, 00000000.00000002.5090341285.0000000000690000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note: "Hyper-V RAW" together with mswsock.dll is the Winsock catalog entry for the Hyper-V socket provider on Windows 10; it is mapped into any process that initialises Winsock and is an OS string, not evidence that the sample looks for a hypervisor.
Program exit points
Source: C:\Windows\lsass.exe | API call chain: ExitProcess graph end node (graph_2-2031)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\47.txt .exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\47.txt .exe | Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Windows\lsass.exe | Code function: 2_2_00803108 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState (2_2_00803108)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\lsass.exe | Code function: 2_2_0080418A strlen,lstrcat,lstrcmpi,lstrlen,GetProcessHeap,RtlAllocateHeap,memset,GetTickCount,_mbscpy (2_2_0080418A)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 47.txt .exe, 00000000.00000002.5091026970.0000000000DA0000.00000002.sdmp, lsass.exe, 00000002.00000002.5098546873.0000000001030000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: 47.txt .exe, 00000000.00000002.5091026970.0000000000DA0000.00000002.sdmp, lsass.exe, 00000002.00000002.5098546873.0000000001030000.00000002.sdmp | Binary or memory string: Progman
Source: 47.txt .exe, 00000000.00000002.5091026970.0000000000DA0000.00000002.sdmp, lsass.exe, 00000002.00000002.5098546873.0000000001030000.00000002.sdmp | Binary or memory string: Program ManagerUR

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Windows\lsass.exe | Code function: 2_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA (2_2_00802DB3)
Contains functionality to query time zone information
Source: C:\Windows\lsass.exe | Code function: 2_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA (2_2_00802DB3)

Stealing of Sensitive Information:

Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Windows\lsass.exe | Code function: 2_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetFileAttributesA,CreateThread,CreateThread,Sleep,CreateThread,Sleep,CreateThread,Sleep (2_2_00802C72)

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\lsass.exe | Code function: 2_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z (2_2_00807D81)
Note: ??3@YAXPAX@Z is the MSVC-decorated name of operator delete, i.e. the function frees a C++ allocation after accept returns; the socket/bind/listen/accept sequence with a thread spawned per connection is the listening half of a backdoor.

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
22:07:48 | API Interceptor | 2x Sleep call for process: 47.txt .exe modified
22:07:49 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name Traybar, data C:\Windows\lsass.exe
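The dropped C:\Windows\lsass.exe and the Run-key value that points at it are two signals worth correlating in any endpoint telemetry. The Python below is an added example, not part of the Joe Sandbox report: it takes constructed file-creation events and Run-key values (the lsass.exe drop, the Temp file and the Traybar value reproduce the report; the System32 control event and the SecurityHealth value are invented), flags executables that borrow a Windows system binary's name but live outside that binary's legitimate directory, and then matches autostart entries against the flagged drops. The table of legitimate locations is an assumption of the example.

```python
import ntpath

# Legitimate directory of the genuine binary for a few names that malware
# borrows (constructed for this example; lsass.exe is the one in the report).
SYSTEM_BINARY_HOMES = {
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed sample data. The lsass.exe drop, the Temp file and the Traybar
# value reproduce the report; the System32 event and the SecurityHealth value
# are invented benign controls.
SAMPLE_FILE_EVENTS = [
    {"process": r"C:\Users\user\Desktop\47.txt .exe", "action": "created",
     "path": r"C:\Windows\lsass.exe"},
    {"process": r"C:\Users\user\Desktop\47.txt .exe", "action": "created",
     "path": r"C:\Users\user\AppData\Local\Temp\fakfohvmwn.txt"},
    {"process": r"C:\Windows\System32\svchost.exe", "action": "created",
     "path": r"C:\Windows\System32\lsass.exe"},
]
SAMPLE_RUN_ENTRIES = [
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Traybar", "data": r"C:\Windows\lsass.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "data": r"%windir%\system32\SecurityHealthSystray.exe"},
]


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are exact."""
    return ntpath.normpath(path).lower()


def masquerading_drops(file_events):
    """Return 'created' events whose file carries a Windows system binary's name
    but sits outside that binary's legitimate directory."""
    hits = []
    for ev in file_events:
        if ev["action"] != "created":
            continue
        target = _norm(ev["path"])
        base = ntpath.basename(target)
        homes = SYSTEM_BINARY_HOMES.get(base)
        if homes and ntpath.dirname(target) not in homes:
            hits.append({"process": ev["process"], "path": ev["path"],
                         "reason": f"{base} created outside {sorted(homes)}"})
    return hits


def executable_from_command(cmd: str) -> str:
    """First token of a Run-key command line: a quoted path, or the text up to
    the first space (an unquoted path containing spaces is ambiguous by design)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def autostart_to_dropped(run_entries, dropped_paths):
    """Match Run-key values against the paths of flagged drops."""
    dropped = {_norm(p) for p in dropped_paths}
    return [
        {"key": e["key"], "name": e["name"], "exe": executable_from_command(e["data"])}
        for e in run_entries
        if _norm(executable_from_command(e["data"])) in dropped
    ]


if __name__ == "__main__":
    drops = masquerading_drops(SAMPLE_FILE_EVENTS)
    for d in drops:
        print("masquerade:", d)
    for a in autostart_to_dropped(SAMPLE_RUN_ENTRIES, [d["path"] for d in drops]):
        print("autostart ->", a)
```

On a real host the same comparison should also be applied to the process image path of anything called lsass.exe that is running, since the genuine one is a single instance started from System32 by wininit.exe.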

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
47.txt .exe | 100% | Avira | WORM/Mydoom.L.1

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\lsass.exe | 100% | Avira | WORM/Mydoom.L.1

Unpacked PE Files

Source | Detection | Scanner | Label
2.1.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
2.2.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
2.0.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match: 15.236.162.112
Associated samples (all detected as malicious; SHA 256 values and report links are not preserved in this extraction):
  • 25wlyang@jihu.exe
  • 51transcript.exe
  • 52file.exe
  • 1tZfawXU8sz.exe
  • 5ling@jihu.exe
  • 5dxgnP9nu9p.exe
  • 3Y1xiWSfW6w.exe
  • .exe
  • 3getwebcak.exe

Domains

No context

ASN

Match: HP-INTERNET-AS-Hewlett-PackardCompanyUS
Associated samples (all detected as malicious) and the address in this ASN each one contacted:
  • 57messag.exe: 16.112.73.241
  • 11youtubeer@youtube.exe: 16.115.197.135
  • 39transcrip.exe: 16.115.193.27
  • 81fil.exe: 16.100.97.205
  • 4181rBFqtShk.exe: 16.83.201.164
  • 5mail.exe: 16.150.109.72
  • 49srIXywGk1L.exe: 16.150.165.4
  • 22readm.exe: 16.101.105.9
  • 61byijh.exe: 16.118.36.86
  • 32attachment.exe: 16.102.177.220
  • .exe: 16.83.194.190
  • 1lette.exe: 16.100.129.139
  • 1xgh@taixin.exe: 16.101.1.155
  • 39documen.exe: 16.100.1.97
  • .exe: 16.188.122.43
  • 61ghostviewer@youtube.exe: 16.101.234.103
  • 7transcript.exe: 16.80.225.62
  • 44bes.exe: 16.83.197.35
  • 65leq.exe: 16.100.193.14
  • .exe: 16.112.77.63

JA3 Fingerprints

No context

Dropped Files

No context
