Analysis Report .scr

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 141280
Start date: 12.06.2019
Start time: 23:06:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: .scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@3/8@0/7
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 82.3%)
  • Quality average: 65.2%
  • Quality standard deviation: 36.5%
HCA Information:
  • Successful, ratio: 75%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtOpenFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 76 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

(Bracketed digits are the signature-count badges drawn in the report's matrix cells.)

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
Execution:
  • Execution through API [1]
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
Persistence:
  • Winlogon Helper DLL
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
Privilege Escalation:
  • Process Injection [1]
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
Defense Evasion:
  • Masquerading [12]
  • Software Packing [111]
  • Process Injection [1]
  • File Deletion [1]
  • Obfuscated Files or Information [11]
  • DLL Side-Loading [1]
Credential Access:
  • Input Capture [1]
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
Discovery:
  • System Time Discovery [12]
  • Process Discovery [2]
  • Application Window Discovery [1]
  • Security Software Discovery [51]
  • File and Directory Discovery [11]
  • System Information Discovery [11]
Lateral Movement:
  • Remote File Copy [1]
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
Collection:
  • Input Capture [1]
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
Exfiltration:
  • Data Compressed
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
Command and Control:
  • Uncommonly Used Port [1]
  • Commonly Used Port [1]
  • Remote File Copy [1]
  • Multiband Communication
  • Standard Cryptographic Protocol
  • Commonly Used Port

Signature Overview


AV Detection:

Antivirus or Machine Learning detection for dropped file
  • Source: C:\Windows\lsass.exe | Avira: Label: WORM/Mydoom.L.1
  • Source: C:\Windows\lsass.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  • Source: .exe | Avira: Label: WORM/Mydoom.L.1
  • Source: .exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  • Source: 0.1. .exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 1.1.lsass.exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 0.2. .exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 1.2.lsass.exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 1.0.lsass.exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 0.0. .exe.800000.1.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 0.0. .exe.800000.2.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 0.0. .exe.800000.0.unpack | Avira: Label: TR/Agent.Blkhl.dam
  • Source: 0.1. .exe.800000.0.unpack | Joe Sandbox ML: detected
  • Source: 1.1.lsass.exe.800000.0.unpack | Joe Sandbox ML: detected
  • Source: 0.2. .exe.800000.0.unpack | Joe Sandbox ML: detected
  • Source: 1.2.lsass.exe.800000.0.unpack | Joe Sandbox ML: detected
  • Source: 1.0.lsass.exe.800000.0.unpack | Joe Sandbox ML: detected
  • Source: 0.0. .exe.800000.1.unpack | Joe Sandbox ML: detected
  • Source: 0.0. .exe.800000.2.unpack | Joe Sandbox ML: detected
  • Source: 0.0. .exe.800000.0.unpack | Joe Sandbox ML: detected

Spreading:

Enumerates the file system
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,
  • Source: C:\Windows\lsass.exe | Code function: 1_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,

Networking:

Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 16.150.109.160:1042
  • Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 144.197.68.32:1042
  • Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 134.5.230.103:1042
  • Source: global traffic | TCP traffic: 192.168.2.5:49718 -> 219.93.83.226:1042
  • Source: global traffic | TCP traffic: 192.168.2.5:49721 -> 15.252.60.210:1042
Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 16.150.109.160
  • Source: unknown | TCP traffic detected without corresponding DNS query: 144.197.68.32
  • Source: unknown | TCP traffic detected without corresponding DNS query: 134.5.230.103
  • Source: unknown | TCP traffic detected without corresponding DNS query: 219.93.83.226
  • Source: unknown | TCP traffic detected without corresponding DNS query: 15.252.60.210
IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 219.93.83.226
  • Source: Joe Sandbox View | IP Address: 134.5.230.103
  • Source: Joe Sandbox View | IP Address: 15.252.60.210
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View | ASN Name: TMNET-AS-APTMNetInternetServiceProviderMY
  • Source: Joe Sandbox View | ASN Name: unknown
Contains functionality to download additional files from the internet
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00807983 Sleep,socket,connect,recv,htons,htons,htons,send,htons,recv,closesocket,
Found strings which match to known social media urls
  • Source: .exe, lsass.exe | String found in binary or memory: hotmail equals www.hotmail.com (Hotmail)
  • Source: .exe, lsass.exe | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  • Source: .exe, 00000000.00000000.681671782.00000000006EA000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Creates files inside the system directory
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\lsass.exe
Creates mutexes
  • Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess396
  • Source: C:\Windows\lsass.exe | Mutant created: \Sessions\1\BaseNamedObjects\
Deletes files inside the Windows folder
  • Source: C:\Users\user\Desktop\ .exe | File deleted: C:\Windows\lsass.exe
One or more processes crash
  • Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1168
PE file contains strange resources
  • Source: .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  • Source: lsass.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample reads its own file content
  • Source: C:\Users\user\Desktop\ .exe | File read: C:\Users\user\Desktop\ .exe
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\ .exe | Section loaded: wow64log.dll
  • Source: C:\Windows\lsass.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
  • Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
  • Source: .exe | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
  • Source: lsass.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Classification label
  • Source: classification engine | Classification label: mal76.troj.evad.winEXE@3/8@0/7
Creates temporary files
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Users\user\AppData\Local\Temp\cmgpjcinetc.txt
Reads software policies
  • Source: C:\Users\user\Desktop\ .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\ .exe 'C:\Users\user\Desktop\ .exe'
  • Source: unknown | Process created: C:\Windows\lsass.exe 'C:\Windows\lsass.exe'
  • Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1168

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00803108 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState,
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00807EE0 push eax; ret
  • Source: C:\Windows\lsass.exe | Code function: 1_2_00807EE0 push eax; ret
Sample is packed with UPX
  • Source: initial sample | Static PE information: section name: UPX0
  • Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops PE files with benign system names
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\lsass.exe
Drops executables to the windows directory (C:\Windows) and starts them
  • Source: unknown | Executable created and started: C:\Windows\lsass.exe
Drops PE files
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\lsass.exe
Drops PE files to the windows directory (C:\Windows)
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\lsass.exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
  • Source: C:\Windows\lsass.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
  • Source: C:\Windows\lsass.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
  • Source: C:\Users\user\Desktop\ .exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Enumerates the file system
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
  • Source: C:\Users\user\Desktop\ .exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  • Source: C:\Windows\lsass.exe | Window / User API: threadDelayed 621
Found decision node followed by non-executed suspicious APIs
  • Source: C:\Users\user\Desktop\ .exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
  • Source: C:\Windows\lsass.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
  • Source: C:\Users\user\Desktop\ .exe TID: 3644 | Thread sleep time: -46000s >= -30000s
  • Source: C:\Users\user\Desktop\ .exe TID: 3644 | Thread sleep count: 60 > 30
  • Source: C:\Windows\lsass.exe TID: 3040 | Thread sleep count: 54 > 30
  • Source: C:\Windows\lsass.exe TID: 3040 | Thread sleep count: 42 > 30
  • Source: C:\Windows\lsass.exe TID: 3040 | Thread sleep count: 84 > 30
  • Source: C:\Windows\lsass.exe TID: 3040 | Thread sleep count: 132 > 30
  • Source: C:\Windows\lsass.exe TID: 3040 | Thread sleep count: 621 > 30
  • Source: C:\Windows\lsass.exe TID: 3040 | Thread sleep time: -46575s >= -30000s
Queries disk information (often used to detect virtual machines)
  • Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
  • Source: C:\Users\user\Desktop\ .exe | Last function: Thread delayed
  • Source: C:\Windows\lsass.exe | Last function: Thread delayed
  • Source: C:\Windows\lsass.exe | Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
  • Source: C:\Windows\lsass.exe | Code function: 1_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,
  • Source: C:\Windows\lsass.exe | Code function: 1_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Source: .exe, 00000000.00000000.681671782.00000000006EA000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Program exit points
  • Source: C:\Users\user\Desktop\ .exe | API call chain: ExitProcess graph end node
  • Source: C:\Windows\lsass.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
  • Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_desktop_3f3714ea22baf985.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\Users\user\Desktop\ .exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
  • Source: C:\Users\user\Desktop\ .exe | Process queried: DebugPort
Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00803108 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState,
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_0080418A strlen,lstrcmpi,lstrlen,GetProcessHeap,RtlAllocateHeap,memset,GetTickCount,_mbscpy,
Enables debug privileges
  • Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: .exe, 00000000.00000000.681932793.0000000000E20000.00000002.sdmp, lsass.exe, 00000001.00000002.1028910660.0000000001030000.00000002.sdmp | Binary or memory string: Program Manager
  • Source: .exe, 00000000.00000000.681932793.0000000000E20000.00000002.sdmp, lsass.exe, 00000001.00000002.1028910660.0000000001030000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
  • Source: .exe, 00000000.00000000.681932793.0000000000E20000.00000002.sdmp, lsass.exe, 00000001.00000002.1028910660.0000000001030000.00000002.sdmp | Binary or memory string: Progman
  • Source: .exe, 00000000.00000000.681932793.0000000000E20000.00000002.sdmp, lsass.exe, 00000001.00000002.1028910660.0000000001030000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query local / system time
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA,
Contains functionality to query time zone information
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA,

Stealing of Sensitive Information:

Contains functionality to search for IE or Outlook window (often done to steal information)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,
  • Source: C:\Windows\lsass.exe | Code function: 1_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetFileAttributesA,CreateThread,CreateThread,Sleep,CreateThread,Sleep,CreateThread,Sleep,

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z,
  • Source: C:\Windows\lsass.exe | Code function: 1_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z,

Behavior Graph

Behavior Graph ID: 141280
Sample: .scr
Start date: 12/06/2019
Architecture: WINDOWS
Score: 76

Signatures on the sample node:
  • Antivirus or Machine Learning detection for sample
  • Found evasive API chain (may stop execution after checking mutex)
  • Detected TCP or UDP traffic on non-standard ports
  • 3 other signatures

Process nodes started from the sample node (the trailing numbers are the counters drawn on each node; the graph legend lists created registry values and created files):
  • lsass.exe 192
  • .exe 1 4
  • WerFault.exe 24 10 (started by .exe)

Signatures on the lsass.exe node:
  • Antivirus or Machine Learning detection for dropped file
  • Found evasive API chain (may stop execution after checking mutex)

DNS/IP nodes:
  • 219.93.83.226, port 1042, TMNET-AS-APTMNetInternetServiceProviderMY, Malaysia (from lsass.exe)
  • 15.252.60.210, port 1042, HP-INTERNET-AS-Hewlett-PackardCompanyUS, United States (from lsass.exe)
  • 3 other IPs or domains (from lsass.exe)
  • 16.150.109.160, port 1042, unknown, United States (from .exe; signature: Detected TCP or UDP traffic on non-standard ports)
  • 10.136.140.100, port 1042, unknown, unknown (from .exe)

Files dropped by .exe:
  • C:\Windows\lsass.exe, PE32
  • C:\Windows\lsass.exe:Zone.Identifier, ASCII

Simulations

Behavior and APIs

Time | Type | Description
23:07:27 | API Interceptor | 2x Sleep call for process: .exe modified
23:07:27 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Traybar C:\Windows\lsass.exe

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
.exe | 100% | Avira | WORM/Mydoom.L.1
.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\lsass.exe | 100% | Avira | WORM/Mydoom.L.1
C:\Windows\lsass.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
0.1. .exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
1.1.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
0.2. .exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
1.2.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
1.0.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
0.0. .exe.800000.1.unpack | 100% | Avira | TR/Agent.Blkhl.dam
0.0. .exe.800000.2.unpack | 100% | Avira | TR/Agent.Blkhl.dam
0.0. .exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
0.1. .exe.800000.0.unpack | 100% | Joe Sandbox ML |
1.1.lsass.exe.800000.0.unpack | 100% | Joe Sandbox ML |
0.2. .exe.800000.0.unpack | 100% | Joe Sandbox ML |
1.2.lsass.exe.800000.0.unpack | 100% | Joe Sandbox ML |
1.0.lsass.exe.800000.0.unpack | 100% | Joe Sandbox ML |
0.0. .exe.800000.1.unpack | 100% | Joe Sandbox ML |
0.0. .exe.800000.2.unpack | 100% | Joe Sandbox ML |
0.0. .exe.800000.0.unpack | 100% | Joe Sandbox ML |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


Domains

No context

ASN


                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Screenshots

                                                        Thumbnails

                                                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.