
Analysis Report malware.vir

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 148204
Start date: 02.07.2019
Start time: 23:14:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 40s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: malware.vir (renamed file extension from vir to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.winEXE@3/4@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 90.1% (good quality ratio 88.4%)
  • Quality average: 77.5%
  • Quality standard deviation: 25.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
    (WerFault.exe and conhost.exe are on this list, yet they are the source of most behavior rows in the signature section. Read rows sourced from them as crash-handler and console-host activity, not as behavior of the sample.)

Detection

Strategy   Score  Range    Whitelisted  Detection
Threshold  60     0 - 100  false        malicious
(The Reporting column has no textual value in the report.)

Confidence

Strategy   Score  Range  Further Analysis Required?
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.

(Caveat: the only library the sample itself failed to load is wow64log.dll, which every 32-bit process probes under WoW64 and which is absent on a stock Windows install; the other missing DLLs were requested by WerFault.exe. Supplying libraries is therefore unlikely to change the outcome. The more productive lead is the crash: WerFault.exe was launched for PID 2468, so the sample terminated abnormally before showing most of its behavior, and the run then ended on timeout.)



Mitre Att&ck Matrix

(Joe Sandbox renders the pre-v7 ATT&CK layout. A number in parentheses is the count of matched signatures mapped to that technique; cells listed as unmatched are the matrix's fixed placeholders and carry no finding.)

Initial Access: no matches (Valid Accounts, Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link)
Execution: no matches (Windows Remote Management, Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface)
Persistence: no matches (Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification)
Privilege Escalation: Process Injection (1); unmatched: Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness
Defense Evasion: Masquerading (1), Software Packing (1), Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
Credential Access: no matches (Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation)
Discovery: Process Discovery (2), Security Software Discovery (3), System Information Discovery (1); unmatched: System Network Configuration Discovery, Remote System Discovery
Lateral Movement: no matches (Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot)
Collection: no matches (Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged)
Exfiltration: Data Encrypted (1); unmatched: Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer
Command and Control: Standard Cryptographic Protocol (1); unmatched: Fallback Channels, Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol

(No domains or IPs were contacted in this run, and the only crypto-related signature in the report is "Detected potential crypto function", so the Exfiltration and Command and Control cells reflect a static instruction-pattern heuristic, not observed traffic.)

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for sample
  Source: malware.exe  Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
  Source: malware.exe  virustotal: Detection: 19%
Antivirus or Machine Learning detection for unpacked file
  Source: 0.0.malware.exe.4e0000.2.unpack  Joe Sandbox ML: detected
  Source: 0.0.malware.exe.4e0000.1.unpack  Joe Sandbox ML: detected
  Source: 0.2.malware.exe.4e0000.0.unpack  Joe Sandbox ML: detected
  Source: 0.0.malware.exe.4e0000.0.unpack  Joe Sandbox ML: detected
  Source: 0.1.malware.exe.4e0000.0.unpack  Joe Sandbox ML: detected
  (All five are memory dumps of process 0 at image base 0x4E0000. Only one third-party engine labels a dump, Avira with the generic TR/Crypt.XPACK.Gen on 0.2.malware.exe.4e0000.0.unpack; the other 100% figures are Joe Sandbox's own ML model. The malicious verdict therefore rests on a generic packer signature, a 19% VirusTotal ratio and the evasion behavior below, not on a family attribution.)

System Summary:

Creates files inside the system directory
  Source: C:\Windows\SysWOW64\WerFault.exe  File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Creates mutexes
  Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_01
  Source: C:\Users\user\Desktop\malware.exe  Mutant created: \Sessions\1\BaseNamedObjects\MutexHelper
  Source: C:\Windows\SysWOW64\WerFault.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2468
  (Only MutexHelper is the sample's; the conhost and WER mutants are standard, and the 2468 in the WER mutant is the PID of the crashing process. MutexHelper is generic enough that it should be checked against known benign software before being used as a host indicator.)
Detected potential crypto function
  Source: C:\Users\user\Desktop\malware.exe  Code functions: 0_2_004F34C4, 0_2_004F0EAC, 0_2_004E5740, 0_2_004E9B78
  (Instruction-pattern heuristic; with no network traffic in this run these four functions are the only basis for the crypto-related matrix cells.)
One or more processes crash
  Source: unknown  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 532
  (-p 2468 is the faulting PID, and the SysWOW64 copy of WerFault means a 32-bit process crashed. The crash followed by the timeout is why so few behaviors below are attributable to the sample.)
Sample file is different than original file name gathered from version info
  Source: malware.exe, 00000000.00000000.632006095.000000000084D000.00000002.00020000.sdmp  Binary or memory string: OriginalFilename WASpotLife.DLLD vs malware.exe
  Source: malware.exe  Binary or memory string: OriginalFilename WASpotLife.DLLD vs malware.exe
  (The version resource names a DLL while the file is an EXE; this is the finding behind the Masquerading cell. The trailing "D" is reproduced as the report shows it.)
Tries to load missing DLLs
  Source: C:\Users\user\Desktop\malware.exe  Section loaded: wow64log.dll
  Source: C:\Windows\SysWOW64\WerFault.exe  Section loaded: wow64log.dll
  Source: C:\Windows\SysWOW64\WerFault.exe  Section loaded: sfc.dll
  Source: C:\Windows\SysWOW64\WerFault.exe  Section loaded: phoneinfo.dll
  Source: C:\Windows\SysWOW64\WerFault.exe  Section loaded: ext-ms-win-xblauth-console-l1.dll
  (wow64log.dll is probed by every WoW64 process and is not shipped with Windows; the other three are optional dependencies of WerFault. None is a dependency of the sample.)
Classification label
  Source: classification engine  Classification label: mal60.winEXE@3/4@0/0
Creates temporary files
  Source: C:\Windows\SysWOW64\WerFault.exe  File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1444.tmp
PE file has an executable .text section and no other executable section
  Source: malware.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
  Source: C:\Users\user\Desktop\malware.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  (Software Restriction Policy lookup, routinely made by benign software and by Windows itself; low-signal on its own.)
Sample is known by Antivirus
  Source: malware.exe  virustotal: Detection: 19%
Spawns processes
  Source: unknown  Process created: C:\Users\user\Desktop\malware.exe 'C:\Users\user\Desktop\malware.exe'
  Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
  Source: unknown  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 532
  (conhost.exe starting indicates the sample attached a console, as a console-subsystem binary or via AllocConsole; the sample spawned no child of its own.)
Uses an in-process (OLE) Automation server
  Source: C:\Users\user\Desktop\malware.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07034fd-6caa-4954-ac3f-97a27216f98a}\InProcServer32
  (A 32-bit COM class lookup, as the WOW6432Node path shows.)
PE file has a big code size
  Source: malware.exe  Static PE information: Virtual size of .text is bigger than: 0x100000
Submission file is bigger than most known malware samples
  Source: malware.exe  Static file information: File size 3620864 > 1048576
PE file has a big raw section
  Source: malware.exe  Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e2000
Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: malware.exe  Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
  Source: malware.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
  Source: Binary string: WJH@LK$JHKLWJ@#LKJGWKL.PDB  source: malware.exe
  (A single 0x2e2000-byte executable section, a generic crypter verdict on the memory dump and a keyboard-mash PDB name together point to a protected or packed build rather than plain compiler output. The PDB string is still a usable static indicator for hunting related samples.)

Data Obfuscation:

PE file contains an invalid checksum
  Source: malware.exe  Static PE information: real checksum: 0x32ebdca9 should be: 0x37b09c
  (Windows does not verify CheckSum for user-mode executables, so the mismatch has no effect at run time. It does show the headers or body were modified after the field was written, which is what packing or post-link patching produces; a zero field would merely mean the linker never set it, whereas a non-zero wrong value, as here, is the suspicious case. Sanity check on the expected value: 0x37b09c minus the file length 3620864 (0x373f00) is 0x719c, a 16-bit quantity, which is exactly the shape the PE checksum algorithm produces, a 16-bit folded sum plus the file length.)
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\malware.exe  Code function: 0_2_004ED7F0  push esi; mov dword ptr [esp], 00000000h  (0_2_004ED7F1)
  Source: C:\Users\user\Desktop\malware.exe  Code function: 0_2_00DE013A  push eax; iretd  (0_2_00DE013B)
  (The first pushes a zero through a register instead of push 0; the second uses iretd, which pops EIP, CS and EFLAGS, as an indirect jump to the value in eax. Both are anti-disassembly idioms rather than functional code.)
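To reproduce the static rows above without the sandbox (the checksum mismatch, the single executable .text section, the 1 MiB size thresholds, the DllCharacteristics flags and the debug directory from the System Summary), here is an added example; it is not code from the report or from Joe Security. It is standard-library Python. The PE32 built by build_sample_pe() is a constructed, header-only stand-in whose field values are made up to mirror the report, the 1 MiB threshold is assumed from the report's wording, and the checksum routine implements the documented PE CheckSum algorithm (end-around-carry dword sum, folded to 16 bits, plus file length).

```python
"""Static PE header triage: recomputes CheckSum and the section/flag checks
the report derives from headers. Standard library only.
Usage: python pe_triage.py [file.exe]  (no argument: the constructed sample)"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits (winnt.h)
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
# IMAGE_SCN_* section characteristics (winnt.h)
SCN_CNT_CODE, SCN_CNT_INIT_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
BIG_SECTION = 0x100000  # assumed: the 1 MiB threshold behind the report's "big" rows


def checksum_over(data: bytes, skip_offset: int) -> int:
    """PE CheckSum: dword sum with end-around carry over the whole file except
    the 4-byte CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Pull out the header fields behind the report's static signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                           # optional header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ magic?
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]  # CheckSum
    dllchars = struct.unpack_from("<H", data, opt + 0x46)[0]
    dirs = opt + (0x70 if plus else 0x60)                   # data directories
    debug_rva, debug_size = struct.unpack_from("<II", data, dirs + 6 * 8)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        name, vsize, _va, rawsize, _ptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return {"pe32plus": plus,
            "dll_characteristics": [n for b, n in DLL_CHARACTERISTICS.items() if dllchars & b],
            "stored_checksum": stored,
            "computed_checksum": checksum_over(data, opt + 0x40),
            "has_debug_dir": bool(debug_rva and debug_size),
            "sections": sections}


def triage(info: dict) -> list:
    """Findings worded like the report's System Summary / Data Obfuscation rows."""
    out = []
    execs = [s for s in info["sections"] if s["chars"] & SCN_MEM_EXECUTE]
    if len(execs) == 1 and execs[0]["name"] == ".text":
        out.append("executable .text section and no other executable section")
    for s in info["sections"]:
        if s["chars"] & SCN_CNT_CODE and s["vsize"] > BIG_SECTION:
            out.append(f"big code size: virtual size of {s['name']} is 0x{s['vsize']:x}")
        if s["rawsize"] > BIG_SECTION:
            out.append(f"big raw section: {s['name']} raw size 0x{s['rawsize']:x}")
    if info["stored_checksum"] != info["computed_checksum"]:
        out.append(f"invalid checksum: real 0x{info['stored_checksum']:x} "
                   f"should be 0x{info['computed_checksum']:x}")
    if {"DYNAMIC_BASE", "NX_COMPAT"} & set(info["dll_characteristics"]):
        out.append("modern PE flags: " + ", ".join(info["dll_characteristics"]))
    if info["has_debug_dir"]:
        out.append("debug data directory present")
    return out


def build_sample_pe(checksum=0, text_vsize=0x2E2000, dllchars=0x8140) -> bytes:
    """Constructed header-only PE32 (no real code) for offline testing; sizes
    mimic the report's .text, the checksum is whatever the caller sets."""
    nt, opt_size = 0x40, 0xE0
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, nt)
    buf[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, nt + 4, 0x14C, 2)           # i386, 2 sections
    struct.pack_into("<HH", buf, nt + 20, opt_size, 0x0102)  # EXECUTABLE_IMAGE | 32BIT
    opt = nt + 24
    struct.pack_into("<H", buf, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", buf, opt + 0x40, checksum)
    struct.pack_into("<HH", buf, opt + 0x44, 2, dllchars)     # GUI subsystem, DllCharacteristics
    struct.pack_into("<I", buf, opt + 0x5C, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 0x60 + 6 * 8, 0x1000, 0x1C)  # debug directory entry
    secs = [(b".text", text_vsize, 0x1000, text_vsize, 0x400, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
            (b".data", 0x1000, 0x300000, 0x200, 0x200, SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE)]
    for i, (name, vsize, va, raw, ptr, chars) in enumerate(secs):
        hdr = opt + opt_size + i * 40
        struct.pack_into("<8sIIII", buf, hdr, name, vsize, va, raw, ptr)
        struct.pack_into("<I", buf, hdr + 36, chars)
    return bytes(buf)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(checksum=0x32EBDCA9)
    for finding in triage(parse_pe(blob)):
        print(finding)
```

Run it against the real file to compare its "should be" value with the report's 0x37b09c; the same algorithm is what pefile's generate_checksum() implements. The checks are header-only on purpose: they flag the same things the sandbox flagged, and they say nothing about what the code does, which is why the report's "big section" and "modern PE flags" rows are descriptive rather than malicious on their own.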

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
  Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX  (reported 20 times)
  (Every hit is WerFault.exe suppressing its own error dialogs while it reports the sample's crash; malware.exe never calls SetErrorMode in this run. Nothing in this section is evidence of hooking or hiding by the sample.)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
  Source: C:\Users\user\Desktop\malware.exe  RDTSC instruction interceptor: first address 4e2ee6, second address 4e2eec, instructions:
    0x00 rdtsc
    0x02 mov edi, edx
    0x04 mov ebx, eax
    0x06 rdtsc
  Source: C:\Users\user\Desktop\malware.exe  RDTSC instruction interceptor: first address 4e2eec, second address 4e2ee6, instructions:
    0x00 rdtsc
    0x02 mov ecx, edx
    0x04 mov esi, eax
    0x06 sub esi, ebx
    0x08 mov eax, dword ptr [esp+0Ch]
    0x0c cmp eax, 00000000h
    0x0f mov edx, dword ptr [esp+10h]
    0x13 cmove edx, esi
    0x16 cmp eax, 00000000h
    0x19 mov ebx, dword ptr [esp+08h]
    0x1d cmove ebx, esi
    0x20 mov eax, dword ptr [esp+3Ch]
    0x24 mov dword ptr [esp+3Ch], eax
    0x28 cmp ebx, esi
    0x2a cmovnbe ebx, esi
    0x2d mov dword ptr [esp+14h], ebx
    0x31 cmp edx, esi
    0x33 cmovb edx, esi
    0x36 mov eax, dword ptr [esp+2Ch]
    0x3a xor eax, 30080152h
    0x3f mov dword ptr [esp+18h], edx
    0x43 mov edx, dword ptr [esp+0Ch]
    0x47 add edx, 01h
    0x4a mov esi, dword ptr [esp+14h]
    0x4e mov dword ptr [esp+1Ch], esi
    0x52 mov esi, dword ptr [esp+18h]
    0x56 mov dword ptr [esp+28h], esi
    0x5a mov dword ptr [esp+20h], edx
    0x5e cmp edx, eax
    0x60 mov dword ptr (listing truncated in the report)
  (What the loop does: two back-to-back rdtsc, with the delta of the low 32 bits left in esi. On the first iteration ([esp+0Ch] == 0) the cmove pair seeds both [esp+08h] and [esp+10h] with that delta; afterwards cmovnbe keeps the running minimum in ebx and cmovb the running maximum in edx. The iteration counter in [esp+0Ch] is incremented and compared against a bound decoded with xor eax, 30080152h, an obfuscated constant; the second row's lower "second address" (4e2ee6 < 4e2eec) is the backward branch of that loop. A trapped or emulated rdtsc makes the minimum delta orders of magnitude larger than on bare metal, which is what the check keys on. Together with the DebugPort query below, this is the sample's own evasion logic; the remaining rows in this section are not.)
Queries disk information (often used to detect virtual machines)
  Source: C:\Windows\SysWOW64\WerFault.exe  File opened: PhysicalDrive0  (crash handler, not the sample)
Sample execution stops while process was sleeping (likely an evasion)
  Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed  (two hits, both conhost.exe, not the sample)
Queries a list of all running processes
  Source: C:\Windows\SysWOW64\WerFault.exe  Process information queried: ProcessInformation  (crash handler, not the sample)

Anti Debugging:

Checks for debuggers (devices)
  Source: C:\Windows\SysWOW64\WerFault.exe  File opened: C:\Windows\WinSxS\FileMaps\users_user_desktop_3f3714ea22baf985.cdf-ms
  (A WinSxS file map opened by the crash handler, not a debugger device; disregard as an anti-debug indicator.)
Checks if the current process is being debugged
  Source: C:\Users\user\Desktop\malware.exe  Process queried: DebugPort
  (The sample's own check: NtQueryInformationProcess with ProcessDebugPort, the same test CheckRemoteDebuggerPresent performs.)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
  Source: C:\Users\user\Desktop\malware.exe  Code function: 0_2_004E2254  EntryPoint, lstrcpyW, GetCommandLineW, CommandLineToArgvW, RtlComputeCrc32, LdrInitializeThunk
  (The entry-point function parses its command line and computes a CRC32 with RtlComputeCrc32. Whether that CRC gates execution on an argument is worth checking before concluding the early crash is a sandbox artefact.)
Enables debug privileges
  Source: C:\Windows\SysWOW64\WerFault.exe  Process token adjusted: Debug
  (WerFault acquiring SeDebugPrivilege to read the crashing process; not the sample.)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  Source: malware.exe, 00000000.00000000.681287150.00000000015C0000.00000002.00000001.sdmp  Binary or memory string: Program Manager
  Source: malware.exe, 00000000.00000000.681287150.00000000015C0000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
  Source: malware.exe, 00000000.00000000.681287150.00000000015C0000.00000002.00000001.sdmp  Binary or memory string: Progman
  Source: malware.exe, 00000000.00000000.681287150.00000000015C0000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
  (These are the window titles and classes of the desktop and taskbar. They were found in a memory region at 0x15C0000, not in the image mapped at 0x4E0000 that the unpacked dumps come from, so confirm what is mapped there before attributing a FindWindow-style injection-target check to the sample.)

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 148204  Sample: malware.vir  Start date: 02/07/2019  Architecture: WINDOWS  Score: 60

Sample-level signatures (attached to the root node):
  • Antivirus or Machine Learning detection for sample
  • Multi AV Scanner detection for submitted file
  • Antivirus or Machine Learning detection for unpacked file

Process tree (the small numbers after a process are the per-process counters from the legend, created registry values and created files):
  malware.exe 1  (started)
    signature: Tries to detect virtualization through RDTSC time measurements
    ├─ WerFault.exe 24 10  (started)
    │    dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
    └─ conhost.exe  (started)

Simulations

Behavior and APIs

Time      Type             Description
23:16:23  API Interceptor  2x Sleep call for process: malware.exe modified

(The sandbox shortened two Sleep calls made by malware.exe; the "Sample execution stops while process was sleeping" rows in the signature section are attributed to conhost.exe, not to these calls.)

Antivirus and Machine Learning Detection

Initial Sample

Source       Detection  Scanner         Label
malware.exe  20%        virustotal
malware.exe  100%       Joe Sandbox ML
(The signature section renders the same VirusTotal result as 19%.)

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                           Detection  Scanner         Label
0.2.malware.exe.4e0000.0.unpack  100%       Avira           TR/Crypt.XPACK.Gen
0.0.malware.exe.4e0000.2.unpack  100%       Joe Sandbox ML
0.0.malware.exe.4e0000.1.unpack  100%       Joe Sandbox ML
0.2.malware.exe.4e0000.0.unpack  100%       Joe Sandbox ML
0.0.malware.exe.4e0000.0.unpack  100%       Joe Sandbox ML
0.1.malware.exe.4e0000.0.unpack  100%       Joe Sandbox ML

Domains: No Antivirus matches

URLs: No Antivirus matches

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Screenshots
