
Analysis Report wget.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:193295
Start date:03.12.2019
Start time:07:23:12
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 1s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:wget.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name:Cmdline fuzzy
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean7.winEXE@6/3@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 63%
  • Number of executed functions: 29
  • Number of non-executed functions: 256
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.

Detection

Strategy: Threshold
Score: 7
Range: 0 - 100
Reporting / Whitelisted: true
Detection: clean

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact
Valid Accounts | Command-Line Interface 2 | Application Shimming 1 | Process Injection 1 | Software Packing 1 | Credential Dumping | System Time Discovery 2 | Application Deployment Software | Screen Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Data Destruction
Replication Through Removable Media | Execution through API 2 | Port Monitors | Application Shimming 1 | Virtualization/Sandbox Evasion 1 | Network Sniffing | Security Software Discovery 11 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port 1 | Data Encrypted for Impact
External Remote Services | Graphical User Interface 1 | Accessibility Features | Path Interception | Process Injection 1 | Input Capture | File and Directory Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Disk Structure Wipe
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information 1 | Credentials in Files | System Information Discovery 24 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | Disk Content Wipe
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 21 | Account Manipulation | Remote System Discovery | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Service Stop

Signature Overview

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00475634 FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_00475634
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047DA7E FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_0047DA7E
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_00475634 FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,3_2_00475634
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_0047DA7E FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,3_2_0047DA7E

Networking:

URLs found in memory or binary data
Source: wget.exe | String found in binary or memory: http://upx.tsx.org
Source: wget.exe, wget.exe, 00000003.00000002.4593959655.0000000000401000.00000040.00020000.sdmp, wget.exe, 00000005.00000002.4601548276.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: wget.exe, wget.exe, 00000005.00000002.4601548276.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: wget.exe, 00000000.00000002.4585915789.0000000000401000.00000040.00020000.sdmp, wget.exe, 00000003.00000002.4593959655.0000000000401000.00000040.00020000.sdmp, wget.exe, 00000005.00000002.4601548276.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_0041FC40 GetVersion,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,3_2_0041FC40

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\wget.exe | Code functions: 0_2_00444060, 0_2_0048D000, 0_2_00497000, 0_2_00496000, 0_2_0049C000, 0_2_00499000, 0_2_00493000, 0_2_00495000, 0_2_00447010, 0_2_00492011, 0_2_0042F020, 0_2_00446080, 0_2_004471C0, 0_2_00423250, 0_2_00442260, 0_2_004402C0, 0_2_00450350, 0_2_0044F310, 0_2_004A0317, 0_2_004473C0, 0_2_0043E3E0, 0_2_00453380, 0_2_00446470, 0_2_00476400, 0_2_0049641B, 0_2_0040E430, 0_2_004064CA, 0_2_004304E0, 0_2_004954A2, 0_2_00445540, 0_2_00457540, 0_2_0043D500, 0_2_0047A52C, 0_2_00433530, 0_2_0049C58C, 0_2_00444650, 0_2_00453650, 0_2_0048A660, 0_2_00446610, 0_2_00450630, 0_2_004946C9, 0_2_00457780, 0_2_00446820, 0_2_00443830, 0_2_004468A9, 0_2_00444910, 0_2_00445A50, 0_2_00423A60, 0_2_00447A10, 0_2_00493ACF, 0_2_00494AFB, 0_2_00443B00, 0_2_00441BC0, 0_2_00424B90, 0_2_00444C60, 0_2_00445C00, 0_2_0041DC80, 0_2_0040CDC0, 0_2_00494DFB, 0_2_00424DA7, 0_2_0048EDA4, 0_2_00445E00, 0_2_0047FE3E, 0_2_0048EEC8, 0_2_00442E89, 0_2_00422F60, 0_2_00424F60, 0_2_0043FF60, 0_2_0048DF21, 0_2_00441F90
Source: C:\Users\user\Desktop\wget.exe | Code functions: 3_2_00444060, 3_2_0048D000, 3_2_00497000, 3_2_00496000, 3_2_0049C000, 3_2_00499000, 3_2_00493000, 3_2_00495000, 3_2_00447010, 3_2_00492011, 3_2_0042F020, 3_2_00446080, 3_2_004471C0, 3_2_00423250, 3_2_00442260, 3_2_004402C0, 3_2_00450350, 3_2_0044F310, 3_2_004A0317, 3_2_004473C0, 3_2_0043E3E0, 3_2_00453380, 3_2_00446470, 3_2_00476400, 3_2_0049641B, 3_2_0040E430, 3_2_004064CA, 3_2_004304E0, 3_2_004954A2, 3_2_00445540, 3_2_00457540, 3_2_0043D500, 3_2_0047A52C, 3_2_00433530, 3_2_0049C58C, 3_2_00444650, 3_2_00453650, 3_2_0048A660, 3_2_00446610, 3_2_00450630, 3_2_004946C9, 3_2_00457780, 3_2_00446820, 3_2_00443830, 3_2_004468A9, 3_2_00444910, 3_2_00445A50, 3_2_00423A60, 3_2_00447A10, 3_2_00493ACF, 3_2_00494AFB, 3_2_00443B00, 3_2_00441BC0, 3_2_00424B90, 3_2_00444C60, 3_2_00445C00, 3_2_0041DC80, 3_2_0040CDC0, 3_2_00494DFB, 3_2_00424DA7, 3_2_0048EDA4, 3_2_00445E00, 3_2_0047FE3E, 3_2_0048EEC8, 3_2_00442E89, 3_2_00422F60, 3_2_00424F60, 3_2_0043FF60, 3_2_0048DF21, 3_2_00441F90
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 004759CC appears 122 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00424460 appears 298 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00426FD0 appears 70 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0041EE10 appears 102 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 004048C0 appears 74 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00424430 appears 50 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00405100 appears 54 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00473A00 appears 810 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0041F000 appears 326 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0047923F appears 42 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0042AB40 appears 58 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00422450 appears 354 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0047CAAE appears 58 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00473A3D appears 132 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00477606 appears 42 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00421100 appears 66 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00401040 appears 38 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0047A4E0 appears 134 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00434C80 appears 78 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0041F090 appears 324 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00420DE0 appears 46 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0047402E appears 36 times
Classification label
Source: classification engine | Classification label: clean7.winEXE@6/3@0/0
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
Reads software policies
Source: C:\Users\user\Desktop\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
Source: wget.exe | String found in binary or memory: -h, --help print this help.
Source: wget.exe | String found in binary or memory: -h, --help print this help.
Source: wget.exe | String found in binary or memory: bind-address
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: set-addPolicy
Source: wget.exe | String found in binary or memory: --bind-address=ADDRESS bind to ADDRESS (hostname or IP) on local host.
Source: wget.exe | String found in binary or memory: id-cmc-addExtensions
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: -h, --help print this help.
Source: wget.exe | String found in binary or memory: -h, --help print this help.
Source: wget.exe | String found in binary or memory: bind-address
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: set-addPolicy
Source: wget.exe | String found in binary or memory: --bind-address=ADDRESS bind to ADDRESS (hostname or IP) on local host.
Source: wget.exe | String found in binary or memory: id-cmc-addExtensions
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\wget.exe 'C:\Users\user\Desktop\wget.exe' -install
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\Desktop\wget.exe 'C:\Users\user\Desktop\wget.exe' /install
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\Desktop\wget.exe 'C:\Users\user\Desktop\wget.exe' /load
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00479999 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00479999
PE file contains sections with non-standard names
Source: wget.exe | Static PE information: section name: UPX2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047A51B push ecx; ret 0_2_0047A52B
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00473A00 push eax; ret 0_2_00473A14
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00473A00 push eax; ret 0_2_00473A3C
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_0047A51B push ecx; ret 3_2_0047A52B
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_00473A00 push eax; ret 3_2_00473A14
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_00473A00 push eax; ret 3_2_00473A3C
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0041FDB0 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,0_2_0041FDB0

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00490083 rdtsc 0_2_00490083
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\wget.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-69261
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\wget.exe | API coverage: 8.0 %
Source: C:\Users\user\Desktop\wget.exe | API coverage: 7.5 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00475634 FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_00475634
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047DA7E FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_0047DA7E
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_00475634 FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,3_2_00475634
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_0047DA7E FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,3_2_0047DA7E
Contains functionality to query system information
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047F42E VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,0_2_0047F42E
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wget.exe, 00000005.00000002.4602168771.0000000000850000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00490083 rdtsc 0_2_00490083
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00479999 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00479999

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,EnumSystemLocalesA,0_2_0047D1C1
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,0_2_0047D1F8
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,EnumSystemLocalesA,0_2_0047D27E
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,0_2_0047D2D3
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,0_2_0048263D
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,0_2_00483C9C
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,_strncpy,0_2_0047CCA2
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,0_2_00483D58
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,0_2_00483DCC
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,0_2_00483E7F
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,EnumSystemLocalesA,3_2_0047D1C1
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,3_2_0047D1F8
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,EnumSystemLocalesA,3_2_0047D27E
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,3_2_0047D2D3
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,3_2_0048263D
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,3_2_00483C9C
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,_strncpy,3_2_0047CCA2
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,3_2_00483D58
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,3_2_00483DCC
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,3_2_00483E7F
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00490000 cpuid 0_2_00490000
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00481431 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter,0_2_00481431
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00478BA8 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,0_2_00478BA8
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00477F6E GetVersionExA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,0_2_00477F6E

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0041D6B0 bind,WSAGetLastError,0_2_0041D6B0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0041D710 listen,WSAGetLastError,0_2_0041D710
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_0041D6B0 bind,WSAGetLastError,3_2_0041D6B0
Source: C:\Users\user\Desktop\wget.exe | Code function: 3_2_0041D710 listen,WSAGetLastError,3_2_0041D710

Behavior Graph

Behavior Graph ID: 193295
Sample: wget.exe
Startdate: 03/12/2019
Architecture: WINDOWS
Score: 7
Process tree recovered from the graph: the sample started three wget.exe processes, and each wget.exe process started one conhost.exe.

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
wget.exe | 1% | Virustotal |
wget.exe | 0% | Metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
5.0.wget.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.wget.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.wget.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.wget.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.wget.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.wget.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://upx.tsx.org | 0% | Virustotal |
http://upx.tsx.org | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
