
Analysis Report P3ccqv3djN.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 207476
Start date: 11.02.2020
Start time: 16:07:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: P3ccqv3djN.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Run as Windows Service
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.rans.troj.evad.winEXE@35/5@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 92.5%)
  • Quality average: 78.5%
  • Quality standard deviation: 31.1%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 68 (range 0 - 100)
Whitelisted: false
Threat: RobbinHood
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further analysis required?: false


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample is a service DLL but no service has been registered



MITRE ATT&CK Matrix

Techniques with a number in parentheses were matched by that many signatures; the remaining entries are the unmatched cells of the matrix as rendered by the sandbox.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Windows Management Instrumentation (1); Service Execution (13); Execution through API (2); Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Modify Existing Service (12); Application Shimming (1); New Service (4); System Firmware; Shortcut Modification; Path Interception
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); Application Shimming (1); New Service (4); File System Permissions Weakness; Scheduled Task
Defense Evasion: Disabling Security Tools (1); Software Packing (11); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery (1); Process Discovery (1); Security Software Discovery (41); Remote System Discovery (1); System Service Discovery (1); System Network Configuration Discovery (1); System Information Discovery (23)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: P3ccqv3djN.exe | Virustotal: Detection: 68%
Machine Learning detection for sample
Source: P3ccqv3djN.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.P3ccqv3djN.exe.b80000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 1.1.1.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown

Spam, unwanted Advertisements and Ransom Demands:

Yara detected RobbinHood ransomware
Source: Yara match | File source: 00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: P3ccqv3djN.exe PID: 5964, type: MEMORY
Source: Yara match | File source: 7.2.P3ccqv3djN.exe.b80000.0.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83AB0: DeviceIoControl,7_2_00B83AB0
Contains functionality to delete services
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B86EC0 RegisterServiceCtrlHandlerW,SetServiceStatus,SetServiceStatus,CreateEventW,SetServiceStatus,SetServiceStatus,SetEvent,OpenSCManagerW,OpenServiceW,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle,WaitForSingleObject,WaitForSingleObject,SetServiceStatus,FindCloseChangeNotification,SetServiceStatus,7_2_00B86EC0
Detected potential crypto function
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8DC18
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B910FA
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9F079
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BA1047
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9624F
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B973C5
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9EB07
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B96B5B
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B88C70
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9FD93
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9F5EB
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9AE94
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83E80
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B96F90
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B96743
Note: 7_2_00B8DC18 is listed again below under "Extensive use of GetProcAddress" with a C runtime start-up chain (__initp_misc_winsig), and 7_2_00B83E80 is the process-enumeration routine listed under "Contains functionality to enum processes or threads", so not every hit of this heuristic is cryptographic code.
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: String function: 00B8DF60 appears 43 times
Classification label
Source: classification engine | Classification label: mal68.rans.troj.evad.winEXE@35/5@0/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B87410 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,7_2_00B87410
Contains functionality to create services
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: OpenSCManagerW,GetModuleFileNameW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,7_2_00B870A0
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: CreateFileW,OpenSCManagerW,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,OpenServiceA,StartServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateFileW,7_2_00B82960
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83E80 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Sleep,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,_memmove,_memmove,Process32NextW,CloseHandle,Sleep,7_2_00B83E80
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW,7_2_00B871B0
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW,7_2_00B871B0
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6092:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:908:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6020:120:WilError_01
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "P3ccqv3djN.exe")
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "P3ccqv3djN.exe")
Reads software policies
Source: C:\Windows\SysWOW64\sc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: P3ccqv3djN.exe | Virustotal: Detection: 68%
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' >> C:\servicereg.log 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start juTze >> C:\servicestart.log 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc start juTze
Source: unknown | Process created: C:\Users\user\Desktop\P3ccqv3djN.exe C:\Users\user\Desktop\P3ccqv3djN.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Windows\temp\Runtime_Service.exe' & sc delete WindowsDeviceACL
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL
Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start juTze
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Windows\temp\Runtime_Service.exe' & sc delete WindowsDeviceACL
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
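The process list above is the whole execution chain in one place: the cookbook registers a service named juTze whose binary sits on the user's desktop and starts it; the service process then spawns cmd.exe lines that delete the service, sleep via ping, kill the sample's image and delete the file, plus a second line that deletes C:\Windows\temp\Runtime_Service.exe and a service named WindowsDeviceACL (nothing in this report shows either being created). The block below is an added example and is not part of the Joe Sandbox report: Python detection logic that tags each of these command lines from Sysmon-style process-creation events and correlates sc.exe verbs per service name. The events are constructed to mirror the list above; the PIDs, parent images and the benign control line are made up.

```python
"""Flag the service-install / ping-sleep / self-delete process chain from the
'Spawns processes' list in Sysmon-style process-creation events."""
import re
from collections import defaultdict

# (tag, pattern) over the full command line. Each one alone is weak evidence;
# the combinations checked below are what separate this chain from admin activity.
RULES = [
    # sc.exe registering a service whose binary lives under a user-writable path
    ("sc_create_user_writable", re.compile(
        r"\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=\s*['\"]?[A-Za-z]:\\(?:Users|Windows\\Temp|ProgramData)\\", re.I)),
    ("sc_delete", re.compile(r"\bsc(?:\.exe)?\s+delete\s+\S+", re.I)),
    # ping with a count and a timeout, used as a sleep before the next command
    ("ping_sleep", re.compile(r"\bping(?:\.exe)?\s+\S+\s+-n\s+\d+\s+-w\s+\d+", re.I)),
    ("taskkill_image", re.compile(r"\btaskkill(?:\.exe)?\s+/f\s+/im\s+\S+", re.I)),
    ("del_executable", re.compile(r"\bdel\s+/f\s+/q\s+['\"]?[^'\"&]+?\.exe", re.I)),
]
SC_VERB_RE = re.compile(r"\bsc(?:\.exe)?\s+(create|start|delete)\s+(\S+)", re.I)


def tag_cmdline(cmdline: str) -> set:
    """All rule tags that fire on one command line."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}


def is_self_delete_chain(cmdline: str) -> bool:
    """One cmd.exe line that sleeps via ping and then deletes an .exe: the
    'wait until my own process has exited, then remove the binary' idiom."""
    tags = tag_cmdline(cmdline)
    return "ping_sleep" in tags and "del_executable" in tags


def analyze(events):
    """events: iterable of (pid, parent_image, image, command_line).
    Returns one finding per event that matched at least one rule."""
    findings = []
    for pid, parent, image, cmdline in events:
        tags = tag_cmdline(cmdline)
        if not tags:
            continue
        high = is_self_delete_chain(cmdline) or "sc_create_user_writable" in tags
        findings.append({"pid": pid, "parent": parent, "image": image,
                         "tags": tags, "severity": "high" if high else "low"})
    return findings


def service_lifecycle(events) -> dict:
    """Map service name -> set of sc.exe verbs seen for it across the trace."""
    verbs = defaultdict(set)
    for _pid, _parent, _image, cmdline in events:
        for m in SC_VERB_RE.finditer(cmdline):
            verbs[m.group(2)].add(m.group(1).lower())
    return dict(verbs)


def short_lived_services(events) -> list:
    """Services both created and deleted inside the same trace: the install-run-remove
    pattern the sandbox observed (the service exists only to launch the payload)."""
    return sorted(name for name, v in service_lifecycle(events).items() if {"create", "delete"} <= v)


# Constructed events modelled on the report's process list (PIDs and parents are made up).
EVENTS = [
    (100, "explorer.exe", "cmd.exe", r"cmd /c sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' >> C:\servicereg.log 2>&1"),
    (101, "cmd.exe", "sc.exe", r"sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'"),
    (102, "explorer.exe", "cmd.exe", r"cmd /c sc start juTze >> C:\servicestart.log 2>&1"),
    (103, "cmd.exe", "sc.exe", r"sc start juTze"),
    (104, "services.exe", "P3ccqv3djN.exe", r"C:\Users\user\Desktop\P3ccqv3djN.exe"),
    (105, "P3ccqv3djN.exe", "cmd.exe", r"C:\Windows\system32\cmd.exe /c sc delete juTze"),
    (106, "P3ccqv3djN.exe", "cmd.exe", r"cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'"),
    (107, "P3ccqv3djN.exe", "cmd.exe", r"cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Windows\temp\Runtime_Service.exe' & sc delete WindowsDeviceACL"),
    (108, "svchost.exe", "cmd.exe", r"cmd /c ping 8.8.8.8 -n 4"),   # ordinary ping, must not fire
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['severity']:4} pid={f['pid']} {f['parent']} -> {f['image']}: {sorted(f['tags'])}")
    print("services created and deleted in-trace:", short_lived_services(EVENTS))
```

Each tag on its own is weak (administrators run sc create and ping -n too); what is worth alerting on is a cmd.exe child of a non-shell parent whose single command line both sleeps and deletes an executable, or a service created from a user-writable path and deleted again within the same trace. Both conditions hold here even though, as the Sigma section below records, no stock Sigma rule matched this run.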
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: P3ccqv3djN.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Mikhail\Desktop\Robnhold\Win7Release\Robbnhold.pdbFH | source: P3ccqv3djN.exe, 00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Mikhail\Desktop\Robnhold\Win7Release\Robbnhold.pdb | source: P3ccqv3djN.exe
Source: Binary string: 3gL)+.pdb | source: P3ccqv3djN.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83290 LoadLibraryW,GetProcAddress,_memset,FreeLibrary,GetCurrentProcessId,GetCurrentProcess,GetCurrentProcess,IsWow64Process,IsWow64Process,GetCurrentProcess,IsWow64Process,CreateFileW,Sleep,CreateFileW,Sleep,7_2_00B83290
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8DFA5 push ecx; ret 7_2_00B8DFB8
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
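The UPX verdict above and the "modern PE file flags" entry under System Summary (TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT) are both read straight out of the PE headers: the section table and the DllCharacteristics field of the optional header. The following Python is an added example that is not part of the report: a minimal PE header parser that reports those two fields, the UPX section-name heuristic, and a scan for embedded .pdb paths like the Robbnhold.pdb string the report found. It runs against a constructed, non-executable header that stands in for the sample (the real file is not reproduced here); the section sizes and the overlay are assumptions.

```python
"""Parse enough of a PE image to report DllCharacteristics flags and section names,
then apply the same static heuristics the sandbox used (UPX sections, mitigation
flags) plus a scan for embedded PDB paths."""
import re
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# absolute Windows path ending in .pdb, as left by CodeView debug records or plain strings
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,260}?\.pdb")


def parse_pe(data: bytes) -> dict:
    """Return DllCharacteristics flag names and section headers of a PE image.
    Only the fields needed here are decoded; offsets follow the documented PE layout."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    flags = sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit)
    return {"pe32plus": magic == 0x20B, "dll_characteristics": flags, "sections": sections}


def looks_upx_packed(info: dict) -> bool:
    """UPX leaves its section names in place unless deliberately renamed; UPX0 is
    normally an all-virtual region (raw_size == 0) that the stub unpacks into."""
    return any(s["name"] in UPX_SECTION_NAMES for s in info["sections"])


def find_pdb_paths(data: bytes) -> list:
    """PDB paths left in the binary; a cheap attribution and clustering pivot."""
    return [m.group(0).decode("ascii", "replace") for m in PDB_PATH_RE.finditer(data)]


def build_sample_pe(sections, dllchars: int, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE32 image for exercising the parser.
    sections: iterable of (name: bytes, virtual_size, raw_size)."""
    e_lfanew = 0x80
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    sections = list(sections)
    opt_size = 224                            # PE32: 96 fixed bytes + 16 data directories of 8 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rawsize) in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs + overlay


# Constructed stand-in for the sample: UPX sections, the three flags the report lists,
# and the PDB path string the report found. Not the real file; sizes are invented.
SAMPLE_PE = build_sample_pe(
    [(b"UPX0", 0x20000, 0), (b"UPX1", 0x8000, 0x7E00), (b".rsrc", 0x1000, 0x600)],
    0x8000 | 0x0040 | 0x0100,
    overlay=b"\0" * 16 + rb"C:\Users\Mikhail\Desktop\Robnhold\Win7Release\Robbnhold.pdb" + b"\0")

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    print("sections:", [s["name"] for s in info["sections"]])
    print("UPX packed:", looks_upx_packed(info))
    print("PDB paths:", find_pdb_paths(SAMPLE_PE))
```

DYNAMIC_BASE and NX_COMPAT have been the Microsoft linker's defaults for years, so the "modern PE flags" signature is informational rather than suspicious. The UPX names are a strong hint only when present, since a packer can rename sections; the real confirmation is the unpacked image (7.2.P3ccqv3djN.exe.b80000.0.unpack) that both the Yara rule and Avira matched.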

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW,7_2_00B871B0
Uses sc.exe to modify the status of services
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8DC18 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_00B8DC18
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 (3 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 (3 occurrences)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BCF0E8 rdtsc 7_2_00BCF0E8
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,7_2_00B830F0
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_7-16950)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 occurrences)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: all four strings were found in the memory of sc.exe, a Windows system binary, not in the sample, so they are not evidence that the sample fingerprints the virtual machine.
Program exit points
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | API call chain: ExitProcess graph end node (graph_7-16951)

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BCF0E8 rdtsc 7_2_00BCF0E8
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9C827 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,7_2_00B9C827
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9C827 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,7_2_00B9C827
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83290 LoadLibraryW,GetProcAddress,_memset,FreeLibrary,GetCurrentProcessId,GetCurrentProcess,GetCurrentProcess,IsWow64Process,IsWow64Process,GetCurrentProcess,IsWow64Process,CreateFileW,Sleep,CreateFileW,Sleep,7_2_00B83290
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BA0DF2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,7_2_00BA0DF2
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug (2 occurrences)
Note: this hit is taskkill.exe acquiring the debug privilege as part of taskkill /f, not the sample; the sample's own AdjustTokenPrivileges routine is 7_2_00B87410, listed under System Summary.
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B90CEA SetUnhandledExceptionFilter,7_2_00B90CEA
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B90D1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00B90D1B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start juTze
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe (2 occurrences)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,7_2_00B98145
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,7_2_00B988C5
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_00B98818
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInf
oW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,7_2_00B9892F
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: EnumSystemLocalesW,7_2_00B983B9
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,7_2_00B983F9
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,7_2_00B9BC83
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,7_2_00B984F9
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: EnumSystemLocalesW,7_2_00B98CD4
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,7_2_00B98476
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: GetLocaleInfoW,7_2_00B98D11
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,7_2_00B986EE
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,7_2_00B90785
Note: these are the C runtime's locale initialisation helpers (the _Get..., __crt... names), present in any MSVC-built binary, so this signature says nothing specific about the sample.
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8B334 cpuid 7_2_00B8B334
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B92CCD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00B92CCD

Malware Configuration

No configs have been found

Behavior Graph

(The interactive graph did not survive extraction. Recoverable information: Behavior Graph ID 207476, sample P3ccqv3djN.exe, start date 11/02/2020, architecture WINDOWS, score 68. Signatures shown on the graph: Multi AV Scanner detection for submitted file; Yara detected RobbinHood ransomware; Uses ping.exe to sleep; 2 other signatures. Process tree as drawn: two cmd.exe instances each spawn conhost.exe and sc.exe; P3ccqv3djN.exe spawns four cmd.exe instances, whose children are taskkill.exe, conhost.exe, PING.EXE and sc.exe; PING.EXE contacts 1.1.1.1, ASN unknown, Australia.)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
P3ccqv3djN.exe | 69% | Virustotal
P3ccqv3djN.exe | 100% | Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.0.P3ccqv3djN.exe.b80000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2
7.2.P3ccqv3djN.exe.b80000.0.unpack | 100% | Avira | HEUR/AGEN.1004669

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp | JoeSecurity_robbinhood_1 | Yara detected RobbinHood ransomware | Joe Security
Process Memory Space: P3ccqv3djN.exe PID: 5964 | JoeSecurity_robbinhood_1 | Yara detected RobbinHood ransomware | Joe Security

Unpacked PEs

Source | Rule | Description | Author
7.2.P3ccqv3djN.exe.b80000.0.unpack | JoeSecurity_robbinhood_1 | Yara detected RobbinHood ransomware | Joe Security

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
1.1.1.1 | QQ9.0.1.exe | malicious | url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload

Domains

No context

ASN

Match: unknown

Associated Sample Name / URL | Detection | Context
https://us4.mailchimp.com/mctx/clicks?url=https%3A%2F%2F400v.hu%2Fauswq&h=e3d33ca31b19a74aa3d01656e09f5748f9102aa4d3541b1766a0f79ea1d26259&v=1&xid=ccc48b60c6&uid=131832774&pool=&subject=?0096#vocerait@vocera.com# | malicious | 85.255.15.230
ted123189437062.msi | malicious | 5.57.226.202
Proforma_Invoice_10022020_pdf.js | malicious | 104.20.67.143
007445106158089202000.msi | malicious | 179.188.11.44
http://i.yldbt.com | malicious | 195.22.26.248
9PYyydaKR8.exe | malicious | 35.244.218.203
P3ccqv3djN.exe | malicious | 1.1.1.1
P3ccqv3djN.exe | malicious | 1.1.1.1
http://customlanyardscanada.com/js/mage/time.js | malicious | 149.56.79.161
Scan_document_098764.exe | malicious | 172.217.23.193
info_02_11.doc | malicious | 83.166.241.212
https://motogp.com/en/set-cookie?value=flash&name=user_player&expire=1554118386&domain=.motogp.com&path=%2F&redirect=https%3A%2F%2Ftpmr.com%2Fi%2F70695%23j.brtest@mytest.eu&pid=1297435 | malicious | 152.199.23.37
info_02_11.doc | malicious | 91.215.169.39
https://firebasestorage.googleapis.com/v0/b/user7648467.appspot.com/o/index.html?alt=media&token=6c5bd7b5-6f17-47a2-a4a4-cb9b4ff54e31#danny.pollenus@baloise.be | malicious | 192.229.221.185
SWIFT_COPY MT103.exe | malicious | 172.217.23.193
http://url2957.hypertronium.com/ls/click?upn=pOhPS6QVHJwTWLCpCHjnQNTZyenZ5XhaCw2bwuv4svf5jBm8t2FSgJ7vTQ0ZThnXBpX-2BOlZBUgqaxDW-2BSiQ1nWPGFccoTBoWlmptN8llsW0-3Dg4uo_hv22ibrrJ9kDF6bQW3Kle-2Bss8ua3i0q-2BMFLW3QTO86g7TtiwHxFrj-2FdreIrKpxOPHy8EQcnogWe8-2F6zIWZRnx67RxtJJxL1e29wLWyH0gv1dBmjXXlJSSfHbJhgefIRItiDboJ9uyudzZiEMZuC5xCh1PX-2FcBwncaklYCT-2B1sk7ixV5aH-2BpCL0tvZoSZjkOIJooN4QQIgqXYIONfLpghfQk06n-2BD5lRf4yB9q8lLPJt-2BkFA6jaooPc0OjXnplxMegHcl-2FR4T4Pu4B8i22Jo7t-2FF-2BgirJVl-2F3e0EelBHl-2BepJ9LXpIb1-2FrKDf3BQT8-2BEMItV3gtMvKrZfwQh-2FRVgYnVkzFiUBU4pY1VAfKZQJMAcchW-2B6HzOsG-2B-2B4sruW3ERdXJSP8D4G6l55awiMuC5hbPAKqMjoKa5vyl2metDj89F5N5f3CWZsLM75DJphDP7IfpSTHlY8GKn6ta6KPOk9mHgfO-2FwINJAyooywG8tSh8RdlhRoeo79-2FyVkdq8EzLiWGUunUPCx1W3aSXJE4atQGbA4I95C0oGhc0CbGHn1baJtS2bCfCn-2FSYhMc3eoI0fLZ0hJ-2BKTA6dj2wKQuD9AEETAP-2FAD1xa2pyDcCdpPEK0ryoT7BW-2Ben7tvQ2oy7A3-2BJ | malicious | 153.120.181.198
info_02_11.doc | malicious | 45.141.103.204
Dhlwblah.exe | malicious | 185.244.30.125
FortiClientOnlineInstaller_6.0.exe | malicious | 173.243.138.107
hzukYWh4Nt.exe | malicious | 52.215.31.191

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots