Play interactive tour

Edit tour

Analysis Report P3ccqv3djN.exe

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	207476
Start date:	11.02.2020
Start time:	16:07:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	P3ccqv3djN.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name:	Run as Windows Service
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.rans.troj.evad.winEXE@35/5@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 92.5%) Quality average: 78.5% Quality standard deviation: 31.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	68	0 - 100		false	RobbinHood

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service

Sample is a service DLL but no service has been registered

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Modify Existing Service12	Access Token Manipulation1	Disabling Security Tools1	Credential Dumping	System Time Discovery1	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Cryptographic Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Service Execution13	Application Shimming1	Process Injection11	Software Packing11	Network Sniffing	Process Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Fallback Channels	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Execution through API2	New Service4	Application Shimming1	Access Token Manipulation1	Input Capture	Security Software Discovery41	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Scheduled Task	System Firmware	New Service4	Process Injection11	Credentials in Files	Remote System Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Deobfuscate/Decode Files or Information1	Account Manipulation	System Service Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Spearphishing Link	Graphical User Interface	Modify Existing Service	New Service	Obfuscated Files or Information21	Brute Force	System Network Configuration Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Jamming or Denial of Service		Abuse Accessibility Features
Spearphishing Attachment	Scripting	Path Interception	Scheduled Task	Software Packing	Two-Factor Authentication Interception	System Information Discovery23	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: P3ccqv3djN.exe

Virustotal: Detection: 68%

Perma Link

Machine Learning detection for sample

Show sources

Source: P3ccqv3djN.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 7.0.P3ccqv3djN.exe.b80000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen2

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 1.1.1.1 1.1.1.1

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: unknown unknown

Spam, unwanted Advertisements and Ransom Demands:

Yara detected RobbinHood ransomware

Show sources

Source: Yara match	File source: 00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P3ccqv3djN.exe PID: 5964, type: MEMORY
Source: Yara match	File source: 7.2.P3ccqv3djN.exe.b80000.0.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to communicate with device drivers

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B83AB0: DeviceIoControl,

7_2_00B83AB0

Contains functionality to delete services

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B86EC0 RegisterServiceCtrlHandlerW,SetServiceStatus,SetServiceStatus,CreateEventW,SetServiceStatus,SetServiceStatus,SetEvent,OpenSCManagerW,OpenServiceW,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle,WaitForSingleObject,WaitForSingleObject,SetServiceStatus,FindCloseChangeNotification,SetServiceStatus,

7_2_00B86EC0

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B8DC18	7_2_00B8DC18
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B910FA	7_2_00B910FA
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B9F079	7_2_00B9F079
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00BA1047	7_2_00BA1047
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B9624F	7_2_00B9624F
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B973C5	7_2_00B973C5
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B9EB07	7_2_00B9EB07
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B96B5B	7_2_00B96B5B
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B88C70	7_2_00B88C70
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B9FD93	7_2_00B9FD93
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B9F5EB	7_2_00B9F5EB
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B9AE94	7_2_00B9AE94
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B83E80	7_2_00B83E80
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B96F90	7_2_00B96F90
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B96743	7_2_00B96743

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: String function: 00B8DF60 appears 43 times

Classification label

Show sources

Source: classification engine

Classification label: mal68.rans.troj.evad.winEXE@35/5@0/1

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B87410 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,

7_2_00B87410

Contains functionality to create services

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: OpenSCManagerW,GetModuleFileNameW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,		7_2_00B870A0
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: CreateFileW,OpenSCManagerW,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,OpenServiceA,StartServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateFileW,		7_2_00B82960

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B83E80 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Sleep,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,_memmove,_memmove,Process32NextW,CloseHandle,Sleep,

7_2_00B83E80

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW,

7_2_00B871B0

Contains functionality to register a service control handler (likely the sample is a service DLL)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW,

7_2_00B871B0

Creates mutexes

Show sources

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6092:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6020:120:WilError_01

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "P3ccqv3djN.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "P3ccqv3djN.exe")

Reads software policies

Show sources

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: P3ccqv3djN.exe

Virustotal: Detection: 68%

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' >> C:\servicereg.log 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start juTze >> C:\servicestart.log 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\sc.exe sc start juTze
Source: unknown	Process created: C:\Users\user\Desktop\P3ccqv3djN.exe C:\Users\user\Desktop\P3ccqv3djN.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Windows\temp\Runtime_Service.exe' & sc delete WindowsDeviceACL
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown	Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL
Source: unknown	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start juTze	Jump to behavior
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze	Jump to behavior
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'	Jump to behavior
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Windows\temp\Runtime_Service.exe' & sc delete WindowsDeviceACL	Jump to behavior
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe	Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: P3ccqv3djN.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Mikhail\Desktop\Robnhold\Win7Release\Robbnhold.pdbFH source: P3ccqv3djN.exe, 00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Mikhail\Desktop\Robnhold\Win7Release\Robbnhold.pdb source: P3ccqv3djN.exe
Source:	Binary string: 3gL)+.pdb source: P3ccqv3djN.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B83290 LoadLibraryW,GetProcAddress,_memset,FreeLibrary,GetCurrentProcessId,GetCurrentProcess,GetCurrentProcess,IsWow64Process,IsWow64Process,GetCurrentProcess,IsWow64Process,CreateFileW,Sleep,CreateFileW,Sleep,

7_2_00B83290

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B8DFA5 push ecx; ret

7_2_00B8DFB8

Sample is packed with UPX

Show sources

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Boot Survival:

Contains functionality to start windows services

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW,

7_2_00B871B0

Uses sc.exe to modify the status of services

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B8DC18 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00B8DC18

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00BCF0E8 rdtsc

7_2_00BCF0E8

Contains functionality to enumerate running services

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,

7_2_00B830F0

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_7-16950

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Program exit points

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

API call chain: ExitProcess graph end node

graph_7-16951

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00BCF0E8 rdtsc

7_2_00BCF0E8

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B9C827 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

7_2_00B9C827

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

7_2_00B9C827

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

7_2_00B83290

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00BA0DF2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

7_2_00BA0DF2

Enables debug privileges

Show sources

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B90CEA SetUnhandledExceptionFilter,		7_2_00B90CEA
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: 7_2_00B90D1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,		7_2_00B90D1B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start juTze	Jump to behavior
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe	Jump to behavior

Uses taskkill to terminate processes

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe			Jump to behavior

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	7_2_00B98145
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	7_2_00B988C5
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_00B98818
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	7_2_00B9892F
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: EnumSystemLocalesW,	7_2_00B983B9
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	7_2_00B983F9
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_00B9BC83
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	7_2_00B984F9
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: EnumSystemLocalesW,	7_2_00B98CD4
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	7_2_00B98476
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: GetLocaleInfoW,	7_2_00B98D11
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	7_2_00B986EE
Source: C:\Users\user\Desktop\P3ccqv3djN.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	7_2_00B90785

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B8B334 cpuid

7_2_00B8B334

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\P3ccqv3djN.exe

Code function: 7_2_00B92CCD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00B92CCD

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
P3ccqv3djN.exe	69%	Virustotal		Browse
P3ccqv3djN.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.0.P3ccqv3djN.exe.b80000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
7.2.P3ccqv3djN.exe.b80000.0.unpack	100%	Avira	HEUR/AGEN.1004669		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp	JoeSecurity_robbinhood_1	Yara detected RobbinHood ransomware	Joe Security
Process Memory Space: P3ccqv3djN.exe PID: 5964	JoeSecurity_robbinhood_1	Yara detected RobbinHood ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.P3ccqv3djN.exe.b80000.0.unpack	JoeSecurity_robbinhood_1	Yara detected RobbinHood ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
1.1.1.1	QQ9.0.1.exe	Get hash	malicious	Browse	url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	https://us4.mailchimp.com/mctx/clicks?url=https%3A%2F%2F400v.hu%2Fauswq&h=e3d33ca31b19a74aa3d01656e09f5748f9102aa4d3541b1766a0f79ea1d26259&v=1&xid=ccc48b60c6&uid=131832774&pool=&subject=?0096#vocerait@vocera.com#	Get hash	malicious	Browse	85.255.15.230
	ted123189437062.msi	Get hash	malicious	Browse	5.57.226.202
	Proforma_Invoice_10022020_pdf.js	Get hash	malicious	Browse	104.20.67.143
	007445106158089202000.msi	Get hash	malicious	Browse	179.188.11.44
	http://i.yldbt.com	Get hash	malicious	Browse	195.22.26.248
	9PYyydaKR8.exe	Get hash	malicious	Browse	35.244.218.203
	P3ccqv3djN.exe	Get hash	malicious	Browse	1.1.1.1
	P3ccqv3djN.exe	Get hash	malicious	Browse	1.1.1.1
	http://customlanyardscanada.com/js/mage/time.js	Get hash	malicious	Browse	149.56.79.161
	Scan_document_098764.exe	Get hash	malicious	Browse	172.217.23.193
	info_02_11.doc	Get hash	malicious	Browse	83.166.241.212
	https://motogp.com/en/set-cookie?value=flash&name=user_player&expire=1554118386&domain=.motogp.com&path=%2F&redirect=https%3A%2F%2Ftpmr.com%2Fi%2F70695%23j.brtest@mytest.eu&pid=1297435	Get hash	malicious	Browse	152.199.23.37
	info_02_11.doc	Get hash	malicious	Browse	91.215.169.39
	https://firebasestorage.googleapis.com/v0/b/user7648467.appspot.com/o/index.html?alt=media&token=6c5bd7b5-6f17-47a2-a4a4-cb9b4ff54e31#danny.pollenus@baloise.be	Get hash	malicious	Browse	192.229.221.185
	SWIFT_COPY MT103.exe	Get hash	malicious	Browse	172.217.23.193
	http://url2957.hypertronium.com/ls/click?upn=pOhPS6QVHJwTWLCpCHjnQNTZyenZ5XhaCw2bwuv4svf5jBm8t2FSgJ7vTQ0ZThnXBpX-2BOlZBUgqaxDW-2BSiQ1nWPGFccoTBoWlmptN8llsW0-3Dg4uo_hv22ibrrJ9kDF6bQW3Kle-2Bss8ua3i0q-2BMFLW3QTO86g7TtiwHxFrj-2FdreIrKpxOPHy8EQcnogWe8-2F6zIWZRnx67RxtJJxL1e29wLWyH0gv1dBmjXXlJSSfHbJhgefIRItiDboJ9uyudzZiEMZuC5xCh1PX-2FcBwncaklYCT-2B1sk7ixV5aH-2BpCL0tvZoSZjkOIJooN4QQIgqXYIONfLpghfQk06n-2BD5lRf4yB9q8lLPJt-2BkFA6jaooPc0OjXnplxMegHcl-2FR4T4Pu4B8i22Jo7t-2FF-2BgirJVl-2F3e0EelBHl-2BepJ9LXpIb1-2FrKDf3BQT8-2BEMItV3gtMvKrZfwQh-2FRVgYnVkzFiUBU4pY1VAfKZQJMAcchW-2B6HzOsG-2B-2B4sruW3ERdXJSP8D4G6l55awiMuC5hbPAKqMjoKa5vyl2metDj89F5N5f3CWZsLM75DJphDP7IfpSTHlY8GKn6ta6KPOk9mHgfO-2FwINJAyooywG8tSh8RdlhRoeo79-2FyVkdq8EzLiWGUunUPCx1W3aSXJE4atQGbA4I95C0oGhc0CbGHn1baJtS2bCfCn-2FSYhMc3eoI0fLZ0hJ-2BKTA6dj2wKQuD9AEETAP-2FAD1xa2pyDcCdpPEK0ryoT7BW-2Ben7tvQ2oy7A3-2BJ	Get hash	malicious	Browse	153.120.181.198
	info_02_11.doc	Get hash	malicious	Browse	45.141.103.204
	Dhlwblah.exe	Get hash	malicious	Browse	185.244.30.125
	FortiClientOnlineInstaller_6.0.exe	Get hash	malicious	Browse	173.243.138.107
	hzukYWh4Nt.exe	Get hash	malicious	Browse	52.215.31.191

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report P3ccqv3djN.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Malware Configuration

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails