Loading ...

Play interactive tourEdit tour

Analysis Report https://drive.google.com/uc?id=1SGw0OecfYuWlMGsGemHAxzxZaV8cC-bb&export=download

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:208483
Start date:14.02.2020
Start time:16:24:18
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 44s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://drive.google.com/uc?id=1SGw0OecfYuWlMGsGemHAxzxZaV8cC-bb&export=download
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean4.win@10/13@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 104.92.14.129, 172.217.23.206, 40.90.23.208, 40.90.137.120, 40.90.137.124, 93.184.220.29, 51.143.111.7, 152.199.19.161, 40.90.137.126, 40.90.23.154, 51.105.249.228
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, client.wns.windows.com, cs9.wac.phicdn.net, lgin.msa.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, ie9comview.vo.msecnd.net, wns.notify.windows.com.akadns.net, login.msa.msidentity.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, ocsp.digicert.com, login.live.com, emea1.notify.windows.com.akadns.net, go.microsoft.com.edgekey.net, drive.google.com, fe-bl02p-msa.trafficmanager.net, watson.telemetry.microsoft.com, cs9.wpc.v0cdn.net

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold40 - 100falseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold00 - 5true
ConfidenceConfidence


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample crashes during execution, try analyze it on another analysis machine
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsCommand-Line Interface2Winlogon Helper DLLProcess Injection11Masquerading11Input Capture1Virtualization/Sandbox Evasion2Application Deployment SoftwareInput Capture1Data CompressedStandard Cryptographic Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaExploitation for Client Execution1Port MonitorsAccessibility FeaturesDisabling Security Tools1Network SniffingSecurity Software Discovery2Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionModify Registry1Input CaptureRemote System Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingVirtualization/Sandbox Evasion2Credentials in FilesFile and Directory Discovery1Logon ScriptsInput CaptureData EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessProcess Injection11Account ManipulationSystem Information Discovery12Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceDLL Side-Loading1Brute ForceSystem Owner/User DiscoveryThird-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features

Signature Overview

Click to jump to signature section


Software Vulnerabilities:

barindex
Potential browser exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\SysWOW64\unarchiver.exeJump to behavior

Networking:

barindex
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: doc-0o-10-docs.googleusercontent.com
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)Show sources
Source: unarchiver.exeBinary or memory string: "<HOOK MODULE='DDRAW.DLL' FUNCTION='DirectDrawCreateEx'/>"

System Summary:

barindex
Creates files inside the system directoryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile created: C:\Windows\AppCompat\Programs\Amcache.hve.tmpJump to behavior
One or more processes crashShow sources
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 952
Tries to load missing DLLsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: phoneinfo.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: clean4.win@10/13@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_01
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF87BAEB54BCC5C83B.TMPJump to behavior
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\unarchiver.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample might require command line argumentsShow sources
Source: 7za.exeString found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0
Source: unarchiver.exeString found in binary or memory: -install
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:388 CREDAT:17410 /prefetch:2
Source: unknownProcess created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\my_attach_j0f_009855.zip'
Source: unknownProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ez1i1u0t.mdh' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\my_attach_j0f_009855.zip'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 952
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:388 CREDAT:17410 /prefetch:2Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\my_attach_j0f_009855.zip'Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ez1i1u0t.mdh' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\my_attach_j0f_009855.zip'Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 952Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\unarchiver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Uses Microsoft SilverlightShow sources
Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: symbols\dll\System.pdb source: unarchiver.exe
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: unarchiver.exe
Source: Binary string: C:\Windows\dll\System.pdb source: unarchiver.exe
Source: Binary string: rity\projects\Joebox\publicsvn\trunk\src\windows\usermode\unarchiver\unarchiver\obj\Debug\unarchiver.pdb source: unarchiver.exe
Source: Binary string: C:\Windows\assembly\GA.pdb source: unarchiver.exe
Source: Binary string: em.pdb source: unarchiver.exe
Source: Binary string: \??\C:\Windows\System.pdb source: unarchiver.exe
Source: Binary string: b.pdb source: unarchiver.exe
Source: Binary string: \??\C:\Windows\exe\unarchiver.pdb source: unarchiver.exe
Source: Binary string: m\2.0.0.0__b77a5c561934e089\System.pdb source: unarchiver.exe
Source: Binary string: System.pdb source: unarchiver.exe
Source: Binary string: tem.pdb source: unarchiver.exe
Source: Binary string: mscorrc.pdb source: unarchiver.exe
Source: Binary string: \??\C:\Windows\dll\System.pdb source: unarchiver.exe
Source: Binary string: \??\C:\Windows\SysWOW64\unarchiver.pdb source: unarchiver.exe
Source: Binary string: indows\System.pdb source: unarchiver.exe
Source: Binary string: " C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb" source: unarchiver.exe
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: unarchiver.exe
Source: Binary string: hiver.pdb source: unarchiver.exe
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: unarchiver.exe
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: unarchiver.exe
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: unarchiver.exe
Source: Binary string: C:\Windows\System.pdb source: unarchiver.exe
Source: Binary string: ymbols\exe\unarchiver.pdb source: unarchiver.exe

Hooking and other Techniques for Hiding and Protection:

barindex
Stores large binary data to the registryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicketJump to behavior
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Queries disk information (often used to detect virtual machines)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile opened: PhysicalDrive0Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debuggedShow sources
Source: C:\Windows\SysWOW64\unarchiver.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess queried: DebugPortJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ez1i1u0t.mdh' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\my_attach_j0f_009855.zip'Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 952Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\SysWOW64\unarchiver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 208483 URL: https://drive.google.com/uc... Startdate: 14/02/2020 Architecture: WINDOWS Score: 4 7 iexplore.exe 9 68 2->7         started        process3 9 unarchiver.exe 5 7->9         started        11 iexplore.exe 27 7->11         started        dnsIp4 14 7za.exe 2 9->14         started        16 dw20.exe 28 7 9->16         started        20 googlehosted.l.googleusercontent.com 172.217.23.193, 443, 49791, 49792 unknown United States 11->20 22 doc-0o-10-docs.googleusercontent.com 11->22 process5 process6 18 conhost.exe 14->18         started       

Simulations

Behavior and APIs

TimeTypeDescription
16:26:00API Interceptor1x Sleep call for process: dw20.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.