Analysis Report
Overview
General Information | |
---|---|
Joe Sandbox Version: | 28.0.0 Lapis Lazuli |
Analysis ID: | 215088 |
Start date: | 12.03.2020 |
Start time: | 18:50:22 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 2m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowscmdlinecookbook.jbs |
Analysis system description: | Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean1.win@2/0@0/0 |
Cookbook Comments: | |
Detection |
---|
Strategy | Score | Range | Reporting | Whitelisted | Detection |
---|---|---|---|---|---|
Threshold | 1 | 0 - 100 | false | | |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 4 | 0 - 5 | false | |
Classification Spiderchart |
---|
Analysis Advice |
---|
Initial sample is implementing a service and should be registered / started as service |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Process Injection1 | Process Injection1 | Credential Dumping | System Service Discovery | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Signature Overview |
---|
System Summary: |
---|
Classification label |
Source: | Classification label: |
Creates mutexes |
Source: | Mutant created: |
Spawns processes |
Source: | Process created: |
Source: | Process created: |
Malware Analysis System Evasion: |
---|
Program does not show much activity (idle) |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Sample execution stops while process was sleeping (likely an evasion) |
Source: | Last function: |
Anti Debugging: |
---|
Program does not show much activity (idle) |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Malware Configuration |
---|
No configs have been found |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
Dropped Files |
---|
No Antivirus matches |
Unpacked PE Files |
---|
No Antivirus matches |
Domains |
---|
No Antivirus matches |
URLs |
---|
No Antivirus matches |
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
PCAP (Network Traffic) |
---|
No yara matches |
Dropped Files |
---|
No yara matches |
Memory Dumps |
---|
No yara matches |
Unpacked PEs |
---|
No yara matches |
Sigma Overview |
---|
No Sigma rule has matched |
Joe Sandbox View / Context |
---|
Startup |
---|
Created / dropped Files |
---|
No created / dropped files found |
Domains and IPs |
---|
Static File Info |
---|
No static file info |
Network Behavior |
---|
No network behavior found |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
Behavior |
---|
System Behavior |
---|
General | |
---|---|
Start time: | 18:52:06 |
Start date: | 12/03/2020 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1200000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General | |
---|---|
Start time: | 18:52:06 |
Start date: | 12/03/2020 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff604130000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|