Analysis Report https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg

Overview

General Information

Sample URL: https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg

Most interesting Screenshot:

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 5668 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5716 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: unknown | DNS traffic detected: queries for: m.media-amazon.com
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalCAG2.crt
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalCAG2.crt0
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalCAG2.crl
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalCAG2.crl05
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp, wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalCAG2.crl
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalCAG2.crl0L
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl07
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: http://s.symcb.com/pca3-g5.crl
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: http://s.symcb.com/pca3-g5.crlY
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: http://s.symcd.com
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: http://s.symcd.com0
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: https://d.symcb.com/rpa
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: https://d.symcb.com/rpa0/
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: https://d.symcb.com/rparimary
Source: wget.exe, 00000003.00000002.426212045.0000000000BB0000.00000004.00000020.sdmp, cmdline.out.3.dr | String found in binary or memory: https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg
Source: wget.exe, 00000003.00000002.426258359.00000000011A0000.00000004.00000040.sdmp | String found in binary or memory: https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg#
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg=)
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: https://www.amazon.com
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: https://www.amazon.in
Source: wget.exe, 00000003.00000002.427605241.0000000002B08000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS
Source: wget.exe, 00000003.00000003.425372159.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

Source: classification engine | Classification label: clean0.win@4/2@1/1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://m.media-amazon.com/images/I/51j7fNomU2L._SL160_.jpg'
Source: Window Recorder | Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Graphical User Interface 1 | Winlogon Helper DLL | Process Injection 1 | Masquerading 1 | Credential Dumping | System Information Discovery 12 | Application Deployment Software | Data from Local System | Data Compressed | Standard Cryptographic Protocol 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 1 | Network Sniffing | Remote System Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Behavior Graph

Behavior Graph ID: 242344. URL: https://m.media-amazon.com/... Startdate: 30/06/2020. Architecture: WINDOWS. Score: 0.
Processes: cmd.exe started wget.exe and conhost.exe.
DNS/IP (contacted by wget.exe): media.amazon.map.fastly.net (151.101.1.16, port 443, local port 49713, FASTLYUS, United States); m.media-amazon.com; f.media-amazon.com.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.