
Analysis Report icom32.exe

Overview

General Information

Sample Name:icom32.exe
Analysis ID:399805
MD5:d1f66d78808b8cbd18804812f1a457a5
SHA1:c99ee5407d446e9c0647e7749f307762d25e0143
SHA256:7793c2fd34248236e83206fdd01b547436e966bcb6cae21adcbf61550b62daea

Detection

Metasploit
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Entry point lies outside standard sections
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Startup

  • System is w10x64
  • icom32.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\icom32.exe' MD5: D1F66D78808B8CBD18804812F1A457A5)
  • cleanup

Malware Configuration

Threatname: Metasploit

{"Headers": "Accept-Encoding: binary\r\nHost: outlook.office.com\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATM)\r\n", "Type": "Metasploit Download", "URL": "http://adsec.pro/ssl/verify.crl"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp
Rule: JoeSecurity_MetasploitPayload_3
Description: Yara detected Metasploit Payload
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "Accept-Encoding: binary\r\nHost: outlook.office.com\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATM)\r\n", "Type": "Metasploit Download", "URL": "http://adsec.pro/ssl/verify.crl"}
Multi AV Scanner detection for submitted file
Source: icom32.exe | Virustotal: Detection: 56%
Source: icom32.exe | Metadefender: Detection: 29%
Source: icom32.exe | ReversingLabs: Detection: 75%
Source: icom32.exe | Static PE information: 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2032785 ET TROJAN Cobalt Strike Stager Time Check M2 192.168.2.3:49710 -> 172.217.20.14:80
Source: Traffic | Snort IDS: 2032785 ET TROJAN Cobalt Strike Stager Time Check M2 192.168.2.3:49711 -> 172.217.20.14:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://adsec.pro/ssl/verify.crl
Contains functionality to check if Internet connection is working
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_00401010 WSAStartup,WSAGetLastError,gethostbyname,WSACleanup,htons,socket,WSACleanup,connect,send,recv,closesocket,WSACleanup, google.com | 0_2_00401010
Source: Joe Sandbox View | ASN Name: OnlineSASFR OnlineSASFR
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_00401010 WSAStartup,WSAGetLastError,gethostbyname,WSACleanup,htons,socket,WSACleanup,connect,send,recv,closesocket,WSACleanup | 0_2_00401010
Source: unknown | DNS traffic detected: queries for: adsec.pro
Source: icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp | String found in binary or memory: https://adsec.pro/
Source: icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp | String found in binary or memory: https://adsec.pro/ssl/verify.crl
Source: icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp | String found in binary or memory: https://adsec.pro/ssl/verify.crlX
Source: icom32.exe, 00000000.00000002.780513408.000000000046C000.00000004.00000001.sdmp | String found in binary or memory: https://adsec.pro/ssl/verify.crle
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: icom32.exe, 00000000.00000002.780379298.0000000000429000.00000004.00000001.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_007000D7 | 0_2_007000D7
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_007000BA | 0_2_007000BA
Source: icom32.exe, 00000000.00000000.643920569.0000000000411000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameff_dd.exe8 vs icom32.exe
Source: icom32.exe, 00000000.00000002.782887537.00000000029A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs icom32.exe
Source: icom32.exe | Binary or memory string: OriginalFilenameff_dd.exe8 vs icom32.exe
Source: icom32.exe | Static PE information: 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal80.troj.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\icom32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\icom32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\icom32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\icom32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: icom32.exe | Virustotal: Detection: 56%
Source: icom32.exe | Metadefender: Detection: 29%
Source: icom32.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_004092B0 LoadLibraryA,GetProcAddress | 0_2_004092B0
Source: initial sample | Static PE information: section where entry point is pointing to: AUTO
Source: icom32.exe | Static PE information: section name: AUTO
Source: icom32.exe | Static PE information: section name: DGROUP
Source: C:\Users\user\Desktop\icom32.exe TID: 7044 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\icom32.exe | Thread delayed: delay time: 30000
Source: icom32.exe, 00000000.00000002.780553808.000000000047C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_004092B0 LoadLibraryA,GetProcAddress | 0_2_004092B0
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_004097B0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter | 0_2_004097B0
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_00406600 GetTimeZoneInformation | 0_2_00406600
Source: C:\Users\user\Desktop\icom32.exe | Code function: 0_2_00406CE0 GetEnvironmentStringsA,GetVersion,GetModuleFileNameA,GetCommandLineA,GetCommandLineW,GetModuleFileNameA | 0_2_00406CE0

Remote Access Functionality:

Yara detected Metasploit Payload
Source: Yara match | File source: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Listed per tactic; the number in parentheses is the match count shown next to the technique in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (11); Rootkit; Obfuscated Files or Information; Binary Padding; Software Packing; Steganography
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (11); System Information Discovery (2); Remote System Discovery (1); System Network Connections Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (12); Ingress Tool Transfer (1); Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

