Play interactive tour

Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:	484827
Infos:
Most interesting Screenshot:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suspicious powershell command line found

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Creates a process in suspended mode (likely to inject code)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Classification

Process Tree

System is w10x64

cmd.exe (PID: 3260 cmdline: cmd /C 'cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '& {mode con lines=1 cols=32766; Set-Variable -Name 'SNC_isWmi' -Value $true -Scope Global; & { 'execute remote test passed' }}' > '\\127.0.0.1\admin$\temp\psscript_output_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt' 2>'\\127.0.0.1\admin$\temp\psscript_err_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt''' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 852 cmdline: cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

chcp.com (PID: 3876 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)

powershell.exe (PID: 4796 cmdline: powershell -NonInteractive -WindowStyle Hidden -command MD5: DBA3E6449E97D4E3DF64527EF7012A10)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 4796	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xd387:$sa2: -encodedCommand 0xddf3:$sa2: -EncodedCommand 0xe914:$sa2: -EncodedCommand 0xe9af:$sa2: -encodedCommand 0x2532f:$sb3: -WindowStyle Hidden 0x25368:$sb3: -WindowStyle Hidden 0xdbce:$sc2: -NoProfile 0xdc0f:$sd2: -NonInteractive 0x2531f:$sd2: -NonInteractive 0x25358:$sd2: -NonInteractive 0x37fa5:$sd2: -noninteractive

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -NonInteractive -WindowStyle Hidden -command , CommandLine: powershell -NonInteractive -WindowStyle Hidden -command , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command ', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 852, ProcessCommandLine: powershell -NonInteractive -WindowStyle Hidden -command , ProcessId: 4796

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

Source: powershell.exe, 00000005.00000002.215417490.0000000005227000.00000004.00000001.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: Process Memory Space: powershell.exe PID: 4796, type: MEMORYSTR

Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08337F00	5_2_08337F00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08330006	5_2_08330006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08337F00	5_2_08337F00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0833E478	5_2_0833E478
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0833E468	5_2_0833E468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08330040	5_2_08330040

Source: C:\Windows\SysWOW64\chcp.com

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: classification engine

Classification label: sus24.win@8/1@0/1

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C 'cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '& {mode con lines=1 cols=32766; Set-Variable -Name 'SNC_isWmi' -Value $true -Scope Global; & { 'execute remote test passed' }}' > '\\127.0.0.1\admin$\temp\psscript_output_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt' 2>'\\127.0.0.1\admin$\temp\psscript_err_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt'''
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NonInteractive -WindowStyle Hidden -command
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NonInteractive -WindowStyle Hidden -command	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_01

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NonInteractive -WindowStyle Hidden -command
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NonInteractive -WindowStyle Hidden -command			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1236

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe cmd /C 'cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '& {mode con lines=1 cols=32766; Set-Variable -Name 'SNC_isWmi' -Value $true -Scope Global; & { 'execute remote test passed' }}' > '\\127.0.0.1\admin$\temp\psscript_output_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt' 2>'\\127.0.0.1\admin$\temp\psscript_err_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt'''

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NonInteractive -WindowStyle Hidden -command	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Process Injection11	Virtualization/Sandbox Evasion21	OS Credential Dumping	Process Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	PowerShell1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.215417490.0000000005227000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	484827
Start date:	17.09.2021
Start time:	00:58:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowscmdlinecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus24.win@8/1@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Execution Graph export aborted for target powershell.exe, PID 4796 because it is empty Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	788
Entropy (8bit):	5.110442753830987
Encrypted:	false
SSDEEP:	24:30+H05KNPAo4K0k515qRPjqV422HSCvKxrh:9l4tk1qR74/4SCve1
MD5:	0112BA3290AA94137C32FDA5F7A1E238
SHA1:	CEEB9A11553A99654AA0272E7D88B482FD85D0E8
SHA-256:	037D41CF56F286D85D848C137C15006DA7FEEAAB8AF5D3DBCC7A8B8A86B472C5
SHA-512:	4E23F4F2EE74A53E50595657E3FE3E0DED898834890F00E3D2A6EAC0DA330C253DDE61D78AE4E8277294FC85CE5A37104AB4211306390B2D26141494A277EB3A
Malicious:	false
Reputation:	low
Preview:	@...e...........................................................H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.<................):gK..G...$.1.q........System.Configuration@...............................................T.@.G.@...@..@@.

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 3260 Parent PID: 2628

General

Start time:	00:59:41
Start date:	17/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C 'cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '& {mode con lines=1 cols=32766; Set-Variable -Name 'SNC_isWmi' -Value $true -Scope Global; & { 'execute remote test passed' }}' > '\\127.0.0.1\admin$\temp\psscript_output_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt' 2>'\\127.0.0.1\admin$\temp\psscript_err_4aa8557d-5be1-4b05-bedd-6fc442052fb3.txt'''
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3888 Parent PID: 3260

General

Start time:	00:59:41
Start date:	17/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 852 Parent PID: 3260

General

Start time:	00:59:42
Start date:	17/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c 'chcp 65001 & powershell -NonInteractive -WindowStyle Hidden -command '
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: chcp.com PID: 3876 Parent PID: 852

General

Start time:	00:59:42
Start date:	17/09/2021
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xc50000
File size:	12800 bytes
MD5 hash:	561054CF9C4B2897E80D7E7D9027FED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 4796 Parent PID: 852

General

Start time:	00:59:43
Start date:	17/09/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -NonInteractive -WindowStyle Hidden -command
Imagebase:	0x920000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 4796 Parent PID: 852 powershell.exeCOMMON

Executed Functions

Function 08337F00, Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db5bc52045f9eb83db1cc981a9c532dea1d485d2cf2081458080b31b6d5ee30
Instruction ID: 1215fdb79cd7d7e4e721b8218d060c7936d2943ddc6764bb3bba9ce74e61848e
Opcode Fuzzy Hash: 0db5bc52045f9eb83db1cc981a9c532dea1d485d2cf2081458080b31b6d5ee30
Instruction Fuzzy Hash: 8A526F70A00219DFDB15DF68C850BA973B6EF89309F1185ADE90A9B390DB35ED46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 08770EC8, Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217538197.0000000008770000.00000040.00000001.sdmp, Offset: 08770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4e86e7783e6ae4099382df61feebaf4c2bb2888787ad655efa2d2e220f6c07
Instruction ID: 68e50cd36decc5c48e567ac5f3de95a06a67bbaa7e02022d31a31ab65947d9ec
Opcode Fuzzy Hash: ba4e86e7783e6ae4099382df61feebaf4c2bb2888787ad655efa2d2e220f6c07
Instruction Fuzzy Hash: 8BF09071A482969FC712DFB8D40569E7FF0AF06220F5544EAD044DB652E7709542CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 08336F86, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1187a69d5c81a56ed320c412fa5a21ed9e61452f9fe988d8d09b2e70e1320a
Instruction ID: cc4d12e942b2062ba1a2136593b46fd05f2308d2cfe61a4f0d04da1c0e5fbf81
Opcode Fuzzy Hash: 0d1187a69d5c81a56ed320c412fa5a21ed9e61452f9fe988d8d09b2e70e1320a
Instruction Fuzzy Hash: 18916A71B01214CFEB25DF68D854BAEB7B6FF88215F1581A9D909EB290DB309D81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04D4D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.215192585.0000000004D4D000.00000040.00000001.sdmp, Offset: 04D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555a77d80901e6a9b403225f5f95314fa8c5e995005ff03222b83845d884173a
Instruction ID: 774d082f44ee0c862e97eb8b37fcccb6e871fe454c61ef9689271b174eaf7498
Opcode Fuzzy Hash: 555a77d80901e6a9b403225f5f95314fa8c5e995005ff03222b83845d884173a
Instruction Fuzzy Hash: F001F7316083449BEB204E25E9C47A6BF98EF81364F28845AED445B286D379E845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 04D4D005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.215192585.0000000004D4D000.00000040.00000001.sdmp, Offset: 04D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8efe337771449fec0a3552314e7fe21ea431cb6cec825cb92f316ca1e5fe37
Instruction ID: 2c311ccc93c1a93cbf005ea696c1c905f07bbdc130e522d7d4ce9aa5b123d196
Opcode Fuzzy Hash: 7c8efe337771449fec0a3552314e7fe21ea431cb6cec825cb92f316ca1e5fe37
Instruction Fuzzy Hash: 49015E7150D3C09FE7128B259C94B92BFB4EF43224F1981DBE9888F293C2695849C772

Uniqueness

Uniqueness Score: -1.00%

Function 083351A0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda4a9a58ca9f9da81267589e15063772e8cf11395e309ac2f79c0edcd3f2eb4
Instruction ID: b86f72557088c260e2a4f3804c2d842e28cd8bef50d9fd54d8850429df8a27bb
Opcode Fuzzy Hash: fda4a9a58ca9f9da81267589e15063772e8cf11395e309ac2f79c0edcd3f2eb4
Instruction Fuzzy Hash: A9F05932B002544BCB16923CE8080EEBBEAABCD361B0900AFE542D7301CF759912CB91

Uniqueness

Uniqueness Score: -1.00%

Function 083351B0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fd523f869547c7239383e662fd16c5d982a5c51980f853edc10c6debc3a499
Instruction ID: 0fcbd26e1c0e86ae5640fabaee4799e6366b1748a853ed6d894555e0bbe040c8
Opcode Fuzzy Hash: b8fd523f869547c7239383e662fd16c5d982a5c51980f853edc10c6debc3a499
Instruction Fuzzy Hash: 27E0E532B0022487CB195668D8044EE73EAABC8351F05007ED902E7744CF759C058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0833FF90, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfecb201886a927cdbcde00dedf1a110d7aec60cdc3fca1abba28e649fd5acb5
Instruction ID: d8d35fa7336ea20bcdf571d06cc887a654ee01a8d51347391efd53b764ff5c02
Opcode Fuzzy Hash: bfecb201886a927cdbcde00dedf1a110d7aec60cdc3fca1abba28e649fd5acb5
Instruction Fuzzy Hash: DCE086353A62108FC3829B74F9589893B65EF49215B1541D7D909CB371C6799800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 087712A8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217538197.0000000008770000.00000040.00000001.sdmp, Offset: 08770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dbb82d00a0a61d16257b13fcff59fbd71e09075eb2f1eb6dfd7bc655b0a0bd
Instruction ID: cd8477be88af9cb95cb5cff3a9ad62a14835bc3f6ac3be723cf3e72d214cbed7
Opcode Fuzzy Hash: 71dbb82d00a0a61d16257b13fcff59fbd71e09075eb2f1eb6dfd7bc655b0a0bd
Instruction Fuzzy Hash: 59E0B6B1E4020AEFDB40EFA9C909B5EBBF0BF08600F5185AAD015E7225E7749645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0833FFA0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9870a260447f328d3ddee35f1bc689f993c8c13f2f4831359030684475307f3b
Instruction ID: 7e8c48ddec0bcc554fb76ed3df639c432f24957efd351f869553f103df096d55
Opcode Fuzzy Hash: 9870a260447f328d3ddee35f1bc689f993c8c13f2f4831359030684475307f3b
Instruction Fuzzy Hash: D5D05E353511209FC381AB68F448D8577A9EF49264B114095E90987361DB75EC008B91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0833E468, Relevance: 5.0, Strings: 3, Instructions: 1292COMMON

Download Yara Rule

Strings

D!m, xrefs: 0833E746
t%m, xrefs: 0833E70C
\m, xrefs: 0833E658

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID: D!m$\m$t%m
API String ID: 0-789673139
Opcode ID: 48a9e3591fbbbcf83a5e60dab56b2c24173e86395d8b0b9182eaa8321b2d587f
Instruction ID: 657ba2f739d1992e03297049460357678f139649b7fa565354eb91837e945b04
Opcode Fuzzy Hash: 48a9e3591fbbbcf83a5e60dab56b2c24173e86395d8b0b9182eaa8321b2d587f
Instruction Fuzzy Hash: 88A2B3B0F002185BDB24ABB6DC547BF35ABDBC5B08F24942899175B398DF725C814BE2

Uniqueness

Uniqueness Score: -1.00%

Function 0833E478, Relevance: 5.0, Strings: 3, Instructions: 1287COMMON

Download Yara Rule

Strings

D!m, xrefs: 0833E746
t%m, xrefs: 0833E70C
\m, xrefs: 0833E658

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID: D!m$\m$t%m
API String ID: 0-789673139
Opcode ID: f622b7782c2f3ab8138459f7a57ca87da778b5205b014c93bf5c7a26c3b0e55a
Instruction ID: 2fc7486764bf3c5a571bceac675e5c311e0cf3eb80daf6cdb4cbf9dfb3343339
Opcode Fuzzy Hash: f622b7782c2f3ab8138459f7a57ca87da778b5205b014c93bf5c7a26c3b0e55a
Instruction Fuzzy Hash: 2AA2A3B0F002185BDB24ABB6DC547BF35ABDBC5B08F24942899175B398DF725C814BA2

Uniqueness

Uniqueness Score: -1.00%

Function 08330006, Relevance: 4.4, Instructions: 4372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.217506795.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d36f3e8b593b66f26efb588a5b3d70670c1a9a6c33512e9d181db6e5813719
Instruction ID: 771e80e5543e94342d01391236878e145c883fbb218b0b26a3311dd2c3c33143
Opcode Fuzzy Hash: 25d36f3e8b593b66f26efb588a5b3d70670c1a9a6c33512e9d181db6e5813719
Instruction Fuzzy Hash: 4CA30170A006198FD754DF58E584A8977BAFF88308F208AD8D4095F36AD7B5ED868FD0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exe PID: 3260 Parent PID: 2628

General

Chronological Activities

Analysis Process: conhost.exe PID: 3888 Parent PID: 3260

General

Chronological Activities

Analysis Process: cmd.exe PID: 852 Parent PID: 3260

General

Chronological Activities

Analysis Process: chcp.com PID: 3876 Parent PID: 852

General

Chronological Activities

Analysis Process: powershell.exe PID: 4796 Parent PID: 852

General

Chronological Activities