Edit tour

Windows Analysis Report
AutoInstall.exe

Overview

General Information

Sample Name:	AutoInstall.exe
Analysis ID:	593200
MD5:	7700a0d1b07e63f054a730fbf9156ef0
SHA1:	6995f2e5f4544b3e99489364bccc56084198c61d
SHA256:	99b4df04fc5236a12bcf96a4c6ec797b2555189915050d7a0a1704f4f69ab770
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Writes to foreign memory regions

Allocates memory in foreign processes

May check the online IP address of the machine

PE file contains section with special chars

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

HTTP GET or POST without a user agent

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Enables debug privileges

Classification

Process Tree

System is w10x64

AutoInstall.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\AutoInstall.exe" MD5: 7700A0D1B07E63F054A730FBF9156EF0)

conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 64 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

cleanup

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke (rule): Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, QueryName: ip-api.com

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AutoInstall.exe

Virustotal: Detection: 36%

Perma Link

Source: AutoInstall.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:

Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp, AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp

Networking

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: AutoInstall.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: AutoInstall.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AutoInstall.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: AutoInstall.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: AutoInstall.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: AutoInstall.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: AutoInstall.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: AutoInstall.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AutoInstall.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.641051378.0000000007127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com4
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: AutoInstall.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: AutoInstall.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: AutoInstall.exe	String found in binary or memory: http://www.entrust.net/rpa0
Source: AutoInstall.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: AutoInstall.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: AutoInstall.exe, 00000001.00000002.379164276.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

PE file contains section with special chars

Source: AutoInstall.exe

Static PE information: section name: .pyX$d

Source: AutoInstall.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs AutoInstall.exe
Source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePennyWise.exe4 vs AutoInstall.exe
Source: AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs AutoInstall.exe
Source: AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePennyWise.exe4 vs AutoInstall.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D1478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D1DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DBF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DDEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DC850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D156F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D20D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055DBC38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D1E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_055D0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_09D76E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 3_2_09D76E40

Source: AutoInstall.exe

Static PE information: invalid certificate

Source: AutoInstall.exe

Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\AutoInstall.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: unknown	Process created: C:\Users\user\Desktop\AutoInstall.exe "C:\Users\user\Desktop\AutoInstall.exe"
Source: C:\Users\user\Desktop\AutoInstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AutoInstall.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\AutoInstall.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\8d96007aa6619f065c7ec2509ce5f96d

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winEXE@4/0@1/1

Source: 1.3.AutoInstall.exe.24b0000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: AutoInstall.exe

Static file information: File size 4344320 > 1048576

Source: AutoInstall.exe

Static PE information: Raw size of .iXgHkK is bigger than: 0x100000 < 0x3eae00

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.3.AutoInstall.exe.24b0000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 3_2_055D63F2 push D800035Eh; ret

Source: AutoInstall.exe	Static PE information: section name: .iXgHkK
Source: AutoInstall.exe	Static PE information: section name: .pyX$d

Source: initial sample

Static PE information: section name: .pyX$d entropy: 7.40228735958

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\AutoInstall.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\AutoInstall.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: F65008

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\AutoInstall.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\AutoInstall.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\AutoInstall.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\AutoInstall.exe

Code function: 1_2_00409C7C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	111 Windows Management Instrumentation	Path Interception	311 Process Injection	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AutoInstall.exe	37%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.3.AutoInstall.exe.24b0000.0.unpack	100%	Avira	HEUR/AGEN.1203048		Download File
3.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1203048		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://ip-api.com4	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aia.entrust.net/ts1-chain256.cer01	AutoInstall.exe	false		high
http://www.codeplex.com/DotNetZip	AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	AutoInstall.exe	false		high
http://ocsp.entrust.net03	AutoInstall.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa0	AutoInstall.exe	false		high
http://ocsp.entrust.net02	AutoInstall.exe	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	AutoInstall.exe	false		high
http://crl.entrust.net/2048ca.crl0	AutoInstall.exe	false		high
http://ip-api.com	AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.641051378.0000000007127000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com4	AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	593200
Start date and time:	2022-03-21 12:17:49 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	AutoInstall.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 72% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target AutoInstall.exe, PID 6564 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.8762873630378625
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AutoInstall.exe
File size:	4344320
MD5:	7700a0d1b07e63f054a730fbf9156ef0
SHA1:	6995f2e5f4544b3e99489364bccc56084198c61d
SHA256:	99b4df04fc5236a12bcf96a4c6ec797b2555189915050d7a0a1704f4f69ab770
SHA512:	9d063f2e37a35e20a322a4ab2be24884a245a40c4924b618a83f69515a62b15a954393717961f79c77945f2b692ea5d26d829153a8ece04c4ff774a48dc8607e
SSDEEP:	98304:IDWrdQJJ6qOobDtlLCSvKBXRAtiX2CVQmYRx6uiNnA9gEEtwPpAK3q2M:D6KPktlvIAtSNn6gFtYrzM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b8b..................@..<......;.........A...@..........................0B............................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40953b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x6238628B [Mon Mar 21 11:33:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	99c2cae0b7316add27de679470515124

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	4/13/2021 5:00:00 PM 4/16/2024 4:59:59 PM
Subject Chain	CN=Nvidia Corporation, OU=IT-MIS, O=Nvidia Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	991A62097E637843EA62029BF4E829BC
Thumbprint SHA-1:	F518FAD5DEC9E0500DA1C1598C4B0FFC0268B2D0
Thumbprint SHA-256:	A4870BB5FEB7028CCB0E50936E9138F528FF3CCD001D44C7D268A69685455FE8
Serial:	0266ADFA176389D9B4301AC87EFD6A96

Entrypoint Preview

Instruction
call 00007F5E64D0882Eh
jmp 00007F5E64D07F19h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F5E64D080BBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F5E64D080ACh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F5E64D080AEh
add edx, 28h
cmp edx, esi
jne 00007F5E64D0808Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F5E64D0809Bh
push esi
call 00007F5E64D08B0Bh
test eax, eax
je 00007F5E64D080C2h
mov eax, dword ptr fs:[00000018h]
mov esi, 008211E4h
mov edx, dword ptr [eax+04h]
jmp 00007F5E64D080A6h
cmp edx, eax
je 00007F5E64D080B2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F5E64D08092h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F5E64D080A9h
mov byte ptr [008211E8h], 00000001h
call 00007F5E64D08580h
call 00007F5E64D0A8FEh
test al, al
jne 00007F5E64D080A6h
xor al, al
pop ebp
ret
call 00007F5E64D1386Eh
test al, al
jne 00007F5E64D080ACh
push 00000000h
call 00007F5E64D0A905h
pop ecx
jmp 00007F5E64D0808Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [008211E9h], 00000000h
je 00007F5E64D080A6h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41f12c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x422800	0x2200
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x41ced8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x410000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23fe5	0x24000	False	0.55852593316	data	6.58598139573	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.iXgHkK	0x25000	0x3eac39	0x3eae00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x410000	0xf8d8	0xfa00	False	0.546984375	data	5.65055331195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x420000	0x1ce8	0x1000	False	0.18994140625	data	3.03654885505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pyX$d	0x422000	0x910	0xa00	False	0.881640625	data	7.40228735958	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

USER32.dll

GetSysColorBrush, MessageBeep, MessageBoxA, GetSystemMetrics, SendNotifyMessageA

KERNEL32.dll

TlsSetValue, CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, GetLastError, GetCurrentProcessId, GetCurrentThreadId, GetModuleHandleA, GetProcAddress, MultiByteToWideChar, FreeConsole, GetConsoleWindow, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, FreeEnvironmentStringsW, RaiseException, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, WriteConsoleW, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2022 13:19:19.080195904 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:19.109673977 CET	80	49775	208.95.112.1	192.168.2.6
Mar 21, 2022 13:19:19.109812975 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:19.119479895 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:19.149487019 CET	80	49775	208.95.112.1	192.168.2.6
Mar 21, 2022 13:19:19.292432070 CET	49775	80	192.168.2.6	208.95.112.1
Mar 21, 2022 13:19:58.370439053 CET	80	49775	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2022 13:19:18.970336914 CET	52858	53	192.168.2.6	8.8.8.8
Mar 21, 2022 13:19:18.989157915 CET	53	52858	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 21, 2022 13:19:18.970336914 CET	192.168.2.6	8.8.8.8	0x45cd	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 21, 2022 13:19:18.989157915 CET	8.8.8.8	192.168.2.6	0x45cd	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49775	208.95.112.1	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2022 13:19:19.119479895 CET	1097	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 21, 2022 13:19:19.149487019 CET	1097	IN	HTTP/1.1 200 OK Date: Mon, 21 Mar 2022 12:19:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	1
Start time:	13:18:59
Start date:	21/03/2022
Path:	C:\Users\user\Desktop\AutoInstall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AutoInstall.exe"
Imagebase:	0x400000
File size:	4344320 bytes
MD5 hash:	7700A0D1B07E63F054A730FBF9156EF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exePID: 4876, Parent PID: 6564

General

Target ID:	2
Start time:	13:19:00
Start date:	21/03/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: AppLaunch.exePID: 64, Parent PID: 6564

General

Target ID:	3
Start time:	13:19:02
Start date:	21/03/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0x1050000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AutoInstall.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

Behavior

System Behavior

Analysis Process: AutoInstall.exePID: 6564, Parent PID: 6076

General

Windows Analysis Report
AutoInstall.exe