MALICIOUS DYNAMIC ANALYSIS REPORT # X-Ray Vision for Malware / 31. Injector. Classifications: Mal/Generic-S Mal/HTMLGen-A

(1)

MALICIOUS

Classifications: Injector

Threat Names:

Mal/Generic-S Mal/HTMLGen-A Generic.Exploit.Shellcode.RDI.2.848912F9 Gen:Variant.Strictor.46025

Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name 0d2805a84af62c765ac706960cd2a4a1.exe

ID #1077621

MD5 592cbf02a35ee0358194b33c483be874

SHA1 ae04e74a104cd6d2d00331111f0f2596c86eeb2e

SHA256 2c12f9be67bf31375db1b0578920fa37b415ec1a2df56cc1f3dacd9985f60100

File Size 339.00 KB

Report Created 2021-10-26 16:21 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

(2)

OVERVIEW

VMRay Threat Identifiers (17 rules, 47 matches)

Score Category Operation Count Classification

4/5 Defense Evasion Obscures a file's origin 2 -

(Process #2) 0d2805a84af62c765ac706960cd2a4a1.exe tries to delete zone identifier of file "C:\ProgramData\images.exe".

(Process #11) images.exe tries to delete zone identifier of file "C:\Users\RDhJ0CNFevzX\AppData\Roaming\images.exe".

•

4/5 Injection Writes into the memory of another process 1 Injector

(Process #7) images.exe modifies memory of (process #8) cmd.exe.

•

4/5 Injection Modifies control flow of another process 1 Injector

(Process #7) images.exe creates thread in (process #8) cmd.exe.

•

4/5 Antivirus Malicious content was detected by heuristic scan 4 -

Built-in AV detected a memory dump of (process #2) 0d2805a84af62c765ac706960cd2a4a1.exe as "Generic.Exploit.Shellcode.RDI.2.848912F9".

Built-in AV detected a memory dump of (process #2) 0d2805a84af62c765ac706960cd2a4a1.exe as "Gen:Variant.Strictor.46025".

Built-in AV detected a memory dump of (process #7) images.exe as "Generic.Exploit.Shellcode.RDI.2.848912F9".

Built-in AV detected a memory dump of (process #11) images.exe as "Generic.Exploit.Shellcode.RDI.2.848912F9".

•

4/5 Reputation Known malicious file 1 -

Reputation analysis labels the sample itself as "Mal/Generic-S".

•

4/5 Reputation Resolves known malicious domain 1 -

Reputation analysis labels the resolved domain "nan.ydns.eu" as "Mal/HTMLGen-A".

•

2/5 Injection Writes into the memory of a process started from a created or modified executable 3 -

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe modifies memory of (process #2) 0d2805a84af62c765ac706960cd2a4a1.exe.

(Process #4) images.exe modifies memory of (process #7) images.exe.

(Process #10) images.exe modifies memory of (process #11) images.exe.

•

2/5 Injection Modifies control flow of a process started from a created or modified executable 3 -

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe alters context of (process #2) 0d2805a84af62c765ac706960cd2a4a1.exe.

(Process #4) images.exe alters context of (process #7) images.exe.

(Process #10) images.exe alters context of (process #11) images.exe.

•

1/5 Privilege Escalation Enables process privilege 3 -

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe enables process privilege "SeDebugPrivilege".

(Process #4) images.exe enables process privilege "SeDebugPrivilege".

(Process #10) images.exe enables process privilege "SeDebugPrivilege".

•

1/5 Hide Tracks Creates process with hidden window 8 -

X-Ray Vision for Malware - www.vmray.com 2 / 31

(3)

Score Category Operation Count Classification

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe starts (process #2) 0d2805a84af62c765ac706960cd2a4a1.exe with a hidden window.

(Process #2) 0d2805a84af62c765ac706960cd2a4a1.exe starts (process #3) cmd.exe with a hidden window.

(Process #2) 0d2805a84af62c765ac706960cd2a4a1.exe starts (process #4) images.exe with a hidden window.

(Process #4) images.exe starts (process #7) images.exe with a hidden window.

(Process #7) images.exe starts (process #8) cmd.exe with a hidden window.

(Process #11) images.exe starts (process #12) cmd.exe with a hidden window.

•

1/5 Discovery Enumerates running processes 3 -

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe enumerates running processes.

(Process #4) images.exe enumerates running processes.

(Process #10) images.exe enumerates running processes.

•

1/5 Obfuscation Reads from memory of another process 3 -

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe reads from (process #2) 0d2805a84af62c765ac706960cd2a4a1.exe.

(Process #4) images.exe reads from (process #7) images.exe.

(Process #10) images.exe reads from (process #11) images.exe.

•

1/5 Obfuscation Creates a page with write and execute permissions 4 -

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

(Process #4) images.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

•

1/5 Anti Analysis Tries to detect analyzer sandbox 1 -

(Process #2) 0d2805a84af62c765ac706960cd2a4a1.exe is possibly trying to detect analyzer sandbox by checking for patched sleep.

•

1/5 System Modification Modifies application directory 3 -

(Process #2) 0d2805a84af62c765ac706960cd2a4a1.exe modifies "c:\program files\microsoft dn1".

(Process #7) images.exe modifies "c:\program files\microsoft dn1".

(Process #11) images.exe modifies "c:\program files\microsoft dn1".

•

1/5 Network Connection Performs DNS request 1 -

(Process #7) images.exe resolves host name "nan.ydns.eu" to IP "-".

•

1/5 Execution Executes itself 5 -

(Process #1) 0d2805a84af62c765ac706960cd2a4a1.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\0d2805a84af62c765ac706960cd2a4a1.exe.

(Process #2) 0d2805a84af62c765ac706960cd2a4a1.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\0d2805a84af62c765ac706960cd2a4a1.exe.

(Process #4) images.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\0d2805a84af62c765ac706960cd2a4a1.exe.

•

(4)

Mitre ATT&CK Matrix

Initial Access Execution Persistence Privilege Escalation

Defense Evasion

Credential

Access Discovery Lateral

Movement Collection Command

and Control Exfiltration Impact

#T1143 Hidden Window

#T1057 Process Discovery

#T1045 Software Packing

#T1497 Virtualization/

Sandbox Evasion

#T1497 Virtualization/

Sandbox Evasion

#T1124 System Time

Discovery

#T1096 NTFS File Attributes

X-Ray Vision for Malware - www.vmray.com 4 / 31

(5)

Sample Information

Analysis Information

ID #1077621

MD5 592cbf02a35ee0358194b33c483be874

SHA1 ae04e74a104cd6d2d00331111f0f2596c86eeb2e

SHA256 2c12f9be67bf31375db1b0578920fa37b415ec1a2df56cc1f3dacd9985f60100

SSDeep 6144:BQIxNYrJYEfv9Ykr7DVLq1YV+8TzAB/KOnTSE0K8LvfDEQXWUtin2H+:yrZfeec1Yf/AwOn3094Kb3+

ImpHash f34d5f2d4577ed6d9ceec516c1f5a744

File Name 0d2805a84af62c765ac706960cd2a4a1.exe

File Size 339.00 KB

Sample Type Windows Exe (x86-32)

Has Macros

Creation Time 2021-10-26 16:21 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 12

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 40

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0

(6)

X-Ray Vision for Malware - www.vmray.com 6 / 31

(7)

Screenshots truncated

(8)

NETWORK

General

DNS

HTTP/S

DNS Requests

Type Hostname Response Code Resolved IPs CNames Verdict

0 bytes total sent

0 bytes total received 0 ports

1 contacted IP addresses

0 URLs extracted 0 files downloaded

0 malicious hosts detected

1 DNS requests for 1 domains 1 nameservers contacted

0 total requests returned errors

0 URLs contacted, 0 servers

0 sessions, 0 bytes sent, 0 bytes received

A nan.ydns.eu NoError 195.133.40.125 NA

X-Ray Vision for Malware - www.vmray.com 8 / 31

(9)

BEHAVIOR

Process Graph

Sample Start #1

0d2805a84af62c765ac706960cd2a4a1.exe #2

0d2805a84af62c765ac706960cd2a4a1.exe Modify Memory

Modify Control Flow Child Process

#3 cmd.exe Child Process

#4 images.exe Child Process

#6 reg.exe Child Process

#7 images.exe Modify Memory

#8 cmd.exe Modify Memory

Create Remote Thread Child Process

Reboot #1 #10

images.exe

#11 images.exe Modify Memory

#12 cmd.exe Child Process

#13 images.exe Child Process

#15 reg.exe Child Process

(10)

Process #1: 0d2805a84af62c765ac706960cd2a4a1.exe

Dropped Files (1)

File Name File Size SHA256 YARA Match

Host Behavior

Type Count

ID 1

File Name c:\users\rdhj0cnfevzx\desktop\0d2805a84af62c765ac706960cd2a4a1.exe Command Line "C:\Users\RDhJ0CNFevzX\Desktop\0d2805a84af62c765ac706960cd2a4a1.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 51003, Reason: Analysis Target Unmonitor End Time End Time: 115609, Reason: Terminated

Monitor duration 64.61s

Return Code 0

PID 5032

Parent PID 1636

Bitness 32 Bit

C:

\Users\RDhJ0CNFevzX\AppData\Local\Temp\0d2805a84af62c765ac

706960cd2a4a1.exe 339.00 KB 2c12f9be67bf31375db1b0578920fa37b415ec1a2df56cc1f3dacd9985f60

100

File 5

User 1

Process 111

Module 57

- 3

System 111

- 9

X-Ray Vision for Malware - www.vmray.com 10 / 31

(11)

Process #2: 0d2805a84af62c765ac706960cd2a4a1.exe

Injection Information (8)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

Dropped Files (1)

Host Behavior

Type Count

ID 2

File Name c:\users\rdhj0cnfevzx\appdata\local\temp\0d2805a84af62c765ac706960cd2a4a1.exe Command Line C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\0d2805a84af62c765ac706960cd2a4a1.exe

Monitor Start Time Start Time: 104515, Reason: Child Process Unmonitor End Time End Time: 125847, Reason: Terminated

Return Code 0

PID 3528

Parent PID 5032

Bitness 32 Bit

Modify Memory

#1: c:

\users\rdhj0cnfevzx\desktop