MALICIOUS
Classifications: Injector
Threat Names: Mal/Generic-S
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe
ID #2627093
MD5 7a06ee20a8cf9057c0313c2dd9b52dcd
SHA1 eaee1819a3291b7d08ebcbf33101cc1a5195a082
SHA256 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
File Size 827.00 KB
Report Created 2021-08-16 16:42 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 14
OVERVIEW
VMRay Threat Identifiers (7 rules, 7 matches)
Score | Category | Operation | Count | Classification
4/5 | Injection | Writes into the memory of another process | 1 | Injector
  • (Process #1) 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe modifies memory of (process #3) dialer.exe.
4/5 | Injection | Modifies control flow of another process | 1 | Injector
  • (Process #1) 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe creates thread in (process #3) dialer.exe.
4/5 | Reputation | Known malicious file | 1 | -
  • Reputation analysis labels the sample itself as "Mal/Generic-S".
1/5 | Persistence | Installs system startup script or application | 1 | -
  • (Process #1) 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe adds "C:\Users\Public\Libraries\vvvzgqK.url" to Windows startup via registry.
1/5 | Hide Tracks | Creates process with hidden window | 1 | -
  • (Process #1) 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe starts (process #3) dialer.exe with a hidden window.
1/5 | Obfuscation | Creates a page with write and execute permissions | 1 | -
  • (Process #1) 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 | Obfuscation | Resolves API functions dynamically | 1 | -
  • (Process #1) 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe resolves 183 API functions by name.
- | Trusted | Known clean file | 1 | -
  • File "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\mqlss9sq\kqgzvvvitsjwlcjbmuuyupvmpkziqqu[1]" is a known clean file.
Mitre ATT&CK Matrix
Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Techniques observed:
#T1060 Registry Run Keys / Startup Folder (Persistence)
#T1112 Modify Registry (Defense Evasion)
#T1143 Hidden Window (Defense Evasion)
#T1045 Software Packing (Defense Evasion)
Sample Information
ID #2627093
MD5 7a06ee20a8cf9057c0313c2dd9b52dcd
SHA1 eaee1819a3291b7d08ebcbf33101cc1a5195a082
SHA256 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
SSDeep 12288:WhxUck0fyI/Xv94r0umLKC+pvbIAsrxPz+o8wcF:WhGdkF4r0uvnDIFpP
ImpHash 1abe4551dd4f8ef04deab38d0027e326
File Name 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe
File Size 827.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-16 16:42 (UTC+2)
Analysis Duration 00:03:41
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
NETWORK
General
1.28 KB total sent
6.82 KB total received
1 ports (443)
1 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
1 URLs contacted, 1 servers
1 sessions, 1.28 KB sent, 6.82 KB received
HTTP Requests
Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict
GET | https://onedrive.live.com/download?cid=1B877C3EDE919037&resid=1B877C3EDE919037%21176&authkey=AFo5NP0MH9L-foo | - | - | 0 bytes | NA
BEHAVIOR
Process Graph
Sample Start -> Process #1: 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe
Process #1 -> Process #3: dialer.exe (Child Process; Modify Memory; Create Remote Thread)
Process #1: 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 102106, Reason: Analysis Target
Unmonitor End Time End Time: 207513, Reason: Terminated
Monitor duration 105.41s
Return Code 1073807364
PID 4524
Parent PID 1604
Bitness 32 Bit
Dropped Files (3)
File Name | File Size | SHA256 | YARA Match
C:\Users\Public\Libraries\Kqgzvvv\Kqgzvvv.exe | 827.00 KB | 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d |
- | 566.00 KB | b241849e525bf89f9048c79c2f9b3152a2d66717b7a898b9a40c2a2bfd31a3c3 |
C:\Users\Public\Libraries\vvvzgqK.url | 96 bytes | 3990939686b853c7570cd0da8b8302077247bc558733661b203143fd9c80019b |
Host Behavior
Type | Count
Module | 404
Keyboard | 5
System | 13
Registry | 11
- | 9
Window | 2
File | 264
Process | 2
- | 11
- | 2
Network Behavior
Type | Count
HTTP | 2
TCP | 1
Process #3: dialer.exe
ID 3
File Name c:\windows\syswow64\dialer.exe
Command Line C:\Windows\System32\dialer.exe
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 185032, Reason: Child Process
Unmonitor End Time End Time: 324053, Reason: Terminated by Timeout
Monitor duration 139.02s
Return Code Unknown
PID 3336
Parent PID 4524
Bitness 32 Bit
Injection Information (7)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | 0x92c | 0x110000(1114112) | 0x123 | 1
Create Remote Thread | #1: c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | 0x92c | 0x110000(1114112) | - | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | 0x92c | 0x1a0000(1703936) | 0xe | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | 0x92c | 0x1b0000(1769472) | 0xd | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | 0x92c | 0x1c0000(1835008) | 0x14 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | 0x92c | 0x1d0000(1900544) | 0x1ba | 1
Create Remote Thread | #1: c:\users\rdhj0cnfevzx\desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | 0x92c | 0x1d0000(1900544) | - | 1
ARTIFACTS
File
SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d | C:\Users\Public\Libraries\Kqgzvvv\Kqgzvvv.exe, C:\Users\RDhJ0CNFevzX\Desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | Sample File | 827.00 KB | application/vnd.microsoft.portable-executable | Create, Read, Access, Write | MALICIOUS
c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | 128 bytes | application/octet-stream | - | CLEAN
b241849e525bf89f9048c79c2f9b3152a2d66717b7a898b9a40c2a2bfd31a3c3 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\mqlss9sq\kqgzvvvitsjwlcjbmuuyupvmpkziqqu[1] | Dropped File | 566.00 KB | application/octet-stream | - | CLEAN
3990939686b853c7570cd0da8b8302077247bc558733661b203143fd9c80019b | C:\Users\Public\Libraries\vvvzgqK.url | Dropped File | 96 bytes | text/plain | Create, Access, Write | CLEAN
Filename
File Name | Category | Operations | Verdict
C:\Users\RDhJ0CNFevzX\Desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | Sample File | Read, Access | CLEAN
(unprintable file name, garbled in extraction) | Accessed File | Access | CLEAN
C:\Users\Public\Libraries | Accessed File | Access | CLEAN
C:\Users\Public\Libraries\Kqgzvvv | Accessed File | Create, Access | CLEAN
C:\Users\Public\Libraries\Kqgzvvv\Kqgzvvv.exe | Sample File | Create, Access, Write | CLEAN
C:\Users\Public\Libraries\vvvzgqK.url | Dropped File | Create, Access, Write | CLEAN
URL
URL | Category | IP Address | Country | HTTP Methods | Verdict
https://onedrive.live.com/download?cid=1B877C3EDE919037&resid=1B877C3EDE919037%21176&authkey=AFo5NP0MH9L-foo | - | 13.107.42.13 | - | GET | CLEAN
Domain
Domain | IP Address | Country | Protocols | Verdict
onedrive.live.com | 13.107.42.13 | - | HTTP | CLEAN
IP
IP Address | Domains | Country | Protocols | Verdict
13.107.42.13 | l-0004.l-msedge.net, onedrive.live.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-web-brs.onedrive.akadns.net | United States | TCP, DNS, HTTPS | CLEAN
Registry
Registry Key | Operations | Parent Process Name | Verdict
HKEY_CURRENT_USER\Software\Borland\Locales | access | 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Borland\Locales | access | 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | CLEAN
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | access | 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | access | 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgzvvv | access, write | 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | CLEAN
Process
Process Name | Commandline | Verdict
9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe | "C:\Users\RDhJ0CNFevzX\Desktop\9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d.exe" | MALICIOUS
dialer.exe | C:\Windows\System32\dialer.exe | CLEAN
YARA / AV
No YARA or AV matches available.
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-08-16 10:54:52+00:00
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.33 / 2021-08-02 14:31:04
YARA Built-in Ruleset Version 4.2.2.34
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed