MALICIOUS
Classifications: -
Threat Names: Mal/Generic-S
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name Erodo.exe
ID #3724642
MD5 0d0d64eecf0771dfc73ea6674802c256
SHA1 a9eb93937399030d52ce1641794b0fab1c398724
SHA256 f927fc3dee7de6daefed3b155907078344fbfec8bd3d63ed96013c2c9ae1e78e
File Size 342.50 KB
Report Created 2022-03-02 23:49 (UTC+1)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 16
OVERVIEW
VMRay Threat Identifiers (3 rules, 4 matches)
Score | Category | Operation | Count | Classification
4/5 | Execution | Executes encoded PowerShell command | 1 | -
    - (Process #1) erodo.exe executes base64-encoded PowerShell command.
4/5 | Reputation | Known malicious file | 1 | -
    - Reputation analysis labels the sample itself as "Mal/Generic-S".
1/5 | Hide Tracks | Creates process with hidden window | 2 | -
    - (Process #1) erodo.exe starts (process #2) powershell.exe with a hidden window.
    - (Process #2) powershell.exe starts (process #4) cmd.exe with a hidden window.
Mitre ATT&CK Matrix
Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Execution:
    - #T1086 PowerShell
Defense Evasion:
    - #T1143 Hidden Window
    - #T1140 Deobfuscate/Decode Files or Information
    - #T1027 Obfuscated Files or Information
Sample Information
Analysis Information
ID #3724642
MD5 0d0d64eecf0771dfc73ea6674802c256
SHA1 a9eb93937399030d52ce1641794b0fab1c398724
SHA256 f927fc3dee7de6daefed3b155907078344fbfec8bd3d63ed96013c2c9ae1e78e
SSDeep 6144:Pzb2t3laE3iJq/phPjZRijqACqcGHjmaFFq8O7qWj8o9u7KwBP/DGDMDSj:J0L2XCqcGHjZyqQ8rPrGS
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Name Erodo.exe
File Size 342.50 KB
Sample Type Windows Exe (x86-32)
Has Macros
Creation Time 2022-03-02 23:49 (UTC+1)
Analysis Duration 00:02:00
Termination Reason Timeout
Number of Monitored Processes 4
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
Screenshots truncated
NETWORK
General
    0 bytes total sent
    0 bytes total received
    0 ports
    0 contacted IP addresses
    0 URLs extracted
    0 files downloaded
    0 malicious hosts detected
DNS
    0 DNS requests for 0 domains
    0 nameservers contacted
    0 total requests returned errors
HTTP/S
    0 URLs contacted, 0 servers
    0 sessions, 0 bytes sent, 0 bytes received
BEHAVIOR
Process Graph
Sample Start
    #1 erodo.exe
        #2 powershell.exe (Child Process)
            #4 cmd.exe (Child Process)
                #5 timeout.exe (Child Process)
Process #1: erodo.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\erodo.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\Erodo.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 71617, Reason: Analysis Target
Unmonitor End Time End Time: 191918, Reason: Terminated by Timeout
Monitor duration 120.30s
Return Code Unknown
PID 2388
Parent PID 1184
Bitness 32 Bit
Host Behavior
Type | Count
Process | 1
Process #2: powershell.exe
ID 2
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==
(The -enc argument is base64-encoded UTF-16LE and decodes to "cmd /c timeout 20", which matches the command line of process #4 below; the launched command itself does nothing beyond sleeping for 20 seconds.)
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 115534, Reason: Child Process
Unmonitor End Time End Time: 191918, Reason: Terminated by Timeout
Monitor duration 76.38s
Return Code Unknown
PID 2264
Parent PID 2388
Bitness 32 Bit
Host Behavior
Type | Count
Module | 4
File | 31
Environment | 14
Registry | 2
Process | 1
- | 13
Process #4: cmd.exe
ID 4
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\system32\cmd.exe" /c timeout 20
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 168807, Reason: Child Process
Unmonitor End Time End Time: 191849, Reason: Terminated
Monitor duration 23.04s
Return Code 0
PID 1008
Parent PID 2264
Bitness 32 Bit
Host Behavior
Type | Count
Module | 8
Registry | 17
File | 18
Environment | 19
System | 1
Process | 1
Process #5: timeout.exe
ID 5
File Name c:\windows\syswow64\timeout.exe
Command Line timeout 20
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 169796, Reason: Child Process
Unmonitor End Time End Time: 190919, Reason: Terminated
Monitor duration 21.12s
Return Code 0
PID 1312
Parent PID 1008
Bitness 32 Bit
Host Behavior
Type | Count
Module | 2
System | 357
File | 142
ARTIFACTS
File
SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
f927fc3dee7de6daefed3b155907078344fbfec8bd3d63ed96013c2c9ae1e78e | C:\Users\RDhJ0CNFevzX\Desktop\Erodo.exe | Sample File | 342.50 KB | application/vnd.microsoft.portable-executable | - | MALICIOUS
929590ed92633e841871c6ee7449a6731de5a44d0dada0b9979eecf03f4783d9 | - | Embedded File | 51.38 KB | image/png | - | CLEAN
Filename
File Name | Category | Operations | Verdict
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Accessed File | Access | CLEAN
C:\Windows\system32 | Accessed File | Access | CLEAN
C:\Windows\system32\cmd.exe | Accessed File | Access | CLEAN
C:\Windows\SysWOW64\cmd.exe | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\Desktop | Accessed File | Access | CLEAN
C:\Windows\SysWOW64\timeout.exe | Accessed File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | Accessed File | Read, Access | CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | Accessed File | Access | CLEAN
Registry
Registry Key | Operations | Parent Process Name | Verdict
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | access | powershell.exe | CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | access | powershell.exe | CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor | access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun | read, access | cmd.exe | CLEAN
Process
Process Name | Commandline | Verdict
erodo.exe | "C:\Users\RDhJ0CNFevzX\Desktop\Erodo.exe" | MALICIOUS
powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA== | SUSPICIOUS
cmd.exe | "C:\Windows\system32\cmd.exe" /c timeout 20 | CLEAN
timeout.exe | timeout 20 | CLEAN
YARA / AV
No YARA or AV matches available.
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Platform Information
Platform Version 4.4.1
Dynamic Engine Version 4.4.1 / 01/14/2022 05:06
Static Engine Version 4.4.1.0 / 2022-01-14 04:00:58
AV Exceptions Version 4.4.1.6 / 2021-12-14 15:06:27
Link Detonation Heuristics Version 4.4.1.7 / 2021-12-15 19:11:26
Smart Memory Dumping Rules Version 4.4.1.6 / 2021-12-14 15:06:27
Signature Trust Store Version 4.4.1.6 / 2021-12-14 15:06:27
VMRay Threat Identifiers Version 4.4.1.12 / 2022-02-21 16:21:57
YARA Built-in Ruleset Version 4.4.1.11
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Hangul Office Not installed
Hangul Office Version Not installed
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed
System Information
Sample Directory C:\Users\RDhJ0CNFevzX\Desktop
Computer Name XC64ZB
User Domain XC64ZB
User Name RDhJ0CNFevzX
User Profile C:\Users\RDhJ0CNFevzX
Temp Directory C:\Users\RDHJ0C~1\AppData\Local\Temp
System Root C:\Windows