
Analysis Report WBKDqSfWLj.exe

Overview

General Information

Joe Sandbox Version: 24.0.0
Analysis ID: 716914
Start date: 19.11.2018
Start time: 21:56:02
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 5m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: WBKDqSfWLj.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 8
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.evad.winEXE@5/2@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 21
  • Number of non-executed functions: 38
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, conhost.exe, svchost.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 64 | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | (see Confidence score above)


Classification

Analysis Advice

Sample might require command line arguments; analyze it with the command line cookbook.



Mitre Att&ck Matrix

(Numbers in parentheses are the count of matched signatures for that technique.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Command-Line Interface (1) | Winlogon Helper DLL | Process Injection (1) | Software Packing (1) | Credential Dumping | Process Discovery (1) | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection (1) | Network Sniffing | Security Software Discovery (11) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | File Deletion (1) | Input Capture | System Information Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol

Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB259B FindFirstFileA,FindClose,1_2_00DB259B
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Code function: 2_2_00D3259B FindFirstFileA,FindClose,2_2_00D3259B

System Summary:

Creates mutexes
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Mutant created: \Sessions\2\BaseNamedObjects\Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}
Sample file is different than original file name gathered from version info
Source: WBKDqSfWLj.exe, 00000001.00000002.1213976947.009A0000.00000002.sdmp | Binary or memory string: System.OriginalFileName vs WBKDqSfWLj.exe
Source: WBKDqSfWLj.exe, 00000001.00000002.1214215571.00A50000.00000008.sdmp | Binary or memory string: originalfilename vs WBKDqSfWLj.exe
Source: WBKDqSfWLj.exe, 00000001.00000002.1214215571.00A50000.00000008.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WBKDqSfWLj.exe
Source: WBKDqSfWLj.exe, 00000001.00000002.1214228725.00A70000.00000008.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs WBKDqSfWLj.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | File read: C:\Users\user\Desktop\WBKDqSfWLj.exe
Spawns drivers
Source: unknown | Driver loaded: C:\Windows\system32\drivers\WudfPf.sys
Classification label
Source: classification engine | Classification label: mal64.evad.winEXE@5/2@0/0
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB1C33 CreateToolhelp32Snapshot,Thread32First,CloseHandle,GetCurrentProcessId,OpenThread,SuspendThread,CloseHandle,Thread32Next,GetLastError,CloseHandle,GetLastError,1_2_00DB1C33
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB13D0 FindResourceA,LoadResource,LockResource,1_2_00DB13D0
Creates temporary files
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | File created: C:\Users\user~1\AppData\Local\Temp\cnwog.exe
Found command line output
Source: C:\Windows\System32\cmd.exe | Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d...........0.(.O.....V.ZJ....T.0.Q.#v..0......."vd.0.&...`.....,.....
PE file has an executable .text section and no other executable section
Source: WBKDqSfWLj.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\WBKDqSfWLj.exe 'C:\Users\user\Desktop\WBKDqSfWLj.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\cnwog.exe 'C:\Users\user~1\AppData\Local\Temp\cnwog.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Process created: C:\Users\user\AppData\Local\Temp\cnwog.exe 'C:\Users\user~1\AppData\Local\Temp\cnwog.exe'
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: WBKDqSfWLj.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected packer (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Unpacked PE file: 1.2.WBKDqSfWLj.exe.400000.1.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB1903 IsBadReadPtr,LoadLibraryA,GetProcAddress,IsBadReadPtr,1_2_00DB1903

Persistence and Installation Behavior:

Windows Update Standalone Installer command line found (may be used to bypass UAC)
Source: WBKDqSfWLj.exe | Memory string: .exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep
Source: cnwog.exe | Memory string: cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep
Source: cnwog.exe, 00000002.00000002.1212803884.00D31000.00000020.sdmp | Memory string: HvCLIENT32"%s" /exploit"%s" /uacGlobal\AtomFunsysprep.exelogonui.exeutilman.exeuser32.dllwsprintfAwvsprintfAmsvcrt.dll_vscprintf ComSpec/c del %s >> NULGlobal\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}/executable/uac/exploit/runmainadvapi32.dllAddMandatoryAcecmd.exe /C %scmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep\system32\sysprep\cryptbase.dll\system32\sysprep\sysprep.exemakecab.exe /V1 %s %s\cryptbase.msu\cryptbase.dll\%.8x.tmpkernel32.dllIsWow64ProcessWinExecLoadLibraryA.rsrc\uxtheme.dllj
Source: cnwog.exe, 00000002.00000000.1210833158.00D31000.00000020.sdmp | Memory string: DTDhD FCLIENT32"%s" /exploit"%s" /uacGlobal\AtomFunsysprep.exelogonui.exeutilman.exeuser32.dllwsprintfAwvsprintfAmsvcrt.dll_vscprintf ComSpec/c del %s >> NULGlobal\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}/executable/uac/exploit/runmainadvapi32.dllAddMandatoryAcecmd.exe /C %scmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep\system32\sysprep\cryptbase.dll\system32\sysprep\sysprep.exemakecab.exe /V1 %s %s\cryptbase.msu\cryptbase.dll\%.8x.tmpkernel32.dllIsWow64ProcessWinExecLoadLibraryA.rsrc\uxtheme.dllj
Drops PE files
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | File created: C:\Users\user~1\AppData\Local\Temp\cnwog.exe

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_1-1574)
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_2-1405)
Found evasive API chain checking for user administrative privileges
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode (graph_1-1411)
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode (graph_2-1241)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB1C33 CreateToolhelp32Snapshot,Thread32First,CloseHandle,GetCurrentProcessId,OpenThread,SuspendThread,CloseHandle,Thread32Next,GetLastError,CloseHandle,GetLastError,1_2_00DB1C33
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-1701)
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_2-1432)
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_2-1303)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_1-1454)
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB259B FindFirstFileA,FindClose,1_2_00DB259B
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Code function: 2_2_00D3259B FindFirstFileA,FindClose,2_2_00D3259B
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: WBKDqSfWLj.exe, 00000001.00000002.1212775221.00470000.00000004.sdmp | Binary or memory string: vmbusres.dll/
Source: WBKDqSfWLj.exe, 00000001.00000002.1212775221.00470000.00000004.sdmp | Binary or memory string: vmbusres.dll/:2m
Program exit points
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | API call chain: ExitProcess graph end node (graph_1-1565)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | API call chain: ExitProcess graph end node (graph_1-1399)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | API call chain: ExitProcess graph end node (graph_1-1445)
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | API call chain: ExitProcess graph end node (graph_2-1229)
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | API call chain: ExitProcess graph end node (graph_2-1275)

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB1C33 CreateToolhelp32Snapshot,Thread32First,CloseHandle,GetCurrentProcessId,OpenThread,SuspendThread,CloseHandle,Thread32Next,GetLastError,CloseHandle,GetLastError,1_2_00DB1C33
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB1903 IsBadReadPtr,LoadLibraryA,GetProcAddress,IsBadReadPtr,1_2_00DB1903
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB3E80 mov eax, dword ptr fs:[00000030h] 1_2_00DB3E80
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Code function: 2_2_00D33E80 mov eax, dword ptr fs:[00000030h] 2_2_00D33E80

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Process created: C:\Users\user\AppData\Local\Temp\cnwog.exe 'C:\Users\user~1\AppData\Local\Temp\cnwog.exe'
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB2604 AllocateAndInitializeSid,_memset,GetModuleHandleA,SetEntriesInAclA,LocalAlloc,LocalAlloc,LocalFree,_memset,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LoadLibraryA,GetProcAddress,LocalAlloc,InitializeAcl,AllocateAndInitializeSid,SetSecurityDescriptorSacl,GetLastError,FreeSid,GetLastError,LocalFree,GetLastError,GetLastError,LocalFree,GetLastError,LocalFree,GetLastError,FreeSid,GetLastError,1_2_00DB2604
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB2604 AllocateAndInitializeSid,_memset,GetModuleHandleA,SetEntriesInAclA,LocalAlloc,LocalAlloc,LocalFree,_memset,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LoadLibraryA,GetProcAddress,LocalAlloc,InitializeAcl,AllocateAndInitializeSid,SetSecurityDescriptorSacl,GetLastError,FreeSid,GetLastError,LocalFree,GetLastError,GetLastError,LocalFree,GetLastError,LocalFree,GetLastError,FreeSid,GetLastError,1_2_00DB2604

Language, Device and Operating System Detection:

Contains functionality to query windows version
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe | Code function: 1_2_00DB29C6 _memset,GetVersionExA,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,CloseHandle,CloseHandle,GetTokenInformation,CreateWellKnownSid,CheckTokenMembership,GetLastError,CloseHandle,IsUserAnAdmin,CloseHandle,GetLastError,IsUserAnAdmin,1_2_00DB29C6

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 716914; Sample: WBKDqSfWLj.exe; Start date: 19/11/2018; Architecture: WINDOWS; Score: 64

Graph nodes (reconstructed from the graph text):
  • Sample-level signatures: Windows Update Standalone Installer command line found (may be used to bypass UAC); Deletes itself after installation
  • WBKDqSfWLj.exe (started): dropped C:\Users\user~1\AppData\Local\...\cnwog.exe (PE32); Detected packer (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after checking mutex); Found evasive API chain checking for user administrative privileges
  • WudfPf.sys (started)
  • cnwog.exe (started by WBKDqSfWLj.exe): Found evasive API chain (may stop execution after checking mutex); Deletes itself after installation; Found evasive API chain checking for user administrative privileges
  • cmd.exe (started by cnwog.exe)

Simulations

Behavior and APIs

Time | Type | Description
21:56:14 | API Interceptor | 1x Sleep call for process: WBKDqSfWLj.exe modified
21:56:14 | API Interceptor | 1x Sleep call for process: cnwog.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.