Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:1382780
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7084 cmdline: cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml"", CommandLine: cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml"", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5444, ProcessCommandLine: cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml"", ProcessId: 7084, ProcessName: cmd.exe
Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml"", CommandLine: cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml"", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5444, ProcessCommandLine: cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml"", ProcessId: 7084, ProcessName: cmd.exe

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: classification engineClassification label: mal48.win@2/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_03
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ""c:\$windows.~bt\sources\setuphost.exe" /product client /install /package /priority normal /quiet /reportid 2871d66d-99c8-4ca9-932a-b1e007bea7ea.1 /flightdata "ng:1a2026" "/cancelid" "c-6f10a960-131b-461f-bf41-78a5c0c4199a" "/pauseid" "p-6f10a960-131b-461f-bf41-78a5c0c4199a" "/correlationvector" "6vqqppizuku6olc+.4.2.2.3" "/actionlistfile" "c:\windows\softwaredistribution\download\a99074ffb812b7178ce0ca2c278c9f80\actionlist.xml""

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		Path Interception1
Process Injection		1
Process Injection		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1382780 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 29/01/2024 Architecture: WINDOWS Score: 48 10 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->10 12 Sigma detected: Invoke-Obfuscation VAR+ Launcher 2->12 6 cmd.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:39.0.0 Ruby
Analysis ID:1382780
Start date and time:2024-01-29 15:45:50 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 21s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.win@2/0@0/0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

No static file info

Network Behavior

No network behavior found

Statistics

CPU Usage

01234s020406080100

Click to jump to process

Memory Usage

01234sMB

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:15:46:36
Start date:29/01/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C ""C:\$WINDOWS.~BT\Sources\SetupHost.Exe" /Product Client /Install /Package /Priority Normal /Quiet /ReportId 2871D66D-99C8-4CA9-932A-B1E007BEA7EA.1 /FlightData "NG:1A2026" "/CancelId" "C-6f10a960-131b-461f-bf41-78a5c0c4199a" "/PauseId" "P-6f10a960-131b-461f-bf41-78a5c0c4199a" "/CorrelationVector" "6VqqppiZuku6olC+.4.2.2.3" "/ActionListFile" "C:\windows\SoftwareDistribution\Download\a99074ffb812b7178ce0ca2c278c9f80\ActionList.xml""
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:1
Start time:15:46:36
Start date:29/01/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

No disassembly