
Analysis Report http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D

Overview

General Information

Sample URL:http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D
Analysis ID:353068

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:100%
Note: the score rates only the behaviour of the sandbox's own cmd.exe and wget.exe. The download failed with HTTP 403 Forbidden (see the cmdline.out preview and the cookbook comment "Unable to download file"), so no payload was fetched or executed; a score of 0 on this run says nothing about the file behind the URL.

Signatures

No high impact signatures.

Classification

Classification chart (not reproduced). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean / suspicious / malicious. Verdict for this run: clean.
  • System is w10x64
  • cmd.exe (PID: 2016 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 740 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures; the entries below are the informational behaviour signatures that fired.

Source: classification engine | Classification label: clean0.win@4/1@0/0
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D'
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Only the techniques carrying a count matched a signature; the rest of the matrix is the fixed template of the report.
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Process Injection (1), Masquerading (1)
  • Discovery: System Information Discovery (1), Remote System Discovery (1)
  • Template entries without a match: Initial Access (Valid Accounts, Default Accounts); Execution (Windows Management Instrumentation, Scheduled Task/Job); Persistence (Path Interception, Boot or Logon Initialization Scripts); Privilege Escalation (Boot or Logon Initialization Scripts); Credential Access (OS Credential Dumping, LSASS Memory); Lateral Movement (Remote Services, Remote Desktop Protocol); Collection (Data from Local System, Data from Removable Media); Exfiltration (Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth); Command and Control (Data Obfuscation, Junk Data); Network Effects (Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS); Remote Service Effects (Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization); Impact (Modify System Partition, Device Lockout)
Behavior Graph (the rendered graph is not reproduced; its labels follow)

Behavior Graph ID: 353068
URL: http://9.tlu.dl.delivery.mp... (truncated in the graph label)
Startdate: 15/02/2021
Architecture: WINDOWS
Score: 0
Graph nodes: cmd.exe started wget.exe and conhost.exe
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Source | Detection | Scanner | Label
http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D | 0% | Avira URL Cloud | safe
No Antivirus matches


No contacted domains info
No contacted IP infos
(The delivery host 9.tlu.dl.delivery.mp.microsoft.com and its addresses 205.185.216.10 and 205.185.216.42 are on the analysis whitelist listed under Warnings below, so the connection wget made, visible in cmdline.out, is not reported here.)

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:353068
Start date:15.02.2021
Start time:15:17:46
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 41s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:urldownload.jbs
Sample URL:http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean0.win@4/1@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Unable to download file
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 104.43.193.48, 40.88.32.150, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, 9.tlu.dl.delivery.mp.microsoft.com, watson.telemetry.microsoft.com, skypedataprdcolcus15.cloudapp.net, cds.f7y3z2w8.hwcdn.net
No simulations
No context
C:\Users\user\Desktop\cmdline.out
Process:C:\Windows\SysWOW64\wget.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):599
Entropy (8bit):5.527078492046677
Encrypted:false
SSDEEP:12:HjUdeeDMDDIspDSNDCY0eedc8eeRsh8eedc8eepst1De5RhkgsmUQrwsf:4deeYDDdpICdee9ee2Cee9ee+txePfk+
MD5:D7BDD46A4FC5B20EA869B1A13F338F55
SHA1:99B87468C83FB1C58AA93CD3FBBD5B7B0D92441C
SHA-256:37E1ABFD8437D7190A5CB7CDEFEE6A86A4C51C925786BEF298C6D9F6CF5EEF7C
SHA-512:C554CAD34CD2D933D6B1789A9FF129F7193A92E7FFCEB14B68AC4A11BE491506234BBDDEBDB1FB5903568BB592022A8375E07B5F73DA6BD4676159483262613A
Malicious:false
Reputation:low
Preview (CRLF line ends rendered as line breaks):
--2021-02-15 15:18:33-- http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D
Resolving 9.tlu.dl.delivery.mp.microsoft.com (9.tlu.dl.delivery.mp.microsoft.com)... 205.185.216.10, 205.185.216.42
Connecting to 9.tlu.dl.delivery.mp.microsoft.com (9.tlu.dl.delivery.mp.microsoft.com)|205.185.216.10|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-02-15 15:18:33 ERROR 403: Forbidden.
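The wget log above is the evidence that the score covers only the downloader. The Python below is an added example written for this page, not Joe Sandbox code or output: it takes the facts visible in the report (the cmdline.out text, the cookbook comment, the whitelisted domains, the sample URL and the analysis start time, all constructed inline from the values shown) and decides whether a score of 0 is meaningful. It also decodes the P1 query value as a Unix timestamp; the report does not say what P1 is, so reading it as a link expiry is this example's assumption, the start time is taken as CET because the packet timestamps are labelled CET, and the function names are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# --- Inputs constructed from values visible in the report ---------------------

SAMPLE_URL = (
    "http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/"
    "5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&"
    "P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D"
)

# cmdline.out as previewed in the report, with its CRLF markers as newlines.
WGET_LOG = (
    "--2021-02-15 15:18:33--  " + SAMPLE_URL + "\n"
    "Resolving 9.tlu.dl.delivery.mp.microsoft.com (9.tlu.dl.delivery.mp.microsoft.com)... "
    "205.185.216.10, 205.185.216.42\n"
    "Connecting to 9.tlu.dl.delivery.mp.microsoft.com (9.tlu.dl.delivery.mp.microsoft.com)"
    "|205.185.216.10|:80... connected.\n"
    "HTTP request sent, awaiting response... 403 Forbidden\n"
    "2021-02-15 15:18:33 ERROR 403: Forbidden.\n"
)
COOKBOOK_COMMENTS = ["Adjust boot time", "Enable AMSI", "Unable to download file"]
EXCLUDED_DOMAINS = [
    "skypedataprdcoleus15.cloudapp.net", "blobcollector.events.data.trafficmanager.net",
    "9.tlu.dl.delivery.mp.microsoft.com", "watson.telemetry.microsoft.com",
    "skypedataprdcolcus15.cloudapp.net", "cds.f7y3z2w8.hwcdn.net",
]
# Report start time; treated as CET (UTC+1) like the packet timestamps (assumption).
ANALYSIS_START = datetime(2021, 2, 15, 15, 17, 46, tzinfo=timezone(timedelta(hours=1)))
SCORE = 0
CONTACTED_IPS = 0  # "No contacted IP infos"

HTTP_STATUS_RE = re.compile(r"HTTP request sent, awaiting response\.\.\. (\d{3})")
# "P13D" reads like "P1%3D" (i.e. "P1=") with the percent sign lost; accept all three spellings.
P1_RE = re.compile(r"P1(?:%3D|=|3D)(\d{10})")


def wget_http_status(log: str) -> Optional[int]:
    """Last HTTP status wget reported, or None if the log has no response line."""
    found = HTTP_STATUS_RE.findall(log)
    return int(found[-1]) if found else None


def decode_p1(url: str) -> Optional[datetime]:
    """Decode the P1 query value as a Unix timestamp in UTC.

    That P1 is a time field is an assumption of this example; the report does
    not state what the parameter means."""
    m = P1_RE.search(urlsplit(url).query)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def triage(score: int, log: str, cookbook_comments, contacted_ips: int,
           excluded_domains, url: str, analysis_start: datetime) -> dict:
    """Decide whether a score of 0 says anything about the payload behind the URL."""
    reasons = []
    status = wget_http_status(log)
    fetch_failed = status is None or status >= 400
    if fetch_failed:
        reasons.append(f"download failed (HTTP {status}); only the downloader's behaviour was scored")
    if any("unable to download" in c.lower() for c in cookbook_comments):
        reasons.append("cookbook reported 'Unable to download file'")
    host = urlsplit(url).hostname
    if host in excluded_domains:
        reasons.append(f"{host} is whitelisted, so its traffic is omitted from the network section")
    if contacted_ips == 0 and "connected." in log:
        reasons.append("wget connected to the server, yet the report lists no contacted IPs")
    p1 = decode_p1(url)
    if p1 is not None and p1 < analysis_start:
        reasons.append(f"P1 decodes to {p1.isoformat()}, before the analysis started; "
                       "if P1 is a link expiry (assumption) the signed URL had already lapsed")
    verdict = "inconclusive" if fetch_failed else ("clean" if score == 0 else "needs review")
    return {"verdict": verdict, "http_status": status,
            "p1_utc": p1.isoformat() if p1 else None, "reasons": reasons}


def triage_report() -> dict:
    """Run the triage over the constructed inputs above."""
    return triage(SCORE, WGET_LOG, COOKBOOK_COMMENTS, CONTACTED_IPS,
                  EXCLUDED_DOMAINS, SAMPLE_URL, ANALYSIS_START)


if __name__ == "__main__":
    result = triage_report()
    print(result["verdict"], result["http_status"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run as a script it prints "inconclusive 403" followed by the five reasons. The decision rule is deliberately conservative: any 4xx/5xx from the downloader, or a missing response line, downgrades a clean score to inconclusive, because the behaviour that was scored is the sandbox's own fetch tooling rather than the submitted content.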

Static File Info

No static file info

Network Behavior


Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/15/21-15:18:33.994897 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49739 | 205.185.216.10 | 192.168.2.4
This alert is the CDN's 403 response to wget's own request (server port 80 to the sandbox client 192.168.2.4), the same response recorded in cmdline.out; it reflects the failed fetch, not the content of the file.
Port-53 traffic to 8.8.8.8 (DNS; the report does not show the query names):

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 15, 2021 15:18:29.088980913 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:29.137986898 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:30.060862064 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:30.113598108 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:31.000587940 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:31.060560942 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:32.082618952 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:32.131289005 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:33.581793070 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:33.630352020 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:33.823318005 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:33.883471012 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:34.439888000 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:34.488948107 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:35.240544081 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:35.289196968 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Feb 15, 2021 15:18:36.120799065 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Feb 15, 2021 15:18:36.172341108 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4

Code Manipulations

Statistics

CPU usage, memory usage and high-level behavior distribution charts are not reproduced; the behavior distribution covers two categories, File and Network.
System Behavior

Start time:15:18:31
Start date:15/02/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D' > cmdline.out 2>&1
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Start time:15:18:32
Start date:15/02/2021
Path:C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):true
Commandline:wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cfe995e-cbf1-4feb-8c93-2ddc9af59a47?P13D1613207013&P23D404&P33D2&P43DfYU0%2BIxNSCMSp/zRPdtDif4MidhxVMUS8i8wPIhU67y0MFHZlSYg5k%2BoSGddtALPD9jYIlcCTPchEgFAzHE15A%3D%3D'
Imagebase:0x400000
File size:3895184 bytes
MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis