Play interactive tourEdit tour

Analysis Report

Overview

General Information

Analysis ID:431458
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64
  • cmd.exe (PID: 6448 cmdline: cmd /C 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6522763484430066279,6938161857771423687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engineClassification label: clean1.win@2/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6522763484430066279,6938161857771423687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6522763484430066279,6938161857771423687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3'
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsCommand and Scripting Interpreter1Path InterceptionProcess Injection1Process Injection1OS Credential DumpingSystem Information Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 431458 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 08/06/2021 Architecture: WINDOWS Score: 1 5 cmd.exe 1 2->5         started        process3 7 conhost.exe 5->7         started       
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:431458
Start date:08.06.2021
Start time:19:04:25
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 59s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.win@2/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No context
No context
No context
No context
No created / dropped files found

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

0102030s020406080100

Click to jump to process

Memory Usage

0102030sMB

Click to jump to process

Behavior

Click to jump to process

System Behavior

Start time:19:05:19
Start date:08/06/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6522763484430066279,6938161857771423687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3'
Imagebase:0x2a0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly