DYNAMIC ANALYSIS REPORT #1525030
MALICIOUS
Classifications: -
Threat Names:
C2/Generic-A Trojan.GenericKD.44048038
Gen:Variant.Razy.590558
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name file.exe
ID #563495
MD5 ab53cd13ca703591193702730cd94ba2
SHA1 68b4b5aa7974c68dce30ce3e6cdf93951349818b
SHA256 14ba94a3d2b3a62280bdddddb5c9b1bb156c5278a4070137b9fe49fafa8c9d5b
File Size 21.65 KB
Report Created 2021-05-28 10:21 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 22
OVERVIEW
VMRay Threat Identifiers (4 rules, 8 matches)
Score Category Operation Count Classification
4/5 Anti Analysis Tries to evade analysis 1 -
• (Process #1) file.exe is possibly trying to evade analysis via web time checks.
4/5 Antivirus Malicious content was detected by heuristic scan 5 -
• Built-in AV detected the sample itself as "Trojan.GenericKD.44048038".
• Built-in AV detected "Trojan.GenericKD.44048038" in the PCAP of the analysis.
• Built-in AV detected "Trojan.GenericKD.44048038" in the request data of URL "www.virustotal.com/vtapi/v2/file/scan".
• Built-in AV detected a memory dump of (process #1) file.exe as "Gen:Variant.Razy.590558".
• Built-in AV detected a memory dump of (process #1) file.exe as "Trojan.GenericKD.44048038".
4/5 Reputation Contacts known malicious URL 1 -
• Reputation analysis labels the URL "a6281279.yolox.net/gate.php" which was contacted by (process #1) file.exe as "C2/Generic-A".
1/5 Discovery Enumerates running processes 1 -
• (Process #1) file.exe enumerates running processes.
- Trusted File has embedded known clean URL 13 -
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\k8jxac1q.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\78caa1vi.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\cm04e9iu.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\tae4d3wz.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\z0o08u2a.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\u61xjywr.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8e2iig3a.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ilqnx3tn.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ga8jvvlq.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8p7re3r8.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\to8c1znp.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\a3ecrrfh.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ajx0k1dk.htm" is a known clean URL.
Remarks
Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "47 seconds" to "47.0 milliseconds" to reveal dormant functionality.
Mitre ATT&CK Matrix
Initial Access -
Execution -
Persistence -
Privilege Escalation -
Defense Evasion -
Credential Access -
Discovery #T1057 Process Discovery
Lateral Movement -
Collection -
Command and Control -
Exfiltration -
Impact -
Sample Information
ID 1525030
MD5 ab53cd13ca703591193702730cd94ba2
SHA1 68b4b5aa7974c68dce30ce3e6cdf93951349818b
SHA256 14ba94a3d2b3a62280bdddddb5c9b1bb156c5278a4070137b9fe49fafa8c9d5b
SSDeep 384:bx02c+NiNMhaS9MySYitL93lppji83C8ARDr3QfTQkNEExIstAv3ATefCiigrcLR:62XiNCR9MLYWi8JsOOstAv3ATec460tK
ImpHash 1dddd34c0901a22f800f486f6751a070
Filename file.exe
File Size 21.65 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-05-28 10:21 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 1
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 30
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
NETWORK
General
7758.09 KB total sent
223.05 KB total received
1 port: 80
3 contacted IP addresses
54 URLs extracted
0 files downloaded
0 malicious hosts detected
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
3 URLs contacted, 3 servers
4 sessions, 7758.09 KB sent, 223.05 KB received
DNS
DNS Requests
-
HTTP/S
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
GET google.com/ 0 bytes N/A
POST www.virustotal.com/vtapi/v2/file/scan 0 bytes N/A
POST a6281279.yolox.net/gate.php 0 bytes N/A
GET https://about.google/?fg=1&utm_source=google-DE&utm_medium=referral&utm_campaign=hp-header 0 bytes N/A
GET https://store.google.com/DE?utm_source=hp_header&utm_medium=google_ooo&utm_campaign=GS100042&hl=de-DE 0 bytes N/A
GET https://mail.google.com/mail/&ogbl 0 bytes N/A
GET https://www.google.de/imghp?hl=de&ogbl 0 bytes N/A
GET https://www.google.de/intl/de/about/products 0 bytes N/A
GET https://accounts.google.com/ServiceLogin?hl=de&passive=true&continue=https://www.google.com/%3Fgws_rd%3Dssl&ec=GAZAmgQ 0 bytes N/A
GET https://support.google.com/websearch/answer/106230?hl=de 0 bytes N/A
GET https://www.google.com/intl/de_de/ads/?subid=ww-ww-et-g-awa-a-g_hpafoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpafooter&fg=1 0 bytes N/A
GET https://www.google.com/services/?subid=ww-ww-et-g-awa-a-g_hpbfoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpbfooter&fg=1 0 bytes N/A
GET https://google.com/search/howsearchworks/?fg=1 0 bytes N/A
GET https://sustainability.google/intl/de/commitments-europe/?utm_source=googlehpfooter&utm_medium=housepromos&utm_campaign=bottom-footer&utm_content= 0 bytes N/A
GET https://policies.google.com/privacy?hl=de&fg=1 0 bytes N/A
GET https://policies.google.com/terms?hl=de&fg=1 0 bytes N/A
GET https://www.google.com/preferences?hl=de&fg=1 0 bytes N/A
GET https://support.google.com/websearch/?p=ws_results_help&hl=de&fg=1 0 bytes N/A
GET https://policies.google.com/technologies/cookies?utm_source=ucbs&hl=de 0 bytes N/A
GET https://policies.google.com/privacy?hl=de&fg=1&utm_source=ucbs 0 bytes N/A
GET https://policies.google.com/terms?hl=de&fg=1&utm_source=ucbs 0 bytes N/A
GET https://myaccount.google.com/?utm_source=OGB&utm_medium=app 0 bytes N/A
GET https://www.google.de/webhp 0 bytes N/A
GET https://maps.google.de/maps?hl=de 0 bytes N/A
GET https://www.youtube.com/?gl=DE 0 bytes N/A
GET https://play.google.com/?hl=de 0 bytes N/A
GET https://news.google.com/ 0 bytes N/A
GET https://mail.google.com/mail/ 0 bytes N/A
GET https://meet.google.com/?hs=197 0 bytes N/A
GET https://chat.google.com/ 0 bytes N/A
GET https://contacts.google.com/?hl=de 0 bytes N/A
GET https://drive.google.com/ 0 bytes N/A
GET https://calendar.google.com/calendar 0 bytes N/A
GET https://translate.google.de/?hl=de 0 bytes N/A
GET https://photos.google.com/?pageId=none 0 bytes N/A
GET https://duo.google.com/?usp=duo_ald 0 bytes N/A
GET https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO 0 bytes N/A
GET https://www.google.de/shopping?hl=de&source=og 0 bytes N/A
GET https://docs.google.com/document/?usp=docs_alc 0 bytes N/A
GET https://docs.google.com/spreadsheets/?usp=sheets_alc 0 bytes N/A
GET https://docs.google.com/presentation/?usp=slides_alc 0 bytes N/A
GET https://books.google.de/?hl=de 0 bytes N/A
GET https://www.blogger.com/ 0 bytes N/A
GET https://hangouts.google.com/ 0 bytes N/A
GET https://keep.google.com/ 0 bytes N/A
GET https://jamboard.google.com/?usp=jam_ald 0 bytes N/A
GET https://earth.google.com/web/ 0 bytes N/A
GET https://www.google.de/save 0 bytes N/A
GET https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral 0 bytes N/A
GET https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2 0 bytes N/A
GET https://podcasts.google.com/ 0 bytes N/A
GET https://stadia.google.com/ 0 bytes N/A
GET https://www.google.com/travel/?dest_src=al 0 bytes N/A
GET https://docs.google.com/forms/?usp=forms_alc 0 bytes N/A
GET https://www.google.com/url?q=https://www.google.com/chrome/%3Fbrand%3DCHZN%26utm_source%3Dde-material-callout%26utm_medium%3Dmaterial-callout%26utm_campaign%3Dedge-search-switch-fast-chrome&source=hpp&id=19020306&ct=7&usg=AFQjCNHchfSnDi67U0c9WQ2wuGhJ9oj24w 0 bytes N/A
GET https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_84x28dp.png 0 bytes N/A
GET https://www.google.com/images/hpp/Chrome_Owned_96x96.png 0 bytes N/A
BEHAVIOR
Process Graph
Sample Start -> #1 file.exe
Process #1: file.exe
ID 1
Filename c:\users\rdhj0cnfevzx\desktop\file.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\file.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 77461, Reason: Analysis Target
Unmonitor End Time End Time: 318407, Reason: Terminated by Timeout
Monitor Duration 240.95s
Return Code Unknown
PID 3896
Parent PID 2104
Bitness 32 Bit
Dropped Files (13)
Filename File Size SHA256 YARA Match
- 155.90 KB 4bab15fab44cd2177975ce078921cba2c2f643aa1cafddde7c15f1f7a3cd9fb3
- 156.09 KB 49e3dde1f0e513cc425e3ebb55c47801d8275c27336686b882297fd322b06936
- 157.71 KB 56a633df2cad6d3f85c4756e25cc1664c27bdd67c0320a64f6ce32099bd61589
- 156.00 KB a411d6536b79bccf52a7692976f3192f4564b176704c83ea9f343e6a48ae76b0
- 155.91 KB b5b55cab3f88c4d60614a46ea4507048300b5da7ebb97d79fd64a8a5c069b867
- 155.97 KB 9d72ec7239c38f6869f8e7c0bbf213b14e471495f1be302389e2333901b73597
- 155.89 KB b32f9cd25c5b15f6272ecfa234629e68018430947beee036d3b97e2f8b5005ae
- 155.94 KB f6e01557696b65a6ad0db672334c8b4c900a87040e41724f3480954a4a2801e5
- 155.91 KB 775234e6d8150c4f86c6fda62410977e9499bb00c892d0260b37dd48d426cd06
- 157.08 KB 7b6eb0f4115031d5cf8782d456efdd1a28c038118739adda6ab35e321b43f95d
- 155.91 KB f5d96f3c5d3a170090f5267d40d8ca7f0414256e18774416dc7c84fb25354bcc
- 157.50 KB ae9b31bfba74a3803517a3eb99a1ca5d2f7bd98778b047c941edb93aa8eb8b0d
- 155.93 KB 9f47e73d3fd2137d0a7758e78f7c0dd86e1e597e5d1d12d58f1f725f6d83ca05
Host Behavior
Type Count
Module 1459
File 39
System 795
Process 2661
User 26
Network Behavior
Type Count
HTTP 28
TCP 4
ARTIFACTS
File
SHA256 Filenames Category Filesize MIME Type Operations Verdict
14ba94a3d2b3a62280bdddddb5c9b1bb156c5278a4070137b9fe49fafa8c9d5b
C:\Users\RDhJ0CNFevzX\Desktop\file.exe
Sample File 21.65 KB application/vnd.microsoft.portable-executable MALICIOUS
c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat
Modified File 128 bytes application/octet-stream CLEAN
4bab15fab44cd2177975ce078921cba2c2f643aa1cafddde7c15f1f7a3cd9fb3
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\k8jxac1q.htm
Dropped File 155.90 KB text/html CLEAN
49e3dde1f0e513cc425e3ebb55c47801d8275c27336686b882297fd322b06936
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\78caa1vi.htm
Dropped File 156.09 KB text/html CLEAN
56a633df2cad6d3f85c4756e25cc1664c27bdd67c0320a64f6ce32099bd61589
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\cm04e9iu.htm
Dropped File 157.71 KB text/html CLEAN
a411d6536b79bccf52a7692976f3192f4564b176704c83ea9f343e6a48ae76b0
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\tae4d3wz.htm
Dropped File 156.00 KB text/html CLEAN
b5b55cab3f88c4d60614a46ea4507048300b5da7ebb97d79fd64a8a5c069b867
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\z0o08u2a.htm
Dropped File 155.91 KB text/html CLEAN
9d72ec7239c38f6869f8e7c0bbf213b14e471495f1be302389e2333901b73597
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\u61xjywr.htm
Dropped File 155.97 KB text/html CLEAN
b32f9cd25c5b15f6272ecfa234629e68018430947beee036d3b97e2f8b5005ae
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8e2iig3a.htm
Dropped File 155.89 KB text/html CLEAN
f6e01557696b65a6ad0db672334c8b4c900a87040e41724f3480954a4a2801e5
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ilqnx3tn.htm
Dropped File 155.94 KB text/html CLEAN
775234e6d8150c4f86c6fda62410977e9499bb00c892d0260b37dd48d426cd06
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ga8jvvlq.htm
Dropped File 155.91 KB text/html CLEAN
7b6eb0f4115031d5cf8782d456efdd1a28c038118739adda6ab35e321b43f95d
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8p7re3r8.htm
Dropped File 157.08 KB text/html CLEAN
f5d96f3c5d3a170090f5267d40d8ca7f0414256e18774416dc7c84fb25354bcc
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\to8c1znp.htm
Dropped File 155.91 KB text/html CLEAN
ae9b31bfba74a3803517a3eb99a1ca5d2f7bd98778b047c941edb93aa8eb8b0d
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\a3ecrrfh.htm
Dropped File 157.50 KB text/html CLEAN
9f47e73d3fd2137d0a7758e78f7c0dd86e1e597e5d1d12d58f1f725f6d83ca05
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ajx0k1dk.htm
Dropped File 155.93 KB text/html CLEAN
Filename
Filename Category Operations Verdict
C:\Users\RDhJ0CNFevzX\Desktop\file.exe Accessed File Read, Access CLEAN
C:\Windows\System32\sihost.exe Accessed File Access CLEAN
C:\Windows\System32\taskhostw.exe Accessed File Access CLEAN
C:\Windows\explorer.exe Accessed File Access CLEAN
C:\Windows\System32\RuntimeBroker.exe Accessed File Access CLEAN
C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe Accessed File Access CLEAN
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Accessed File Access CLEAN
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Accessed File Access CLEAN
C:\Windows\System32\svchost.exe Accessed File Access CLEAN
C:\Windows\System32\backgroundTaskHost.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\iexplore.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\iexplore.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\keycivil.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\choice.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\major_simply_so.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\determinen't.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\shoulder-prepare-sure.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\ipull.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\not.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\task.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\personal.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\grow createletter.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\sit_scene_another.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\drug.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\difficult_these_medical.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\seat.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\servefearrisk.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\laughsingle.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\kind.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Multimedia Platform\evidence-bit.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\indicate_foot.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\childoutwork.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\near_industry.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\fpos.exe Accessed File Access CLEAN
C:\Program Files\Common Files\isspos.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\edcsvr.exe Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\mxslipstream.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\omnipos.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\spcwin.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\spgagentservice.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\utg2.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\creditservice.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\active-charge.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\yahoomessenger.exe Accessed File Access CLEAN
C:\Program Files\Windows Journal\webdrive.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\whatsapp.exe Accessed File Access CLEAN
C:\Program Files\Windows NT\winscp.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\thunderbird.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\trillian.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\skype.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\smartftp.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\pidgin.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\scriptftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\accupos.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\afr38.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\aldelo.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\ccv_server.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\centralcreditcard.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\outlook.exe Accessed File Access CLEAN
C:\Program Files\Windows Defender\operamail.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\ncftp.exe Accessed File Access CLEAN
C:\Program Files\Windows Journal\notepad.exe Accessed File Access CLEAN
C:\Program Files\Windows Defender\icq.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\leechftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\foxmailincmail.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\gmailnotifierpro.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\flashfxp.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\fling.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\far.exe Accessed File Access CLEAN
C:\Program Files\Windows NT\filezilla.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\coreftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\bitkinex.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\barca.exe Accessed File Access CLEAN
C:\Program Files\Common Files\alftp.exe Accessed File Access CLEAN
C:\Program Files\Microsoft Office 15\absolutetelnet.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\3dftp.exe Accessed File Access CLEAN
C:\Windows\System32\msfeedssync.exe Accessed File Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://a6281279.yolox.net/gate.php POST MALICIOUS
http://google.com 142.250.181.238 GET CLEAN
http://www.virustotal.com/vtapi/v2/file/scan 74.125.34.46 POST CLEAN
https://about.google/?fg=1&utm_source=google-DE&utm_medium=referral&utm_campaign=hp-header GET CLEAN
https://store.google.com/DE?utm_source=hp_header&utm_medium=google_ooo&utm_campaign=GS100042&hl=de-DE GET CLEAN
https://mail.google.com/mail/&ogbl GET CLEAN
https://www.google.de/imghp?hl=de&ogbl GET CLEAN
https://www.google.de/intl/de/about/products GET CLEAN
https://accounts.google.com/ServiceLogin?hl=de&passive=true&continue=https://www.google.com/%3Fgws_rd%3Dssl&ec=GAZAmgQ GET CLEAN
https://support.google.com/websearch/answer/106230?hl=de GET CLEAN
https://www.google.com/intl/de_de/ads/?subid=ww-ww-et-g-awa-a-g_hpafoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpafooter&fg=1 GET CLEAN
https://www.google.com/services/?subid=ww-ww-et-g-awa-a-g_hpbfoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpbfooter&fg=1 GET CLEAN
https://google.com/search/howsearchworks/?fg=1 GET CLEAN
https://sustainability.google/intl/de/commitments-europe/?utm_source=googlehpfooter&utm_medium=housepromos&utm_campaign=bottom-footer&utm_content= GET CLEAN
https://policies.google.com/privacy?hl=de&fg=1 GET CLEAN
https://policies.google.com/terms?hl=de&fg=1 GET CLEAN
https://www.google.com/preferences?hl=de&fg=1 GET CLEAN
https://support.google.com/websearch/?p=ws_results_help&hl=de&fg=1 GET CLEAN
https://policies.google.com/technologies/cookies?utm_source=ucbs&hl=de GET CLEAN
https://policies.google.com/privacy?hl=de&fg=1&utm_source=ucbs GET CLEAN
https://policies.google.com/terms?hl=de&fg=1&utm_source=ucbs GET CLEAN
https://myaccount.google.com/?utm_source=OGB&utm_medium=app GET CLEAN
https://www.google.de/webhp GET CLEAN
https://maps.google.de/maps?hl=de GET CLEAN
https://www.youtube.com/?gl=DE GET CLEAN
https://play.google.com/?hl=de GET CLEAN
https://news.google.com GET CLEAN
https://mail.google.com/mail/ GET CLEAN
https://meet.google.com/?hs=197 GET CLEAN
https://chat.google.com GET CLEAN
https://contacts.google.com/?hl=de GET CLEAN
https://drive.google.com GET CLEAN
https://calendar.google.com/calendar GET CLEAN
https://translate.google.de/?hl=de GET CLEAN
https://photos.google.com/?pageId=none GET CLEAN
https://duo.google.com/?usp=duo_ald GET CLEAN
https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO GET CLEAN
https://www.google.de/shopping?hl=de&source=og GET CLEAN
https://docs.google.com/document/?usp=docs_alc GET CLEAN
https://docs.google.com/spreadsheets/?usp=sheets_alc GET CLEAN
https://docs.google.com/presentation/?usp=slides_alc GET CLEAN
https://books.google.de/?hl=de GET CLEAN
https://www.blogger.com GET CLEAN
https://hangouts.google.com GET CLEAN
https://keep.google.com GET CLEAN
https://jamboard.google.com/?usp=jam_ald GET CLEAN
https://earth.google.com/web/ GET CLEAN
https://www.google.de/save GET CLEAN
https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral GET CLEAN
https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2 GET CLEAN
https://podcasts.google.com GET CLEAN
https://stadia.google.com GET CLEAN
https://www.google.com/travel/?dest_src=al GET CLEAN
https://docs.google.com/forms/?usp=forms_alc GET CLEAN
https://www.google.com/chrome/?brand=CHZN&utm_source=de-material-callout&utm_medium=material-callout&utm_campaign=edge-search-switch-fast-chrome GET CLEAN
https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_84x28dp.png GET CLEAN
https://www.google.com/images/hpp/Chrome_Owned_96x96.png GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
google.com 142.250.181.238 HTTP, HTTPS CLEAN
www.google.com HTTPS CLEAN
www.virustotal.com 74.125.34.46 HTTP CLEAN
a6281279.yolox.net HTTP CLEAN
about.google HTTPS CLEAN
store.google.com HTTPS CLEAN
mail.google.com HTTPS CLEAN
www.google.de HTTPS CLEAN
accounts.google.com HTTPS CLEAN
support.google.com HTTPS CLEAN
sustainability.google HTTPS CLEAN
policies.google.com HTTPS CLEAN
myaccount.google.com HTTPS CLEAN
maps.google.de HTTPS CLEAN
www.youtube.com HTTPS CLEAN
play.google.com HTTPS CLEAN
news.google.com HTTPS CLEAN
meet.google.com HTTPS CLEAN
chat.google.com HTTPS CLEAN
contacts.google.com HTTPS CLEAN
drive.google.com HTTPS CLEAN
calendar.google.com HTTPS CLEAN
translate.google.de HTTPS CLEAN
photos.google.com HTTPS CLEAN
duo.google.com HTTPS CLEAN
docs.google.com HTTPS CLEAN
books.google.de HTTPS CLEAN
www.blogger.com HTTPS CLEAN
hangouts.google.com HTTPS CLEAN
keep.google.com HTTPS CLEAN
jamboard.google.com HTTPS CLEAN
earth.google.com HTTPS CLEAN
artsandculture.google.com HTTPS CLEAN
ads.google.com HTTPS CLEAN
podcasts.google.com HTTPS CLEAN
stadia.google.com HTTPS CLEAN
www.gstatic.com HTTPS CLEAN
IP
IP Address Domains Country Protocols Verdict
172.217.18.100 www.google.com United States HTTP, HTTPS, TCP, DNS CLEAN
74.125.34.46 www.virustotal.com, ghs-svc-https-c46.ghs-ssl.googlehosted.com United States HTTP, TCP, DNS CLEAN
142.250.181.238 google.com United States HTTP, TCP, DNS CLEAN
Email Address
-
Mutex
-
Registry
-
Process
Process Name Commandline Verdict
file.exe "C:\Users\RDhJ0CNFevzX\Desktop\file.exe" SUSPICIOUS
YARA / AV
Antivirus (30)
File Type Threat Name Filename Verdict
SAMPLE Trojan.GenericKD.44048038 C:\Users\RDhJ0CNFevzX\Desktop\file.exe MALICIOUS
WEB_REQUEST Trojan.GenericKD.44048038 - MALICIOUS
WEB_REQUEST Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Gen:Variant.Razy.590558 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS
MEMORY_DUMP Gen:Variant.Razy.590558 - MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update Release Date 2021-05-28 05:53:31+00:00
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed