Analysis Report http://cobalten.com/apu.php?zoneid=1543391

Overview

General Information

Sample URL: http://cobalten.com/apu.php?zoneid=1543391
Analysis ID: 324344

Most interesting Screenshot:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Found WSH timer for Javascript or VBS script (likely evasive script)
Potential browser exploit detected (process start blacklist hit)

Classification

AV Detection:

barindex
Multi AV Scanner detection for domain / URL
Source: cobalten.com Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for submitted file
Source: http://cobalten.com/apu.php?zoneid=1543391 Virustotal: Detection: 6% Perma Link
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ Jump to behavior

Software Vulnerabilities:

barindex
Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Windows\System32\wscript.exe Jump to behavior
Source: global traffic HTTP traffic detected: GET /apu.php?zoneid=1543391 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: cobalten.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cobalten.com
Source: wscript.exe, 00000007.00000003.701380758.000001BA88B3F000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.899911273.000001BA88B5F000.00000004.00000001.sdmp String found in binary or memory: http://cobalten.com/options?option_args=CN-ZXhIgMmRlNzVmMTY0MmIxNDM5OGJlZjc5ZTZiOTM5OGRkMTIaKmh0dHA6
Source: classification engine Classification label: mal56.win@5/9@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9FB0D29-3221-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF7D86A71D5668986C.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6704 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6704 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js' Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000007.00000002.899337256.000001BA86E60000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000007.00000002.899337256.000001BA86E60000.00000002.00000001.sdmp
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ Jump to behavior
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324344 URL: http://cobalten.com/apu.php... Startdate: 29/11/2020 Architecture: WINDOWS Score: 56 15 Multi AV Scanner detection for domain / URL 2->15 17 Multi AV Scanner detection for submitted file 2->17 6 iexplore.exe 4 57 2->6         started        process3 process4 8 iexplore.exe 26 6->8         started        11 wscript.exe 6->11         started        dnsIp5 13 cobalten.com 139.45.196.83, 49730, 49731, 80 RETN-ASEU Netherlands 8->13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
139.45.196.83
 unknown Netherlands
9002 RETN-ASEU true

Contacted Domains

Name IP Active
cobalten.com 139.45.196.83 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://cobalten.com/apu.php?zoneid=1543391 true
    		unknown
    0 true low