
Windows Analysis Report
Scan 4405.vbs

Overview

General Information

Sample Name: Scan 4405.vbs
Analysis ID: 632579
MD5: 5e8adfeca0bdc8322938f25e46efa629
SHA1: bd6dad1a8d3335216e53217773b798c553cdfae1
SHA256: ab87133662dddfbede53d3bbb558cb5f0720ffdd42136358c1a30f1d9919aba7

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found potential dummy code loops (likely to delay analysis)
Potential malicious VBS script found (suspicious strings)
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage

Classification

  • System is w10x64native
  • wscript.exe (PID: 8880, cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Scan 4405.vbs", MD5: 0639B0A6F69B3265C1E42227D650B7D1)

No configs have been found

Yara matches

Source: Scan 4405.vbs
Rule: WScript_Shell_PowerShell_Combo
Description: Detects malware from Middle Eastern campaign reported by Talos
Author: Florian Roth
Matched strings:
  • 0x17e0b:$s1: .CreateObject("WScript.Shell")
  • 0x17fa7:$p1: powershell.exe
No Sigma rule has matched
No Snort rule has matched


System Summary

Source: Initial file; Suspicious string: STEGHE.ShellExecute vicilinaf, espressoe & chr(34) & DRIVHUS & chr(34), vbnullstring, vbnullstring, 0
Source: Scan 4405.vbs, type: SAMPLE; Matched rule: WScript_Shell_PowerShell_Combo (date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b)
Source: Scan 4405.vbs; Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe; Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe; Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine; Classification label: mal48.evad.winVBS@1/0@0/0
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: unknown; Process created: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Scan 4405.vbs"
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer

Anti Debugging

Source: C:\Windows\System32\wscript.exe; Process Stats: CPU usage > 85% for more than 60s
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Techniques with matched signatures (tactic; technique; signature count as printed in the matrix):

  • Execution; Scripting; 121
  • Persistence; DLL Side-Loading; 1
  • Privilege Escalation; DLL Side-Loading; 1
  • Defense Evasion; Virtualization/Sandbox Evasion; 11
  • Defense Evasion; Scripting; 121
  • Defense Evasion; DLL Side-Loading; 1
  • Defense Evasion; Obfuscated Files or Information; 1
  • Discovery; Security Software Discovery; 1
  • Discovery; Virtualization/Sandbox Evasion; 11
  • Discovery; System Information Discovery; 2

All remaining matrix cells (Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact, and the other Execution, Persistence, Privilege Escalation and Discovery entries) carry no signature count.

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample (Source; Detection; Scanner; Label):
  • Scan 4405.vbs; 5%; Virustotal; (no label)
  • Scan 4405.vbs; 2%; ReversingLabs; Win32.Trojan.Generic

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches

Domains (Source; Detection; Scanner; Label):
  • dual-a-0001.dc-msedge.net; 0%; Virustotal; (no label)
  • e-0009.e-msedge.net; 0%; Virustotal; (no label)

URLs: No Antivirus matches

Contacted domains (Name; IP; Active; Malicious; Antivirus Detection; Reputation):
  • dual-a-0001.dc-msedge.net; 13.107.22.200; true; false; (none); unknown
  • e-0009.e-msedge.net; 13.107.5.88; true; false; (none); unknown

No contacted IP infos
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 632579
Start date and time: 2022-05-23 20:29:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Scan 4405.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.evad.winVBS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .vbs
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, MusNotificationUx.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.117.96.136, 20.54.122.82, 20.82.207.122
  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, wdcpalt.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, login.live.com, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, img-prod-cms-rt-microsoft-com.akamaized.net, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com
No simulations
No context
Context (Match; IP; Associated Sample Name / URL). Every associated sample listed below is flagged malicious in its own Joe Sandbox report.

e-0009.e-msedge.net; 13.107.5.88:
  • 000424913.vbs
  • Order list. Norway.vbs
  • SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
  • CPfUbF38MW.exe
  • SecuriteInfo.com.Artemis2A130FA40314.26375.exe
  • PAGOS_TR.EXE
  • Drawings and artwork.vbs
  • unpacked.dll
  • DEZM1IJeDy.dll
  • Bank Details.exe
  • SecuriteInfo.com.Variant.Tedy.117589.31971.exe
  • njUIPPVrud.exe
  • k04sKtfoKn.dll
  • YH9rOirMvU.exe
  • Invoice_VC85262241.xll
  • SD 2477.exe
  • fax - Payment -A.xll
  • PO2136634.xll
  • WWVN_INVOICE_8363567453.vbs
  • ShipmentReceipt_Notification_2022march05PDF.vbs

dual-a-0001.dc-msedge.net; 131.253.33.200:
  • Order list. Norway.vbs
  • ekli siparis.exe
  • vbc.exe
  • SecuriteInfo.com.Trojan.DownLoader44.60969.20360.exe
  • CPfUbF38MW.exe
  • https://bit.ly/3aiiYjr
  • SecuriteInfo.com.W32.AIDetect.malware2.23312.exe
  • Nova narudzba u prilogu.exe
  • JXPtP7tXBS.exe
  • WfMfXJYfU5.exe
  • SecuriteInfo.com.W32.AIDetectNet.01.7510.exe
  • SecuriteInfo.com.Variant.Ulise.361632.3042.exe
  • FQEazFkwS3.exe
  • Form - May 17, 2022.lnk
  • 8fm35kW2EG.exe
  • Electronic form.lnk
  • New Folder.lnk
  • rrmix.exe
  • U637.lnk

dual-a-0001.dc-msedge.net; 13.107.22.200:
  • http://4rsm4nd8zbmg7pvafc0q8v.hair%5C%5C#gPwjc8qeJg0jZDmp
No context
No context
No context
No created / dropped files found
File type: ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit): 5.680075831434168
TrID:
  • Visual Basic Script (13500/0) 100.00%
File name: Scan 4405.vbs
File size: 98906
MD5: 5e8adfeca0bdc8322938f25e46efa629
SHA1: bd6dad1a8d3335216e53217773b798c553cdfae1
SHA256: ab87133662dddfbede53d3bbb558cb5f0720ffdd42136358c1a30f1d9919aba7
SHA512: f0b733424fd4e3ceb971c46280ac54a32f0e4180f84c61c8c07e623eeae83ad86971384ac97fd95e8172c2e2aba87cc0c7a20f937f5079d5371a72666e9acd72
SSDEEP: 1536:hxs1Mwn50M7Sp5riTA4455Ib0BDKAhhIO7M5j3CCj41Rf58IKiAQIBq9:IpCXp4C5IQN5hOO7M5DK1Rf5JKLQIk9
TLSH: A5A3709CA7D2DDBB66C4CB647DAF4B035D4694E198FE01F7244A28D6A41C7F08E2E803
File Content Preview: 'Skyldfr Medal Finan Westerl FURUNCLESK MICRON DISPOSSE noncan LIZARYOCTA Mjavdefens Monitering Misalp eksklu Pelsvrker ..'UNENTHUSED lyophobic Ozonl Tortonian3 datas Bugtnin Tabskont coronet Trowelerha Retina5 NODDYEK maksi CRINALWI tachylyti Piet Undef4
Icon Hash: e8d69ece869a9ec4
No network behavior found


Target ID: 0
Start time: 20:33:28
Start date: 23/05/2022
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Scan 4405.vbs"
Imagebase: 0x7ff7387f0000
File size: 170496 bytes
MD5 hash: 0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

No disassembly