Windows Analysis Report
Chrom#U0435.U#U0440dat#U0435.zip

Overview

General Information

Sample Name: Chrom#U0435.U#U0440dat#U0435.zip
Analysis ID: 736959
MD5: c4971c73424f2728ef8771d8dcc5d7bc
SHA1: 00636308cac7b4d8dadd2590042ff1bbeb702e43
SHA256: 26106b07597873612b6cffd05d7f46564db4a2f90964c49906191bf0c8d7b180

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Source: unknown HTTPS traffic detected: 188.138.69.102:443 -> 192.168.2.3:49693 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.138.69.102:443 -> 192.168.2.3:49695 version: TLS 1.2

Networking

Source: C:\Windows\System32\wscript.exe Network Connect: 188.138.69.102 443
Source: Traffic Snort IDS: 2039597 ET TROJAN SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com) 192.168.2.3:56466 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2039597 ET TROJAN SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com) 192.168.2.3:53158 -> 1.1.1.1:53
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 188.138.69.102
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal56.evad.winZIP@2/0@0/11
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Chrom#U0435.U#U0440dat#U0435.zip Joe Sandbox Cloud Basic: Detection: clean Score: 2
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid