Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
excel-udf-host.win32.new.bundle

Overview

General Information

Sample name:excel-udf-host.win32.new.bundle
Analysis ID:1403078
MD5:37e76885fa6a967dc5a7e84afb326bcc
SHA1:552f078f2991992f390da456b98f895836d46b34
SHA256:be3e59fa645a45c15d3a053c7eff056b71b1428598b12977a00df39c520c2274
Infos:

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64_ra
  • wscript.exe (PID: 7056 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\excel-udf-host.win32.new.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\excel-udf-host.win32.new.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\excel-udf-host.win32.new.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\excel-udf-host.win32.new.js", ProcessId: 7056, ProcessName: wscript.exe
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\excel-udf-host.win32.new.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\excel-udf-host.win32.new.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\excel-udf-host.win32.new.js", ProcessId: 7056, ProcessName: wscript.exe

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
Source: classification engineClassification label: sus22.winBUNDLE@1/0@0/0
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid AccountsWindows Management Instrumentation1
Scripting		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping2
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		Boot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
excel-udf-host.win32.new.bundle5%ReversingLabsScript-JS.Exploit.NeutrinoEK

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1403078
Start date and time:2024-03-05 00:58:19 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:excel-udf-host.win32.new.bundle
Detection:SUS
Classification:sus22.winBUNDLE@1/0@0/0
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: excel-udf-host.win32.new.bundle

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):5.251335133964849
TrID:
  • Java Script (8504/1) 100.00%
File name:excel-udf-host.win32.new.bundle
File size:322'348 bytes
MD5:37e76885fa6a967dc5a7e84afb326bcc
SHA1:552f078f2991992f390da456b98f895836d46b34
SHA256:be3e59fa645a45c15d3a053c7eff056b71b1428598b12977a00df39c520c2274
SHA512:b479cec3c4ed31826d574e62cc7d4a1e13cf30b69bc4d3246bd44f13182defb1aa9f034ed5a473ac4f3f268eb956608d68c6c15b5ef013e40ae0d832de7d994c
SSDEEP:3072:H/Eesht3ZC0x82bCLNp6qIz1FTZU8jUwXWyTah4awqndnUUi2Yp/Ll4ehMNPW:H/EJt3ZCcXbkNp6PQKl4DPW
TLSH:5464298CF765B432439B30B6A02F210FE3375459640DD478F209C5DA6CFA98AA267F79
File Content Preview:var OSFPerformance,CustomFunctionMappings,Microsoft,Strings;!function(e){e.now=function(){return"undefined"!=typeof performance&&performance.now?performance.now():0},e.getTotalJSHeapSize=function(){return"undefined"!=typeof performance&&performance.memory

File Icon

Icon Hash:68d69b8bb6aa9a86