
Windows Analysis Report

Overview

General Information

Analysis ID: 1545199

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • cmd.exe (PID: 3200 cmdline: cmd /C ""C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 3136 cmdline: "C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft" MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

  • Source: classification engine | Classification label: clean1.win@4/0@0/0
  • Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
  • Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft""
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft"
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: textshaping.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: textinputframework.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: coreuicomponents.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: coremessaging.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: coremessaging.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
  • Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
  • Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
  • Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
  • Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Mitre Att&ck Matrix (numbers in parentheses are the match counts shown in the report)

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Scripting (1); Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Scripting (1); DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
  • Defense Evasion: Process Injection (11); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Information Discovery (1); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (rendered graph not included in this export)
    Behavior Graph ID: 1545199
    Cookbook: defaultwindowscmdlinecookbook.jbs
    Startdate: 30/10/2024
    Architecture: WINDOWS
    Score: 1
    Process nodes: cmd.exe (started) -> wscript.exe (started), conhost.exe (started)

No Antivirus matches
Contacted Domains
    Name: s-part-0017.t-0009.t-msedge.net
    IP: 13.107.246.45
    Active: true
    Malicious: false
    Antivirus Detection: (none listed)
    Reputation: unknown

    No contacted IP infos
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1545199
    Start date and time: 2024-10-30 08:27:57 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 1m 36s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: defaultwindowscmdlinecookbook.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 3
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: CLEAN
    Classification: clean1.win@4/0@0/0
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Stop behavior analysis, all processes terminated
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
    • Not all processes were analyzed, report is missing behavior information
    No simulations
    No context
    Match: s-part-0017.t-0009.t-msedge.net
    Associated Sample Name / URL | Detection | Threat Name | Context
    • Orden de Compra.xlam.xlsx | malicious | Unknown | 13.107.246.45
    • Orden de compra.xlam.xlsx | malicious | Unknown | 13.107.246.45
    • 608017382513614877.js | malicious | Strela Downloader | 13.107.246.45
    • PO-004976.xls | malicious | Unknown | 13.107.246.45
    • Orden de Compra No. 434565344657.xlam.xlsx | malicious | Unknown | 13.107.246.45
    • ORDEN7873097067.xlam.xlsx | malicious | Unknown | 13.107.246.45
    • DHL TRACKING.exe | malicious | FormBook | 13.107.246.45
    • https://trvelocity.petra-dee.org/index.php/campaigns/ao946pbrfq631/track-url/lk782m0eyna84/24e9f9ecc31181de7c43e9793836ee263a7fcd94%20%20office365_event_type%20alert | malicious | Unknown | 13.107.246.45
    • cotizaci#U00f2n.xlam.xlsx | malicious | Unknown | 13.107.246.45
    • AWB-M09CT560.docx.doc | malicious | Unknown | 13.107.246.45
    No created / dropped files found
    No static file info
    DNS Answers

    Timestamp: Oct 30, 2024 08:28:55.999530077 CET
    Source IP: 1.1.1.1
    Dest IP: 192.168.2.6
    Trans ID: 0x76c3
    Reply Code: No error (0)
    Name: shed.dual-low.s-part-0017.t-0009.t-msedge.net
    CName: s-part-0017.t-0009.t-msedge.net
    Address: (none)
    Type: CNAME (Canonical name)
    Class: IN (0x0001)
    DNS over HTTPS: false

    Timestamp: Oct 30, 2024 08:28:55.999530077 CET
    Source IP: 1.1.1.1
    Dest IP: 192.168.2.6
    Trans ID: 0x76c3
    Reply Code: No error (0)
    Name: s-part-0017.t-0009.t-msedge.net
    CName: (none)
    Address: 13.107.246.45
    Type: A (IP address)
    Class: IN (0x0001)
    DNS over HTTPS: false


    Target ID: 0
    Start time: 03:28:46
    Start date: 30/10/2024
    Path: C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit): true
    Commandline: cmd /C ""C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft""
    Imagebase: 0x1c0000
    File size: 236'544 bytes
    MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true

    Target ID: 1
    Start time: 03:28:46
    Start date: 30/10/2024
    Path: C:\Windows\System32\conhost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase: 0x7ff66e660000
    File size: 862'208 bytes
    MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true

    Target ID: 2
    Start time: 03:28:47
    Start date: 30/10/2024
    Path: C:\Windows\SysWOW64\wscript.exe
    Wow64 process (32bit): true
    Commandline: "C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft"
    Imagebase: 0x820000
    File size: 147'456 bytes
    MD5 hash: FF00E0480075B095948000BDC66E81F0
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true

    No disassembly