Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:561475
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Cscript Visual Basic Script Execution
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Sigma detected: GatherNetworkInfo.vbs Script Usage

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7140 cmdline: cmd /C "cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs" MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cscript.exe (PID: 4416 cmdline: cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

There are no malicious signatures, click here to show all signatures.

Source: Process startedAuthor: frack113: Data: Command: cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs, CommandLine: cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: cmd /C "cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7140, ProcessCommandLine: cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs, ProcessId: 4416
Source: Process startedAuthor: blueteamer8699: Data: Command: cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs, CommandLine: cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: cmd /C "cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7140, ProcessCommandLine: cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs, ProcessId: 4416

Jbx Signature Overview

  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\cscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\SysWOW64\cscript.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C "cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs"
Source: classification engineClassification label: clean2.win@4/0@0/0
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C "cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbsJump to behavior
Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbsJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Scripting		Path Interception11
Process Injection		11
Process Injection		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Scripting		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 561475 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 27/01/2022 Architecture: WINDOWS Score: 2 5 cmd.exe 1 2->5         started        process3 7 cscript.exe 1 5->7         started        9 conhost.exe 5->9         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:561475
Start date:27.01.2022
Start time:14:47:07
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean2.win@4/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.211.6.115
  • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

No static file info

Network Behavior

No network behavior found

Statistics

CPU Usage

0102030s020406080100

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

  • File
  • Registry

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:14:48:01
Start date:27/01/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C "cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs"
Imagebase:0x2a0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:1
Start time:14:48:01
Start date:27/01/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff61de10000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:2
Start time:14:48:02
Start date:27/01/2022
Path:C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):true
Commandline:cscript.exe C:\WINDOWS\system32\gatherNetworkInfo.vbs
Imagebase:0x13c0000
File size:143360 bytes
MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

No disassembly