Windows
Analysis Report
Chrom#U0435.U#U0440dat#U0435.zip
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- wscript.exe (PID: 888 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
- wscript.exe (PID: 6516 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
- cleanup
Timestamp: | 11/03/22-12:35:25.057076 |
Source IP: | 192.168.2.3 |
Destination IP: | 1.1.1.1 |
SID: | 2039597 |
Source Port: | 53158 |
Destination Port: | 53 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Timestamp: | 11/03/22-12:35:01.413784 |
Source IP: | 192.168.2.3 |
Destination IP: | 1.1.1.1 |
SID: | 2039597 |
Source Port: | 56466 |
Destination Port: | 53 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | Network Connect: |
Source: | Snort IDS: |
Source: | Network traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTPS traffic detected: |
Source: | Key opened: |
Source: | Classification label: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File read: |
Source: | Joe Sandbox Cloud Basic: | Perma Link |
Source: | Process information set: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Window found: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: |
Source: | Key value queried: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Scripting | Path Interception | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 2 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Scripting | LSASS Memory | 1 Remote System Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
2% | Virustotal | Browse |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.138.69.102 | unknown | Germany | | 8972 | GD-EMEA-DC-SXB1DE | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 736959 |
Start date and time: | 2022-11-03 12:34:09 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Chrom#U0435.U#U0440dat#U0435.zip |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip) |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.evad.winZIP@2/0@0/11 |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.68, 20.190.160.14, 40.126.32.138, 20.190.160.20, 40.126.32.74, 20.190.160.22, 40.126.32.134
- Excluded domains from analysis (whitelisted): fs.microsoft.com, prda.aadg.msidentity.com, login.live.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
File type: | |
Entropy (8bit): | 7.989712194941986 |
TrID: | |
File name: | Chrom#U0435.U#U0440dat#U0435.zip |
File size: | 35984 |
MD5: | c4971c73424f2728ef8771d8dcc5d7bc |
SHA1: | 00636308cac7b4d8dadd2590042ff1bbeb702e43 |
SHA256: | 26106b07597873612b6cffd05d7f46564db4a2f90964c49906191bf0c8d7b180 |
SHA512: | c7ee9f54aa268876a41bd80531f73d7ebe64b872045d575e42dd2219fd2a0f8d3d35273ee2eb71aacfa4c25f2e333e764a69c69b8b9b6c9b10f327993aa5b043 |
SSDEEP: | 768:2O4RfJ6aSiQdlwKFiPXG/fv4OnPQKvUprXo4RiixFcSinbIS3LzQS:2FRR6aSnrFiP2/fv4On1soIxWBn87S |
TLSH: | 47F2F12C494935ACC1E32A3A527947880F96E3635433E0AF972D9D6177EB2E56C83234 |
File Content Preview: | PK........%YcU~e.`............AutoUpdater.js...w.I.0........I%.[.. ....*$ ).5."|AB..Z.....kn...d...=...iR....mn....h....7.7...**6._uY.....Ku._U....N.......vr.*U.*g:+....o..l..Q........sVlo..Og.....s.....d./.........:...........;....+i.6..e:........8~f..0. |
Icon Hash: | f4ccccccccccccdc |