Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DNSCCB.msc

Overview

General Information

Sample name:DNSCCB.msc
Analysis ID:1501495
MD5:d81e6c0ef9688e67df94753896b2a762
SHA1:6290a85f1d5a2a0717ecbbc273dbe3d071de65f4
SHA256:b397b438c6e5e6a6f24525d266c27a992e7cd355d80f70ead090649115b7fa03

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Creates a window with clipboard capturing capabilities
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Classification

Process Tree

  • System is w10x64
  • mmc.exe (PID: 7624 cmdline: "C:\Windows\system32\mmc.exe" "C:\Users\user\Desktop\DNSCCB.msc" MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\System32\mmc.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
Source: classification engineClassification label: clean1.winMSC@1/0@0/0
Source: C:\Windows\System32\mmc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\MMCJump to behavior
Source: C:\Windows\System32\mmc.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\mmc.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: mmcbase.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: duser.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: ninput.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: dui70.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: mmcndmgr.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: filemgmt.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: mlang.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mmc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mmc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C5F432A-EF40-4669-9974-9671D4FC2E12}\InprocServer32Jump to behavior
Source: C:\Windows\System32\mmc.exeWindow found: window name: msctls_updown32Jump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mmc.exeWindow / User API: threadDelayed 3510Jump to behavior
Source: C:\Windows\System32\mmc.exeWindow / User API: threadDelayed 6490Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
Masquerading		OS Credential Dumping1
Application Window Discovery		Remote Services1
Clipboard Data		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading		LSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager1
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1501495
Start date and time:2024-08-30 00:41:53 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 37s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:DNSCCB.msc
Detection:CLEAN
Classification:clean1.winMSC@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .msc

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: DNSCCB.msc

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:XML 1.0 document, ASCII text, with CRLF line terminators
Entropy (8bit):2.766007672464546
TrID:
  • Generic XML (ASCII) (5005/1) 100.00%
File name:DNSCCB.msc
File size:71'842 bytes
MD5:d81e6c0ef9688e67df94753896b2a762
SHA1:6290a85f1d5a2a0717ecbbc273dbe3d071de65f4
SHA256:b397b438c6e5e6a6f24525d266c27a992e7cd355d80f70ead090649115b7fa03
SHA512:6329c802c658a418e5e3537bb28889136a171d6d20f6c3fae118e972632bd049c838a74ccf5f03e53fceaff98bf08b018161eced026504f7379f096c4257e695
SSDEEP:192:4PFFFIvnRK0RmSyRYnGDgvgCgAg8gQgcg05gagtgOfgm/gJ+g4gNg7tnRJvDR1T5:saorRJaRSLBI92vxGOWPnQB+I
TLSH:02630B72ACC14BEAD37A648052ACFF60DE483BA791D86017B04E78935FB58B0974793D
File Content Preview:<?xml version="1.0"?><MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">.. <ConsoleFileID>{39EF80EA-83AC-4403-A7D6-189C399184E6}</ConsoleFileID>.. <FrameState ShowStatusBar="true">.. <WindowPlacement ShowCommand="SW_SHOWNORMAL">.. <Point

File Icon

Icon Hash:faeae8cfddb290c0

Static OLE Info

General

Document Type:Text
Number of OLE Files:1

OLE File "DNSCCB.msc"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:True

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Target ID:0
Start time:18:42:45
Start date:29/08/2024
Path:C:\Windows\System32\mmc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\mmc.exe" "C:\Users\user\Desktop\DNSCCB.msc"
Imagebase:0x7ff61e4a0000
File size:1'953'280 bytes
MD5 hash:58C9E5172C3708A6971CA0CBC80FE8B8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Disassembly

No disassembly