Automated Malware Analysis Report for 44S5D444F55G8222Y55UU44S4S.vbs
ID: 310931
Sample Name: 44S5D444F55G8222Y55UU44S4S.vbs
Cookbook: default.jbs
Time: 07:32:12
Date: 07/11/2020
Version: 31.0.0 Red Diamond

Table of Contents

Analysis Report 44S5D444F55G8222Y55UU44S4S.vbs .... 4
Overview (General Information, Detection, Signatures, Classification, Startup, Malware Configuration, Yara Overview, Sigma Overview, Signature Overview) .... 4
Mitre Att&ck Matrix .... 5
Behavior Graph .... 6
Screenshots .... 6
Antivirus, Machine Learning and Genetic Malware Detection .... 7
Domains and IPs .... 8
General Information .... 9
Simulations .... 10
Joe Sandbox View / Context .... 10
Dropped Files .... 11
Static File Info .... 11
Network Behavior .... 12
Code Manipulations .... 13
Statistics .... 13
Behavior .... 13
System Behavior (wscript.exe PID: 6124 Parent PID: 3388; wscript.exe PID: 5560 Parent PID: 6124) .... 14
Disassembly .... 15
Code Analysis .... 15

Copyright null 2020 Page 2 of 15

Analysis Report 44S5D444F55G8222Y55UU44S4S.vbs

Overview

General Information
  Sample Name:  44S5D444F55G8222Y55UU44S4S.vbs
  Analysis ID:  310931
  MD5:          75de44228bea09…
  SHA1:         e95857291d694e…
  SHA256:       2bfdb7103140e24…
  Tags:         vbs malicious
  Most interesting Screenshot: (image not included in this extraction)

Detection
  Score:        80 (Range: 0 - 100)
  Whitelisted:  false
  Confidence:   100%

Classification
  Verdict scale: malicious / suspicious / clean. Chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. (The chart itself is an image; only its labels survived extraction.)

Signatures
  Antivirus detection for URL or domain
  Multi AV Scanner detection for submitted file
  System process connects to network (likely due to code injection or exploit)
  VBScript performs obfuscated calls to suspicious functions
  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Windows Shell Script Host drops VBS files
  Contains capabilities to detect virtua…
  Creates a process in suspended mo…
  Found WSH timer for Javascript or V…
  Internet Provider seen in connection…
  Java / VBScript file with very long s…
  Monitors certain registry keys / valu…
  Queries sensitive Operating System …
  Tries to load missing DLLs
  Uses a known web browser user age…

Startup
  System is w10x64
  wscript.exe (PID: 6124, cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\44S5D444F55G8222Y55UU44S4S.vbs', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    wscript.exe (PID: 5560, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\D68.vbs', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview
  No yara matches

Sigma Overview
  No Sigma rule has matched

Signature Overview
  Categories: AV Detection; Networking; System Summary; Data Obfuscation; Persistence and Installation Behavior; Hooking and other Techniques for Hiding and Protection; Malware Analysis System Evasion; HIPS / PFW / Operating System Protection Evasion; Language, Device and Operating System Detection

  AV Detection:
    Antivirus detection for URL or domain
    Multi AV Scanner detection for submitted file
  Data Obfuscation:
    VBScript performs obfuscated calls to suspicious functions
  Persistence and Installation Behavior:
    Windows Shell Script Host drops VBS files
  Malware Analysis System Evasion:
    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  HIPS / PFW / Operating System Protection Evasion:
    System process connects to network (likely due to code injection or exploit)

Mitre Att&ck Matrix
  Techniques listed with a trailing signature count matched at least one signature; the remaining cells of the matrix are unmatched template entries and are omitted here.

  Initial Access:          no matched techniques
  Execution:               Windows Management Instrumentation (1 1); Scripting (2 2 1); PowerShell (1)
  Persistence:             DLL Side-Loading (1)
  Privilege Escalation:    DLL Side-Loading (1); Process Injection (1 1 1)
  Defense Evasion:         Masquerading (1); Virtualization/Sandbox Evasion (2); Process Injection (1 1 1); Scripting (2 2 1); Obfuscated Files or Information (1); DLL Side-Loading (1)
  Credential Access:       no matched techniques
  Discovery:               Query Registry (1); Security Software Discovery (2 1); Virtualization/Sandbox Evasion (2); File and Directory Discovery (1); System Information Discovery (1 1 2)
  Lateral Movement:        no matched techniques
  Collection:              no matched techniques
  Exfiltration:            no matched techniques
  Command and Control:     Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (1 2)
  Network Effects:         no matched techniques

Behavior Graph
  ID: 310931  Sample: 44S5D444F55G8222Y55UU44S4S.vbs  Startdate: 07/11/2020  Architecture: WINDOWS  Score: 80
  Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

  wscript.exe (started, Windows process)
    signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); VBScript performs obfuscated calls to suspicious functions; Windows Shell Script Host drops VBS files
    dropped: C:\Users\Public\D68.vbs (ASCII)
    started: wscript.exe
      connection: 104.41.57.9, local port 49715, remote port 80, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
      signature: System process connects to network (likely due to code injection or exploit)
  Badge values rendered on the graph were 3, 2 and 6; the extraction does not preserve which node or counter (registry values, created files, connections) each belongs to.

Screenshots

Thumbnails
  This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Images not included in this extraction.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  Source                            Detection  Scanner     Label  Link
  44S5D444F55G8222Y55UU44S4S.vbs    17%        Virustotal         Browse

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  No Antivirus matches

URLs
  Source                  Detection  Scanner          Label    Link
  104.41.57.9/lp1         0%         Avira URL Cloud  safe
  104.41.57.9/bd21.php    2%         Virustotal                Browse
  104.41.57.9/bd21.php    100%       Avira URL Cloud  malware
  104.41.57.9/s           0%         Avira URL Cloud  safe
  104.41.57.9/m/lp1       0%         Avira URL Cloud  safe
  104.41.57.9/lp1a        0%         Avira URL Cloud  safe
  104.41.57.9/            0%         Avira URL Cloud  safe

Domains and IPs

Contacted Domains
  No contacted domains info

Contacted URLs
  Name                  Malicious  Antivirus Detection                                  Reputation
  104.41.57.9/bd21.php  true       2%, Virustotal, Browse; Avira URL Cloud: malware     unknown

URLs from Memory and Binaries
  Name               Source                                                                           Malicious  Antivirus Detection    Reputation
  104.41.57.9/lp1    wscript.exe, 00000001.00000003.245871543.0000016B21B20000.00000004.00000001.sdmp  false      Avira URL Cloud: safe  unknown
  104.41.57.9/s      wscript.exe, 00000001.00000003.242422439.0000016B21B02000.00000004.00000001.sdmp  false      Avira URL Cloud: safe  unknown
  104.41.57.9/m/lp1  wscript.exe, 00000001.00000003.233165119.0000016B239B2000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.2293777
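The Data Obfuscation and Malware Analysis System Evasion signatures above (obfuscated calls to suspicious functions, a very long string literal, a WMI query for Win32_Bios, a WSH timer) are static traits that can be triaged before a sample is detonated. The script below is an added example written for this page; it is not Joe Sandbox code and SAMPLE_VBS is a constructed stand-in, not the analysed 44S5D444F55G8222Y55UU44S4S.vbs. It folds Chr()-concatenation chains back into the literals they build, then reports the indicators. Treating WScript.Sleep as the timer indicator and 512 characters as the long-string threshold are assumptions made here, not the sandbox's thresholds.

```python
import re

# Constructed demo script (NOT the analysed sample). It carries the static traits
# the report's signatures name: a very long string literal, a COM ProgID built
# with Chr() (obfuscated call), a WMI query for Win32_BIOS, a long WScript.Sleep
# and a dynamic Execute of the decoded string.
SAMPLE_VBS = (
    'Dim s, o, w\n'
    's = "' + 'A' * 1200 + '"\n'
    'Set o = CreateObject(Chr(87) & Chr(83) & Chr(99) & "ript.Shell")\n'
    'Set w = GetObject("winmgmts:").ExecQuery("SELECT * FROM Win32_BIOS")\n'
    'WScript.Sleep 30000\n'
    'Execute s\n'
)

# One concatenation operand: Chr(<n>) or a "..." literal ("" escapes a quote).
_PART = r'(?:Chr\s*\(\s*\d+\s*\)|"(?:[^"]|"")*")'
CHAIN = re.compile(_PART + r'(?:\s*&\s*' + _PART + r')+', re.I)
TOKEN = re.compile(r'Chr\s*\(\s*(\d+)\s*\)|"((?:[^"]|"")*)"', re.I)
LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def fold_chr_chains(code: str) -> str:
    """Replace every Chr(n) & "..." & Chr(m) chain with the literal it builds."""
    def fold(m):
        parts = []
        for n, s in TOKEN.findall(m.group(0)):
            parts.append(chr(int(n)) if n else s.replace('""', '"'))
        return '"' + ''.join(parts).replace('"', '""') + '"'
    return CHAIN.sub(fold, code)


def triage_vbs(code: str) -> dict:
    """Static indicators matching the report's obfuscation / evasion signatures."""
    folded = fold_chr_chains(code)
    literals = [s.replace('""', '"') for s in LITERAL.findall(folded)]
    return {
        "max_string_len": max((len(s) for s in literals), default=0),
        "chr_calls": len(re.findall(r'\bChr\s*\(', code, re.I)),
        "dynamic_exec": sorted({m.lower() for m in
                                re.findall(r'\b(Execute(?:Global)?|Eval)\b', folded, re.I)}),
        "com_objects": sorted(set(re.findall(r'CreateObject\(\s*"([^"]+)"', folded, re.I))),
        "wmi_classes": sorted(set(re.findall(r'\bWin32_(?:BIOS|BaseBoard|ComputerSystem)\b',
                                             folded, re.I))),
        "sleep_ms": max((int(x) for x in re.findall(r'WScript\.Sleep\s+(\d+)', folded, re.I)),
                        default=0),
    }


def flag_reasons(ind: dict, long_string: int = 512, long_sleep_ms: int = 10000) -> list:
    """Human-readable reasons; the thresholds are this example's assumptions."""
    reasons = []
    if ind["max_string_len"] >= long_string:
        reasons.append("very long string literal (likely packed payload)")
    if ind["chr_calls"] and (ind["dynamic_exec"] or ind["com_objects"]):
        reasons.append("Chr()-assembled strings feed CreateObject/Execute (obfuscated calls)")
    if ind["wmi_classes"]:
        reasons.append("WMI hardware query, common VM check: " + ", ".join(ind["wmi_classes"]))
    if ind["sleep_ms"] >= long_sleep_ms:
        reasons.append(f"WScript.Sleep {ind['sleep_ms']} ms (timer-based evasion)")
    return reasons


if __name__ == "__main__":
    indicators = triage_vbs(SAMPLE_VBS)
    for k, v in indicators.items():
        print(f"{k:15} {v}")
    for r in flag_reasons(indicators):
        print("FLAG:", r)
```

Folding the Chr() chains before scanning is what turns `CreateObject(Chr(87) & Chr(83) & Chr(99) & "ript.Shell")` into a visible `CreateObject("WScript.Shell")`; a scanner that only greps the raw file for ProgIDs misses exactly the calls the "obfuscated calls to suspicious functions" signature is about.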
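The Startup tree (wscript.exe 6124 launching wscript.exe 5560), the dropped C:\Users\Public\D68.vbs and the connection to the bare IP 104.41.57.9 on port 80 form a chain that endpoint telemetry can catch without any file signature. The script below is an added example written for this page, not Joe Sandbox output: it runs four rules over a constructed event list modelled on the report's process tree. The two wscript.exe PIDs, the D68.vbs path and the 104.41.57.9:80 connection come from the report; the explorer.exe parent, the benign cscript.exe control run, the event field names and the set of drop directories are assumptions.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Directories any user can write to; a script launched from here was dropped, not installed.
DROP_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")

# Constructed telemetry modelled on the report's process tree (PIDs 6124 and 5560,
# the D68.vbs drop and the 104.41.57.9:80 connection are from the report; the
# explorer.exe parent, the slmgr.vbs control run and the event shape are assumptions).
EVENTS = [
    {"type": "process", "pid": 3388, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 6124, "ppid": 3388, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\44S5D444F55G8222Y55UU44S4S.vbs"'},
    {"type": "file", "pid": 6124, "path": r"C:\Users\Public\D68.vbs"},
    {"type": "process", "pid": 5560, "ppid": 6124, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\D68.vbs"'},
    {"type": "network", "pid": 5560, "dst_ip": "104.41.57.9", "dst_port": 80},
    # Benign control: an admin script run by explorer, no drop, no network.
    {"type": "process", "pid": 7001, "ppid": 3388, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Windows\System32\slmgr.vbs" /dlv'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_args(cmdline: str) -> list:
    """Quoted or bare command-line tokens that name a script file."""
    toks = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in toks if t.lower().endswith(SCRIPT_EXT)]


def analyze(events: list) -> list:
    """Return (rule, pid) findings for script-host abuse chains."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = defaultdict(set)          # pid -> lower-cased paths it wrote
    resolved = set()                    # pids that did a DNS lookup (event type "dns")
    for e in events:
        if e["type"] == "file":
            dropped[e["pid"]].add(e["path"].lower())
        elif e["type"] == "dns":
            resolved.add(e["pid"])

    findings = []
    for pid, p in procs.items():
        if basename(p["image"]) not in SCRIPT_HOSTS:
            continue
        parent = procs.get(p["ppid"])
        if parent is not None and basename(parent["image"]) in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_script_host", pid))
        for s in script_args(p["cmdline"]):
            s_low = s.lower()
            if any(d in s_low for d in DROP_DIRS):
                findings.append(("script_run_from_drop_dir", pid))
            if parent is not None and s_low in dropped[parent["pid"]]:
                findings.append(("parent_dropped_then_ran_script", pid))
    for e in events:
        if e["type"] != "network":
            continue
        p = procs.get(e["pid"])
        # No DNS event before the connection means the script carried a raw IP.
        if p and basename(p["image"]) in SCRIPT_HOSTS and e["pid"] not in resolved:
            findings.append(("script_host_direct_ip_connect", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:32} pid={pid}")
```

All four rules fire on PID 5560 and none on the cscript.exe control, which is the point: the second-stage script is what carries the dropped-file, drop-directory, host-spawns-host and direct-IP traits together, so a rule keyed on the combination stays quiet on ordinary administrative scripting.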