DYNAMIC ANALYSIS REPORT (X-Ray Vision for Malware): MALICIOUS - VB:Trojan.VBS.Agent.BON


MALICIOUS

Classifications: -

Threat Names: VB:Trojan.VBS.Agent.BON

Verdict Reason: -

Sample Type VBScript

File Name a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs

ID #835085

MD5 fab4721f2b9af521133a31ecb1f13c1d

SHA1 a58d5ddc1b3bf43f95285288422f80e5dc856c7e

SHA256 a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d

File Size 59.52 KB

Report Created 2021-08-08 10:17 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | windows_script_file

X-Ray Vision for Malware - www.vmray.com 1 / 18


OVERVIEW

VMRay Threat Identifiers (8 rules, 23 matches)

Score Category Operation Count Classification

4/5 Defense Evasion Tries to detect the presence of antivirus software 2 -

(Process #3) wscript.exe tries to detect antivirus software via WMI query: "select * from antivirusproduct".

(Process #9) wscript.exe tries to detect antivirus software via WMI query: "select * from antivirusproduct".

4/5 Antivirus Malicious content was detected by heuristic scan 1 -

Built-in AV detected the sample itself as "VB:Trojan.VBS.Agent.BON".

2/5 Persistence Installs system startup script or application 8 -

(Process #1) cscript.exe adds "wscript.exe //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"" to Windows startup via registry.

(Process #1) cscript.exe adds "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\windows\start menu\programs\startup\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs" to Windows startup folder.

(Process #3) wscript.exe adds "wscript.exe //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"" to Windows startup via registry.

(Process #3) wscript.exe adds "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\windows\start menu\programs\startup\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs" to Windows startup folder.

(Process #9) wscript.exe adds "wscript.exe //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"" to Windows startup via registry.

(Process #9) wscript.exe adds "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\windows\start menu\programs\startup\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs" to Windows startup folder.

(Process #13) wscript.exe adds "wscript.exe //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"" to Windows startup via registry.

(Process #13) wscript.exe adds "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\windows\start menu\programs\startup\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs" to Windows startup folder.

2/5 Discovery Collects hardware properties 2 -

(Process #3) wscript.exe queries hardware properties via WMI.

(Process #9) wscript.exe queries hardware properties via WMI.

2/5 Discovery Queries OS version via WMI 2 -

(Process #3) wscript.exe queries OS version via WMI.

(Process #9) wscript.exe queries OS version via WMI.

2/5 Network Connection Tries to connect using an uncommon port 1 -

(Process #3) wscript.exe tries to connect to TCP port 7772 at 79.134.225.117.

1/5 Discovery Executes WMI query 6 -

(Process #3) wscript.exe executes WMI query: select * from win32_logicaldisk.

(Process #3) wscript.exe executes WMI query: select * from win32_operatingsystem.

(Process #3) wscript.exe executes WMI query: select * from antivirusproduct.

(Process #9) wscript.exe executes WMI query: select * from win32_logicaldisk.

(Process #9) wscript.exe executes WMI query: select * from win32_operatingsystem.

(Process #9) wscript.exe executes WMI query: select * from antivirusproduct.

1/5 Network Connection All network connection attempts failed 1 -

Host "79.134.225.117" is unavailable.


Mitre ATT&CK Matrix

Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques:

#T1047 Windows Management Instrumentation

#T1060 Registry Run Keys / Startup Folder

#T1112 Modify Registry

#T1082 System Information Discovery

#T1065 Uncommonly Used Port

#T1063 Security Software Discovery


Sample Information

ID #835085

MD5 fab4721f2b9af521133a31ecb1f13c1d

SHA1 a58d5ddc1b3bf43f95285288422f80e5dc856c7e

SHA256 a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d

SSDeep 768:cRLwy499w1CxmxqGjKlkYhQy68f2Sg5H/6nGloT5B6d4FzB/HxRJEnARJ2S8ImjL:CV6nGr

File Name a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs

File Size 59.52 KB

Sample Type VBScript

Has Macros

Analysis Information

Creation Time 2021-08-08 10:17 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 6

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 1

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0


Screenshots truncated

NETWORK

General

1 contacted IP addresses

0 bytes total sent

0 bytes total received

1 ports: 7772

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

0 DNS requests for 0 domains

0 nameservers contacted

0 total requests returned errors

HTTP/S

1 URLs contacted, 1 servers

1 sessions, 0 bytes sent, 0 bytes received

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

post http://79.134.225.117:7772/is-ready - - 0 bytes NA


BEHAVIOR

Process Graph

Sample Start
  #1 cscript.exe
    #3 wscript.exe (Child Process)

Reboot #1
  #9 wscript.exe
  #12 wscript.exe
  #13 wscript.exe
    #14 wscript.exe (Child Process)


Process #1: cscript.exe

ID 1

File Name c:\windows\system32\cscript.exe

Command Line "C:\Windows\System32\CScript.exe" "C:\Users\RDHJ0C~1\Desktop\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 51803, Reason: Analysis Target

Unmonitor End Time End Time: 76703, Reason: Terminated

Monitor duration 24.90s

Return Code 0

PID 3452

Parent PID 1652

Bitness 64 Bit

Dropped Files (1)

File Name File Size SHA256 YARA Match

C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs 59.52 KB a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d

Host Behavior

Type Count

Module 32

System 13

Registry 34

File 8

- 1

Window 1

COM 9

Process 1


Process #3: wscript.exe

ID 3

File Name c:\windows\system32\wscript.exe

Command Line "C:\Windows\System32\wscript.exe" //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 75133, Reason: Child Process

Unmonitor End Time End Time: 98537, Reason: Terminated

Monitor duration 23.40s

Return Code 1073807364

PID 2960

Parent PID 3452

Bitness 64 Bit

Dropped Files (1)

File Name File Size SHA256 YARA Match

- 0 bytes e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Host Behavior

Type Count

Module 30

System 30

Registry 44

- 1

Window 1

COM 57

File 11

- 8

Network Behavior

Type Count

HTTP 2

TCP 1


Process #9: wscript.exe

ID 9

File Name c:\windows\system32\wscript.exe

Command Line "C:\Windows\System32\wscript.exe" //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 163823, Reason: Autostart

Unmonitor End Time End Time: 291901, Reason: Terminated by Timeout

Monitor duration 128.08s

Return Code Unknown

PID 3044

Parent PID 1476

Bitness 64 Bit

Host Behavior

Type Count

Module 30

System 88

Registry 71

- 1

Window 1

COM 297

File 31

- 48

Network Behavior

Type Count

HTTP 12


Process #12: wscript.exe

ID 12

File Name c:\windows\system32\wscript.exe

Command Line "C:\Windows\System32\wscript.exe" //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 167562, Reason: Autostart

Unmonitor End Time End Time: 168332, Reason: Terminated

Monitor duration 0.77s

Return Code 1

PID 2892

Parent PID 1476

Bitness 64 Bit

Host Behavior

Type Count

Module 13

System 5

Registry 27

- 1

Window 1

COM 2

File 1


Process #13: wscript.exe

ID 13

File Name c:\windows\system32\wscript.exe

Command Line "C:\Windows\System32\WScript.exe" "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 168333, Reason: Autostart

Unmonitor End Time End Time: 172172, Reason: Terminated

Monitor duration 3.84s

Return Code 0

PID 796

Parent PID 1476

Bitness 64 Bit

Host Behavior

Type Count

Module 31

System 12

Registry 33

- 1

Window 1

COM 9

File 6

Process 1


Process #14: wscript.exe

ID 14

File Name c:\windows\system32\wscript.exe

Command Line "C:\Windows\System32\wscript.exe" //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 171643, Reason: Child Process

Unmonitor End Time End Time: 172735, Reason: Terminated

Monitor duration 1.09s

Return Code 1

PID 3084

Parent PID 796

Bitness 64 Bit

Host Behavior

Type Count

Module 13

System 5

Registry 27

- 1

Window 1

COM 2

File 1


ARTIFACTS

File

SHA256 File Names Category File Size MIME Type Operations Verdict

a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d C:\Users\RDhJ0CNFevzX\Desktop\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs, C:\Users\RDHJ0C~1\Desktop\a47d... ...8dbfe63c48a5165078d.vbs, C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs Sample File 59.52 KB text/x-vbscript Access, Create, Write MALICIOUS

Filename

File Name Category Operations Verdict

C:\Windows\System32\CScript.exe Accessed File Access CLEAN

C:\Users\RDHJ0C~1\Desktop\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs Sample File Access CLEAN

C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs Sample File Access, Create, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs Sample File Access, Create, Write CLEAN

C:\Windows\System32\wscript.exe Accessed File Access CLEAN

C:\Windows\System32\WScript.exe Accessed File Access CLEAN

URL

URL Category IP Address Country HTTP Methods Verdict

http://79.134.225.117:7772/is-ready - 79.134.225.117 - post CLEAN

IP

IP Address Domains Country Protocols Verdict

79.134.225.117 - Switzerland TCP SUSPICIOUS

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d access, write wscript.exe, cscript.exe SUSPICIOUS

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings access, create wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings access, create wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings access, read wscript.exe, cscript.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled access, read wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled access, read wscript.exe, cscript.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses access, read wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses access, read wscript.exe, cscript.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy access, read wscript.exe, cscript.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER access, read wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy access, read wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER access, read wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout access, read wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo access, read wscript.exe, cscript.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout access, read wscript.exe, cscript.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo access, read wscript.exe, cscript.exe CLEAN

HKEY_CLASSES_ROOT\.vbs access, read wscript.exe, cscript.exe CLEAN

HKEY_CLASSES_ROOT\VBSFile\ScriptEngine access, read wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\software\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d access, create, read, write wscript.exe, cscript.exe CLEAN

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run access, create wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run access, create wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d access, write wscript.exe, cscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting access wscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level access, read wscript.exe CLEAN

Process

Process Name Commandline Verdict

cscript.exe "C:\Windows\System32\CScript.exe" "C:\Users\RDHJ0C~1\Desktop\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs" SUSPICIOUS

wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\RDHJ0C~1\AppData\Local\Temp\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs" SUSPICIOUS

wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs" SUSPICIOUS


YARA / AV

Antivirus (1)

File Type Threat Name File Name Verdict

Sample File VB:Trojan.VBS.Agent.BON C:\Users\RDhJ0CNFevzX\Desktop\a47d7b707c294ed01ee81f7ab899076756168d0ddbf578dbfe63c48a5165078d.vbs MALICIOUS


ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.2.2

Dynamic Engine Version 4.2.2 / 07/23/2021 03:44

Static Engine Version 4.2.2.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)

Built-in AV Database Update Release Date 2021-08-08 04:22:09+00:00

AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10

VTI Ruleset Version 4.2.2.31 / 2021-07-19 18:52:40

YARA Built-in Ruleset Version 4.2.2.32

Link Detonation Heuristics Version -

Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
