Scripts - Sandboxing Report


ID: 1542248

Sample Name: Scripts.zip


Cookbook:
defaultwindowsinteractivecookbook.jbs
Time: 17:37:11
Date: 25/10/2024
Version: 41.0.0 Charoite
Table of Contents

Table of Contents 2
Windows Analysis Report Scripts.zip 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Process Tree 3
Malware Configuration 3
Yara Signatures 3
Sigma Signatures 3
Suricata Signatures 4
Joe Sandbox Signatures 4
Boot Survival 4
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 5
Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Domains and IPs 7
Contacted Domains 7
World Map of Contacted IPs 7
General Information 7
Warnings 7
Simulations 7
Behavior and APIs 7
Joe Sandbox View / Context 8
IPs 8
Domains 8
ASNs 8
JA3 Fingerprints 8
Dropped Files 8
Created / dropped Files 8
Static File Info 8
General 8
File Icon 8
Network Behavior 8
Statistics 9
Behavior 9
System Behavior 9
Analysis Process: rundll32.exe PID: 6972, Parent PID: 804 9
General 9
Analysis Process: OpenWith.exe PID: 3588, Parent PID: 804 9
General 9
File Activities 10
Registry Activities 10
Analysis Process: notepad.exe PID: 2212, Parent PID: 3588 10
General 10
File Activities 10
Registry Activities 10
Key Created 10
Key Value Created 10
Analysis Process: notepad.exe PID: 1904, Parent PID: 4380 11
General 11
File Activities 11
Analysis Process: notepad.exe PID: 5080, Parent PID: 4380 11
General 11
File Activities 11
Disassembly 12

Copyright Joe Security LLC 2024 Page 2 of 12


Windows Analysis Report
Scripts.zip

Overview

General Information
Sample name: Scripts.zip
Analysis ID: 1542248
MD5: 1bd6e701796c…
SHA1: e54da49bb1d7…
SHA256: c7458230f00ee…

Detection
Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
Sets file extension default program settings to executables
Creates a process in suspended mo…
Queries the volume information (nam…

Classification
Radar chart (image): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rings malicious / suspicious / clean.

Process Tree
System is w10x64_ra
rundll32.exe (PID: 6972 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
OpenWith.exe (PID: 3588 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  notepad.exe (PID: 2212 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_01\01_PFI_PIGNORA_TABLE.sql MD5: 27F71B12CB585541885A31BE22F61C83)
notepad.exe (PID: 1904 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_02\06_Seguridad.sql MD5: 27F71B12CB585541885A31BE22F61C83)
notepad.exe (PID: 5080 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_03\7_SP_GRABAR_SEG_ACCESOS_HIS.sql MD5: 27F71B12CB585541885A31BE22F61C83)
cleanup
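The process tree above is only five lines, but the parent PIDs that give it its shape live in the per-process headers further down the report. The script below is an added example, not part of the report or of Joe Sandbox's tooling: it parses both line formats as they appear here, rebuilds the tree, and tags each process with the observations an analyst would make (rundll32 hosting shell32's COM local server with -Embedding, the OpenWith.exe "How do you want to open this file?" dialog and the editor it spawned, and the document extension each notepad.exe was handed). The tag names and the reading of each chain are the author's assumptions, not report output.

```python
"""Rebuild and triage the process tree of a Joe Sandbox report.

Added example; not part of the report or of Joe Sandbox. TREE_LINES and
HEADER_LINES are copied from this report (PDF line breaks joined). The
triage tags are the author's assumptions about what each chain means.
"""
import os
import re
from collections import defaultdict

# Input copied from this report: the five process-tree lines.
TREE_LINES = [
    r"rundll32.exe (PID: 6972 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)",
    r"OpenWith.exe (PID: 3588 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)",
    r'notepad.exe (PID: 2212 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_01\01_PFI_PIGNORA_TABLE.sql MD5: 27F71B12CB585541885A31BE22F61C83)',
    r'notepad.exe (PID: 1904 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_02\06_Seguridad.sql MD5: 27F71B12CB585541885A31BE22F61C83)',
    r'notepad.exe (PID: 5080 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_03\7_SP_GRABAR_SEG_ACCESOS_HIS.sql MD5: 27F71B12CB585541885A31BE22F61C83)',
]
# Input copied from this report: the per-process headers carry the parent PID.
HEADER_LINES = [
    "Analysis Process: rundll32.exe PID: 6972, Parent PID: 804",
    "Analysis Process: OpenWith.exe PID: 3588, Parent PID: 804",
    "Analysis Process: notepad.exe PID: 2212, Parent PID: 3588",
    "Analysis Process: notepad.exe PID: 1904, Parent PID: 4380",
    "Analysis Process: notepad.exe PID: 5080, Parent PID: 4380",
]

TREE_RE = re.compile(r"^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$")
HEADER_RE = re.compile(r"^Analysis Process: (?P<image>\S+) PID: (?P<pid>\d+), Parent PID: (?P<ppid>\d+)$")


def parse_processes(tree_lines, header_lines):
    """Return {pid: {image, cmdline, md5, ppid}} from the two line sets."""
    procs = {}
    for line in tree_lines:
        m = TREE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed tree line: {line!r}")
        procs[int(m["pid"])] = {"image": m["image"], "cmdline": m["cmd"],
                                "md5": m["md5"].upper(), "ppid": None}
    for line in header_lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed header: {line!r}")
        if int(m["pid"]) in procs:
            procs[int(m["pid"])]["ppid"] = int(m["ppid"])
    return procs


def children_of(procs):
    kids = defaultdict(list)
    for pid, p in procs.items():
        kids[p["ppid"]].append(pid)
    return kids


def root_pids(procs):
    """PIDs whose parent was not analysed (whitelisted or pre-existing process)."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] not in procs)


def render_tree(procs):
    kids, lines = children_of(procs), []

    def walk(pid, depth):
        p = procs[pid]
        lines.append(f"{'  ' * depth}{p['image']} (PID {pid}, PPID {p['ppid']}, MD5 {p['md5']})")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for root in root_pids(procs):
        walk(root, 0)
    return lines


def document_argument(cmdline):
    """Last command-line token if it looks like a document path, else None."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(tokens) < 2:
        return None
    last = tokens[-1].strip('"')
    if last.startswith(("-", "/")):   # a switch such as -Embedding, not a file
        return None
    return last if os.path.splitext(last)[1] else None


def triage(procs):
    """Tag each process; tag names and their meaning are the author's assumptions."""
    tags, hashes_by_image = defaultdict(list), defaultdict(set)
    for p in procs.values():
        hashes_by_image[p["image"].lower()].add(p["md5"])
    for pid, p in procs.items():
        image, cmd = p["image"].lower(), p["cmdline"].lower()
        # rundll32 loading shell32!SHCreateLocalServerRunDll with -Embedding is the
        # shell hosting an out-of-process COM server; alone it is not an indicator.
        if image == "rundll32.exe" and "shell32.dll,shcreatelocalserverrundll" in cmd:
            tags[pid].append("com-local-server")
        if image == "openwith.exe":   # the "How do you want to open this file?" dialog
            tags[pid].append("openwith-dialog")
        parent = procs.get(p["ppid"])
        if parent and parent["image"].lower() == "openwith.exe":
            tags[pid].append("handler-chosen-in-openwith")   # a handler was picked interactively
        doc = document_argument(p["cmdline"])
        if doc:
            tags[pid].append("document:" + os.path.splitext(doc)[1].lower())
        if len(hashes_by_image[image]) > 1:   # same image name backed by different binaries
            tags[pid].append("image-hash-mismatch")
    return dict(tags)


if __name__ == "__main__":
    procs = parse_processes(TREE_LINES, HEADER_LINES)
    print("\n".join(render_tree(procs)))
    for pid, t in sorted(triage(procs).items()):
        print(pid, ", ".join(t))
```

Run as-is it prints the tree with notepad.exe 2212 nested under OpenWith.exe and the two remaining notepad.exe instances as roots whose parent (PID 4380) was never analysed, which is the reason the "Not all processes were analyzed" warning in this report matters for tree reconstruction.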

Malware Configuration
⊘ No configs have been found

Yara Signatures
⊘ No yara matches

Sigma Signatures
⊘ No Sigma rule has matched



Suricata Signatures
⊘ No Suricata rule has matched

Joe Sandbox Signatures

Boot Survival

Sets file extension default program settings to executables

Mitre Att&ck Matrix

One line per tactic. Leading numbers are the hit badges shown in the matrix; entries without a badge are the matrix's default, unmatched cells.

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook
Privilege Escalation: 1 1 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook
Defense Evasion: 1 Masquerading | 1 Rundll32 | 1 1 Process Injection | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: 1 File and Directory Discovery | 1 1 System Information Discovery | Query Registry | System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture
Command and Control: Data Obfuscation | Junk Data | Steganography | Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction

Behavior Graph

(Rendered graph image; the text recoverable from it follows.)
ID: 1542248, Sample: Scripts.zip, Startdate: 25/10/2024, Architecture: WINDOWS, Score: 21
Process nodes: rundll32.exe, OpenWith.exe, notepad.exe, notepad.exe, notepad.exe (OpenWith.exe started notepad.exe; the remaining processes are drawn as started directly). Node counters shown: 28 and 9.
Signature node: Sets file extension default program settings to executables
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.



Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample

⊘ No Antivirus matches

Dropped Files

⊘ No Antivirus matches

Unpacked PE Files

⊘ No Antivirus matches

Domains

⊘ No Antivirus matches

URLs

⊘ No Antivirus matches



Domains and IPs
Contacted Domains

⊘ No contacted domains info

World Map of Contacted IPs

⊘ No contacted IP infos

General Information
Joe Sandbox version: 41.0.0 Charoite

Analysis ID: 1542248

Start date and time: 2024-10-25 17:37:11 +02:00

Joe Sandbox product: CloudBasic

Overall analysis duration: 0h 4m 9s

Hypervisor based Inspection enabled: false

Report type: light

Cookbook file name: defaultwindowsinteractivecookbook.jbs

Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip
23.01

Number of new started processes analysed: 25

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, AMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Sample name: Scripts.zip

Detection: SUS

Classification: sus21.winZIP@6/0@0/0

EGA Information: Failed

HCA Information: Successful, ratio: 100%


Number of executed functions: 0
Number of non-executed functions: 0

Cookbook Comments: Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, Microsoft.Photos.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes were analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Scripts.zip

Simulations
Behavior and APIs
Time Type Description

11:38:41 API Interceptor 1x Sleep call for process: OpenWith.exe modified

11:38:55 API Interceptor 1x Sleep call for process: notepad.exe modified



Joe Sandbox View / Context
IPs

⊘ No context

Domains

⊘ No context

ASNs

⊘ No context

JA3 Fingerprints

⊘ No context

Dropped Files

⊘ No context

Created / dropped Files


⊘ No created / dropped files found

Static File Info


General
File type: Zip archive data, at least v2.0 to extract, compression method=store

Entropy (8bit): 7.848320309889995

TrID: ZIP compressed archive (8000/1) 100.00%

File name: Scripts.zip

File size: 86'223 bytes

MD5: 1bd6e701796c839198341741d98cbffe

SHA1: e54da49bb1d7de8be6a5834050240eeceeaa32f6

SHA256: c7458230f00eeb1091c835454895befd9104cecbcd42debd3bb007569ee1263a

SHA512: 8fbd143042a6f2035f1088ebfa016d63c0e0c31b664413f1957abfcd37955c43e169b0b9746578f1d3aa8f132729881ae5c2d24b772ee975c7cc060f7ae0084e

SSDEEP: 1536:+AlWpaDE1EZd0Nxy4D9zwppiy8AvMHWyp9xLDhcSPMSsy6iWrsnidO:gd1qdigpifAk2AbHyTivnH

TLSH: 2183F2039F48CA34DC0FD275A61409C282398D519059F283F7BFCACA9E4F79A1F5A54E

File Content Preview: PK.........sYY................Scripts/Scripts_Envio_01.zipPK........BB.Y'[email protected].....&}.....K.5..!....T. ..o..D.Z7..f~....fY2......SJl..].Q]....j.].I.b.......x%./.;...3B=........t[................'...........

File Icon

Icon Hash: 1c1c1e4e4ececedc
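The static section above says three things worth checking before detonation: the outer archive is stored (compression method=store), its first member is itself a ZIP (Scripts/Scripts_Envio_01.zip), and the 8-bit entropy is 7.85. The script below is an added example, not part of the report or of Joe Sandbox: it builds a constructed archive with that layout in memory (the inner .sql names are the ones this report opened; Scripts_Envio_02.zip, Scripts_Envio_03.zip and the SQL text are made up), walks nested ZIPs without extracting to disk, measures entropy the way the report does, and flags risky member extensions. The RISKY_EXTS list and the depth limit are the author's choices.

```python
"""Static triage of a ZIP sample without extracting it to disk.

Added example; not part of the report or of Joe Sandbox. build_sample()
constructs an archive mirroring this report's layout: a stored outer ZIP
holding deflated inner ZIPs of .sql files. Member names other than
Scripts_Envio_01.zip and the three .sql file names are made up.
"""
import hashlib
import io
import math
import os
import zipfile
from collections import Counter

# Author's list of extensions worth escalating when found inside an archive.
RISKY_EXTS = {".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf",
              ".hta", ".cmd", ".bat", ".ps1", ".lnk", ".iso", ".img", ".msi"}


def shannon_entropy(data: bytes) -> float:
    """8-bit entropy in bits per byte (0..8), as the report's Entropy field."""
    if not data:
        return 0.0
    n, counts = len(data), Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk_zip(data: bytes, prefix="", depth=0, max_depth=4):
    """Yield (path, size, compress_type, depth), recursing into nested ZIPs in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            yield path, info.file_size, info.compress_type, depth
            if info.filename.lower().endswith(".zip") and depth < max_depth:
                # Assumption: declared sizes are trusted; a bomb check belongs here.
                yield from walk_zip(zf.read(info), path + "/", depth + 1, max_depth)


def triage_zip(data: bytes) -> dict:
    members = list(walk_zip(data))
    files = [p for p, _, _, _ in members if not p.endswith("/")]
    exts = Counter(os.path.splitext(p)[1].lower() for p in files)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 3),
        "members": len(members),
        "max_depth": max((d for *_, d in members), default=0),
        "outer_stored": all(ct == zipfile.ZIP_STORED for _, _, ct, d in members if d == 0),
        "extensions": dict(exts),
        "risky": sorted(p for p in files if os.path.splitext(p)[1].lower() in RISKY_EXTS),
    }


def build_sample(with_risky=False) -> bytes:
    """Constructed sample: stored outer ZIP, deflated inner ZIPs of .sql text."""
    def inner_zip(folder, names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            for name in names:
                z.writestr(f"{folder}/{name}", "CREATE TABLE t (id INT);\n" * 200)
        return buf.getvalue()

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("Scripts/Scripts_Envio_01.zip", inner_zip("Scripts_Envio_01", ["01_PFI_PIGNORA_TABLE.sql"]))
        z.writestr("Scripts/Scripts_Envio_02.zip", inner_zip("Scripts_Envio_02", ["06_Seguridad.sql"]))
        z.writestr("Scripts/Scripts_Envio_03.zip", inner_zip("Scripts_Envio_03", ["7_SP_GRABAR_SEG_ACCESOS_HIS.sql"]))
        if with_risky:   # hypothetical lure member, not in this report
            z.writestr("Scripts/readme.pdf.lnk", b"L\x00\x00\x00")
    return outer.getvalue()


if __name__ == "__main__":
    for key, value in triage_zip(build_sample()).items():
        print(f"{key}: {value}")
```

The entropy value is the caveat here: a stored ZIP whose members are already compressed is near 8 bits per byte whatever it contains, so the 7.85 in this report says nothing about packing or encryption of the payload; the member listing, the nesting depth and the extensions inside are what carry signal.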

Network Behavior
⊘ No network behavior found



Statistics

Behavior
(Chart image.) Analysed processes: rundll32.exe, OpenWith.exe, notepad.exe, notepad.exe, notepad.exe

System Behavior

Analysis Process: rundll32.exe PID: 6972, Parent PID: 804

General
Target ID: 0

Start time: 11:37:48

Start date: 25/10/2024

Path: C:\Windows\System32\rundll32.exe

Wow64 process (32bit): false

Commandline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Imagebase: 0x7ff7eb370000

File size: 71'680 bytes

MD5 hash: EF3179D498793BF4234F708D3BE28633

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: high

Has exited: true

Analysis Process: OpenWith.exe PID: 3588, Parent PID: 804

General
Target ID: 10

Start time: 11:38:40

Start date: 25/10/2024

Path: C:\Windows\System32\OpenWith.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\OpenWith.exe -Embedding

Imagebase: 0x7ff6aecc0000

File size: 123'984 bytes

MD5 hash: E4A834784FA08C17D47A1E72429C5109

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: high

Has exited: true

File Activities
Hidden Windows behavior, not shown in this report.

Registry Activities
Hidden Windows behavior, not shown in this report.

Analysis Process: notepad.exe PID: 2212, Parent PID: 3588

General
Target ID: 12

Start time: 11:38:50

Start date: 25/10/2024

Path: C:\Windows\System32\notepad.exe

Wow64 process (32bit): false

Commandline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_01\01_PFI_PIGNORA_TABLE.sql

Imagebase: 0x7ff7cda80000

File size: 201'216 bytes

MD5 hash: 27F71B12CB585541885A31BE22F61C83

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: moderate

Has exited: true

File Activities
Hidden Windows behavior, not shown in this report.

Registry Activities
Key Created
Key Path | Completion | Count | Source Address | Symbol
HKEY_CURRENT_USER\Software\Microsoft\Notepad | success or wait | 1 | 7FF7CDA90605 | RegCreateKeyW

Key Value Created

Key Path | Name | Type | Data | Completion | Count | Source Address | Symbol
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | fWindowsOnlyEOL | dword | 0 | success or wait | 1 | 7FF7CDA90636 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | fPasteOriginalEOL | dword | 0 | success or wait | 1 | 7FF7CDA90636 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | fReverse | dword | 0 | success or wait | 1 | 7FF7CDA90636 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | fWrapAround | dword | 0 | success or wait | 1 | 7FF7CDA90636 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | fMatchCase | dword | 0 | success or wait | 1 | 7FF7CDA90636 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | iWindowPosX | dword | 234 | success or wait | 1 | 7FF7CDA90497 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | iWindowPosY | dword | 234 | success or wait | 1 | 7FF7CDA90497 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | iWindowPosDX | dword | 960 | success or wait | 1 | 7FF7CDA90497 | RegSetValueExW
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad | iWindowPosDY | dword | 717 | success or wait | 1 | 7FF7CDA90497 | RegSetValueExW
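The registry rows for notepad.exe (PID 2212) above are the editor saving its own window position and search flags under HKCU\SOFTWARE\Microsoft\Notepad. The write that earned the Boot Survival signature "Sets file extension default program settings to executables" came from OpenWith.exe, whose registry activity this light report hides. The script below is an added example, not part of the report or of Joe Sandbox, that classifies registry writes in the report's row shape and separates editor UI state from file-association changes and from Run-key style persistence. The nine REPORT_ROWS are taken from this report; the two CONSTRUCTED_ROWS are hypothetical, including the FileExts\.sql\UserChoice row, which is the author's assumption about the shape of the hidden OpenWith.exe write and not a row from this report. Categories, patterns and severities are the author's rules.

```python
"""Classify registry writes taken from a Joe Sandbox "Registry Activities" table.

Added example; not part of the report or of Joe Sandbox. REPORT_ROWS are
the notepad.exe (PID 2212) value writes in this report. CONSTRUCTED_ROWS
are hypothetical inputs added so the association and persistence branches
run. The rules and severities are the author's.
"""
import re
from collections import Counter

NOTEPAD_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad"
# Row shape: (key_path, value_name, value_type, data, symbol)
REPORT_ROWS = [
    (NOTEPAD_KEY, "fWindowsOnlyEOL", "dword", "0", "RegSetValueExW"),
    (NOTEPAD_KEY, "fPasteOriginalEOL", "dword", "0", "RegSetValueExW"),
    (NOTEPAD_KEY, "fReverse", "dword", "0", "RegSetValueExW"),
    (NOTEPAD_KEY, "fWrapAround", "dword", "0", "RegSetValueExW"),
    (NOTEPAD_KEY, "fMatchCase", "dword", "0", "RegSetValueExW"),
    (NOTEPAD_KEY, "iWindowPosX", "dword", "234", "RegSetValueExW"),
    (NOTEPAD_KEY, "iWindowPosY", "dword", "234", "RegSetValueExW"),
    (NOTEPAD_KEY, "iWindowPosDX", "dword", "960", "RegSetValueExW"),
    (NOTEPAD_KEY, "iWindowPosDY", "dword", "717", "RegSetValueExW"),
]
CONSTRUCTED_ROWS = [   # hypothetical rows, not from this report
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sql\UserChoice",
     "ProgId", "unicode", r"Applications\notepad.exe", "RegSetValueExW"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Updater", "unicode", r"C:\Users\user\AppData\Roaming\updater.exe", "RegSetValueExW"),
]

# Ordered rules over the key path; the first match wins.
RULES = [
    ("persistence-run-key", re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)(\\|$)", re.I)),
    ("persistence-winlogon", re.compile(r"\\CurrentVersion\\Winlogon$", re.I)),
    ("persistence-ifeo", re.compile(r"\\Image File Execution Options\\", re.I)),
    ("file-association", re.compile(r"\\Explorer\\FileExts\\\.[^\\]+\\(UserChoice|OpenWithList|OpenWithProgids)", re.I)),
    ("file-association", re.compile(r"\\Classes\\[^\\]+\\shell\\[^\\]+\\command$", re.I)),
    ("editor-ui-state", re.compile(r"\\Microsoft\\Notepad$", re.I)),
]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXE_PATH_RE = re.compile(r"[a-z]:\\[^\"]*?\.(exe|dll|scr|cmd|bat|ps1|vbs|js|hta)\b", re.I)


def classify_write(key_path):
    for category, pattern in RULES:
        if pattern.search(key_path):
            return category
    return "uncategorised"


def points_outside_system(data):
    """True if data names an absolute executable path outside System32/SysWOW64."""
    m = EXE_PATH_RE.search(data)
    return bool(m) and not m.group(0).lower().startswith(SYSTEM_DIRS)


def rate(row):
    """Return (category, severity) for one table row."""
    key_path, _name, _type, data, _symbol = row
    category = classify_write(key_path)
    if category.startswith("persistence"):
        severity = "high"
    elif category == "file-association":
        # An association handed to a non-system executable is what the
        # "Sets file extension default program settings to executables"
        # signature family is after; one that names notepad.exe is not.
        severity = "medium" if points_outside_system(data) else "low"
    else:
        severity = "info"
    return category, severity


def summarize(rows):
    return Counter(rate(r) for r in rows)


if __name__ == "__main__":
    for row in REPORT_ROWS + CONSTRUCTED_ROWS:
        print(rate(row), row[0], row[1], row[3])
    print(summarize(REPORT_ROWS + CONSTRUCTED_ROWS))
```

On this report's rows the summary is nine editor-ui-state/info hits and nothing else, which is the result to expect from a user choosing Notepad in the Open With dialog on an interactive cookbook; the signature fires on the category of change, not on where the association points, so the Data column of the hidden OpenWith.exe row is the check that decides whether a score of 21 deserves a second look.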

Analysis Process: notepad.exe PID: 1904, Parent PID: 4380

General
Target ID: 17

Start time: 11:39:16

Start date: 25/10/2024

Path: C:\Windows\System32\notepad.exe

Wow64 process (32bit): false

Commandline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_02\06_Seguridad.sql

Imagebase: 0x7ff7cda80000

File size: 201'216 bytes

MD5 hash: 27F71B12CB585541885A31BE22F61C83

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: moderate

Has exited: true

File Activities
Hidden Windows behavior, not shown in this report.

Analysis Process: notepad.exe PID: 5080, Parent PID: 4380

General
Target ID: 23

Start time: 11:39:51

Start date: 25/10/2024

Path: C:\Windows\System32\notepad.exe

Wow64 process (32bit): false

Commandline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Scripts\Scripts\Scripts_Envio_03\7_SP_GRABAR_SEG_ACCESOS_HIS.sql

Imagebase: 0x7ff7cda80000

File size: 201'216 bytes

MD5 hash: 27F71B12CB585541885A31BE22F61C83

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: moderate

Has exited: false

File Activities
Hidden Windows behavior, not shown in this report.



Disassembly
⊘ No disassembly
