Windows Analysis Report config_xml.js

Overview

General Information

Sample Name: config_xml.js
Analysis ID: 491729
MD5: 21ec939eb873eda0ac91bf0c4dbb2a6e
SHA1: 4b88725c8b4f09edccf7cc70557c26c6a5d34ccf
SHA256: cc6f27e54cac322380736bc5c7153a4ac07ce4466f69e06d780dba9e8b27a2b8
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Program does not show much activity (idle)
Java / VBScript file with very long strings (likely obfuscated code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Source: wscript.exe, 00000000.00000002.666056971.00000287402E5000.00000004.00000040.sdmp String found in binary or memory: http://ns.ad
Source: wscript.exe, 00000000.00000002.665941348.000002873FFBA000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.666105863.0000028741DD0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.665639824.000002873FFDF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.666056971.00000287402E5000.00000004.00000040.sdmp, config_xml.js String found in binary or memory: http://www.techsmith.com/xmp/tsc/

System Summary:

barindex
Java / VBScript file with very long strings (likely obfuscated code)
Source: config_xml.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: classification engine Classification label: clean1.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior

Anti Debugging:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 491729 Sample: config_xml.js Startdate: 27/09/2021 Architecture: WINDOWS Score: 1 4 wscript.exe 2->4         started       
No contacted IP infos