Windows Analysis Report
Scan 4405.vbs

Overview

General Information

Sample Name: Scan 4405.vbs
Analysis ID: 632579
MD5: 5e8adfeca0bdc8322938f25e46efa629
SHA1: bd6dad1a8d3335216e53217773b798c553cdfae1
SHA256: ab87133662dddfbede53d3bbb558cb5f0720ffdd42136358c1a30f1d9919aba7
Tags: vbs

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found potential dummy code loops (likely to delay analysis)
Potential malicious VBS script found (suspicious strings)
Yara signature match
JavaScript / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage

Classification

System Summary

Source: Initial file: STEGHE.ShellExecute vicilinaf, espressoe & chr(34) & DRIVHUS & chr(34), vbnullstring, vbnullstring, 0 (five-argument ShellExecute is the Shell.Application method; the trailing 0 is the vShow argument, so the launched process gets a hidden window)
Source: Scan 4405.vbs, type: SAMPLE Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: Scan 4405.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy settings; wscript.exe reads this key at startup, so the access by itself is expected host behaviour)
Source: classification engine Classification label: mal48.evad.winVBS@1/0@0/0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the CLSID of the VBScript language engine, vbscript.dll, loaded to run the sample)
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Scan 4405.vbs"
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
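The static signatures above (string literals longer than 50 characters, a Shell.Application.ShellExecute call whose vShow argument is 0, a do-nothing counting loop used to burn analysis time, and the WScript.Shell plus PowerShell combination the YARA rule keys on) can be approximated in a small triage script. The block below is an added example written for this page; it is not Joe Sandbox code and not the Neo23x0 YARA rule, and the loop-size threshold, the score weights and the two VBS snippets it runs over are this example's own constructed assumptions, not the real sample.

```python
import re
from dataclasses import dataclass, field

LONG_STRING_MIN = 50            # literal length the report's heuristic keys on
DELAY_LOOP_MIN_ITER = 100_000   # assumed threshold for a "dummy" delay loop

STRING_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')
SHELLEXECUTE = re.compile(r'\.ShellExecute\s+(.+)$', re.IGNORECASE | re.MULTILINE)
FOR_LOOP = re.compile(r'\bFor\s+\w+\s*=\s*(\d+)\s+To\s+(\d+)\b(.*?)\bNext\b',
                      re.IGNORECASE | re.DOTALL)
SCALAR_ASSIGN = re.compile(r'^\w+\s*=\s*[\w\s+\-*/]+$')   # e.g. NQ = NQ + 1, no calls/objects
WSCRIPT_SHELL = re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)
POWERSHELL = re.compile(r'\bpowershell\b', re.IGNORECASE)


@dataclass
class Findings:
    long_strings: list = field(default_factory=list)
    hidden_shellexecute: list = field(default_factory=list)
    dummy_loops: list = field(default_factory=list)
    wscript_shell_powershell: bool = False

    def score(self) -> int:
        """Crude additive score; the weights are this example's own choice."""
        return (min(len(self.long_strings), 3)
                + 3 * len(self.hidden_shellexecute)
                + 2 * len(self.dummy_loops)
                + (3 if self.wscript_shell_powershell else 0))


def triage_vbs(src: str) -> Findings:
    """Run the four static heuristics over VBS source text."""
    f = Findings()
    f.long_strings = [s for s in STRING_LITERAL.findall(src) if len(s) > LONG_STRING_MIN]
    for m in SHELLEXECUTE.finditer(src):
        args = m.group(1).strip()
        # Shell.Application.ShellExecute(file, args, dir, verb, vShow): trailing 0 hides the window
        if re.search(r',\s*0\s*$', args):
            f.hidden_shellexecute.append(args)
    for m in FOR_LOOP.finditer(src):
        lo, hi, body = int(m.group(1)), int(m.group(2)), m.group(3)
        stmts = [ln.strip() for ln in body.replace(":", "\n").splitlines() if ln.strip()]
        # a huge loop whose body is only scalar arithmetic does no work except waste time
        if hi - lo + 1 >= DELAY_LOOP_MIN_ITER and all(SCALAR_ASSIGN.match(s) for s in stmts):
            f.dummy_loops.append(m.group(0).split("\n")[0].strip())
    f.wscript_shell_powershell = bool(WSCRIPT_SHELL.search(src) and POWERSHELL.search(src))
    return f


# Constructed VBS shaped after the behaviour in the report (long literal, hidden
# ShellExecute, delay loop, WScript.Shell + powershell). Not the real sample.
CONSTRUCTED_SAMPLE = (
    'Set STEGHE = CreateObject("Shell.Application")\n'
    'Set WSH = CreateObject("WScript.Shell")\n'
    'DRIVHUS = "' + "A" * 80 + '"\n'
    'espressoe = "powershell -w hidden -enc "\n'
    'For ZQ = 1 To 12000000\n'
    '    NQ = NQ + 1\n'
    'Next\n'
    'STEGHE.ShellExecute "cmd.exe", espressoe & chr(34) & DRIVHUS & chr(34), '
    'vbnullstring, vbnullstring, 0\n'
)

# Constructed benign script: a small loop that does real work, no shell launch.
BENIGN_SAMPLE = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'For i = 1 To 10\n'
    '    WScript.Echo fso.GetFolder("C:\\Temp").Path\n'
    'Next\n'
)

if __name__ == "__main__":
    for name, src in (("constructed", CONSTRUCTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage_vbs(src)
        print(name, "score", r.score(), r)
```

The heuristics are deliberately loose (a regex cannot follow string concatenation or late-bound object names such as STEGHE), so treat a hit as a reason to detonate the file in a sandbox, not as a verdict; the delay-loop and hidden-window checks in particular are what separate a script like this from ordinary admin VBS.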

Anti Debugging

Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 85% for more than 60s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a per-installation identifier commonly read to fingerprint the host or recognise a known analysis machine)
No contacted IP information (no network activity was observed during the run)