Edit tour
Windows
Analysis Report
Scan 4405.vbs
Overview
General Information
| Sample Name: | Scan 4405.vbs |
| Analysis ID: | 632579 |
| MD5: | 5e8adfeca0bdc8322938f25e46efa629 |
| SHA1: | bd6dad1a8d3335216e53217773b798c553cdfae1 |
| SHA256: | ab87133662dddfbede53d3bbb558cb5f0720ffdd42136358c1a30f1d9919aba7 |
| Tags: | vbs |
| Infos: |  |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found potential dummy code loops (likely to delay analysis)
Potential malicious VBS script found (suspicious strings)
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage
Classification
- System is w10x64
wscript.exe (PID: 6384 cmdline: C:\Windows \System32\ wscript.ex e "C:\User s\user\Des ktop\Scan 4405.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth |
|
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
System Summary |   |
|---|
| Source: | Initial file: | ||
| Source: | Matched rule: | ||
| Source: | Initial sample: | ||
| Source: | Process Stats: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Window found: | Jump to behavior | ||
Anti Debugging | |
|---|
| Source: | Process Stats: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 121 Scripting | Path Interception | Path Interception | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 121 Scripting | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 5% | Virustotal | Browse | ||
| 2% | ReversingLabs | Win32.Trojan.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox Version: | 34.0.0 Boulder Opal |
| Analysis ID: | 632579 |
| Start date and time: 23/05/202219:40:23 | 2022-05-23 19:40:23 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 7m 20s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Scan 4405.vbs |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 21 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal48.evad.winVBS@1/0@0/0 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 23.213.168.66, 51.104.136.2, 51.11.168.232
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, settings-prod-neu-2.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, settings-prod-uks-1.uksouth.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, atm-settingsfe-prod-geo.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 5.680075831434168 |
| TrID: |
|
| File name: | Scan 4405.vbs |
| File size: | 98906 |
| MD5: | 5e8adfeca0bdc8322938f25e46efa629 |
| SHA1: | bd6dad1a8d3335216e53217773b798c553cdfae1 |
| SHA256: | ab87133662dddfbede53d3bbb558cb5f0720ffdd42136358c1a30f1d9919aba7 |
| SHA512: | f0b733424fd4e3ceb971c46280ac54a32f0e4180f84c61c8c07e623eeae83ad86971384ac97fd95e8172c2e2aba87cc0c7a20f937f5079d5371a72666e9acd72 |
| SSDEEP: | 1536:hxs1Mwn50M7Sp5riTA4455Ib0BDKAhhIO7M5j3CCj41Rf58IKiAQIBq9:IpCXp4C5IQN5hOO7M5DK1Rf5JKLQIk9 |
| TLSH: | A5A3709CA7D2DDBB66C4CB647DAF4B035D4694E198FE01F7244A28D6A41C7F08E2E803 |
| File Content Preview: | 'Skyldfr Medal Finan Westerl FURUNCLESK MICRON DISPOSSE noncan LIZARYOCTA Mjavdefens Monitering Misalp eksklu Pelsvrker ..'UNENTHUSED lyophobic Ozonl Tortonian3 datas Bugtnin Tabskont coronet Trowelerha Retina5 NODDYEK maksi CRINALWI tachylyti Piet Undef4 |
 | |
| Icon Hash: | e8d69ece869a9ec4 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 19:41:38 |
| Start date: | 23/05/2022 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7db660000 |
| File size: | 163840 bytes |
| MD5 hash: | 9A68ADD12EB50DDE7586782C3EB9FF9C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
⊘No disassembly