Windows Analysis Report
PUMP mt310143121.vbs

Overview

General Information

Sample Name: PUMP mt310143121.vbs
Analysis ID: 715071
MD5: 41ad96654d44ef375097eeeb83818cf7
SHA1: 20dae7bc9d6dc2c5f947de3f871d617fb36e6edc
SHA256: 28bf271ec1576c0e7d1b2a243de952bb70c25711cdc9c2d4494002a3e2f346ca
Tags: GuLoader, vbs

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Found potential dummy code loops (likely to delay analysis)
Potential malicious VBS script found (suspicious strings)
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage

Classification

System Summary

Source: Initial file: Strygeorke.ShellExecute Flogste, "-NoExit -E" & Sammentr(110) & Sammentr(99) & "oded" & "Command " & chr(34) & Ambulating58 & chr(34), "", "", 0
Source: 00000000.00000003.248640699.000002222676D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: PUMP mt310143121.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal56.evad.winVBS@1/0@0/0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Createobject("Scripting.Dictionary")Set Flogste0 = Createobject("Scripting.Dictionary")Set Flogste0 = Createobject("Scripting.Dictionary")Set Flogste0 = Createobject("Scripting.Dictionary")Bonavi.RegWrite deliz,Bazookaern,curicSet Flogste0 = Createobject("Scripting.Dictionary")Set Flogste0 = Createobject("Scripting.Dictionary")Set Flogste0 = Createobject("Scripting.Dictionary"
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer

Anti Debugging

Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 85% for more than 60s
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos