Edit tour

Windows Analysis Report
ORDER_001.vbs

Overview

General Information

Sample name:	ORDER_001.vbs
Analysis ID:	1523163
MD5:	2da95c45a16570fe5a54d7d69c0a4660
SHA1:	47686ceac80fef7a3b5402ca2f72e09d1b5827f8
SHA256:	3e18c135dee79e6de78802901e67f1115d4c39ba4a197981543169fed415181f
Tags:	vbsuser-abuse_ch
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Sigma detected: WScript or CScript Dropper

Found WSH timer for Javascript or VBS script (likely evasive script)

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6320 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs", ProcessId: 6320, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs", ProcessId: 6320, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: wscript.exe, 00000000.00000002.4617158163.0000017068E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.4617158163.0000017068E89000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.4617158163.0000017068E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000002.4617158163.0000017068F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5b77d2ef9b

Source: ORDER_001.vbs

Initial sample: Strings found which are bigger than 50

Source: wscript.exe, 00000000.00000002.4617158163.0000017068F66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n.aeCo.HusBapTol.aiUnwordE (Tr$SaVSyaUdlExiL dUdaS wordAdaCebU l AeM ).r ');Rewordfrdighedsflelsens (Mewordropolens 'Tr[SvNSyeDaword,e.TuSTee urwordxword . covSwordi rcNeeB PC oNoiNonA wordGuMGra wordnwordxword . c,aThgude .rAi]Sn:Ac:ArSsaeeycwordxword . couTarwordxword . cuiMawordWiyKaP,ar no Sword,ro cIno OlB. Du= o Se[NoNSveAfwordT..wordrSVeeS c ruQur BiBywordDiyLePO r eoSkword xoPrcdeo flBjT y,opM e ]Di:R : TU l.ys o1.g2 H ');$Evaporeringerne=$shearer[0];$Syresalwords=(Mewordropolens 'Un$Big ULsao,pbB.A Elgo: nHIny ,g rSwo pUnhBaYLswordkoeIn=TiNR ESwordwwordxword . ci- eO MBDojW,e LC iwordSh a sTiy ,sDiwordMueNoMSo.SlnBje TSh.PhW BeUnb,acAnL ,I .EUbNPeTCy ');Rewordfrdighedsflelsens ($Syresalwords);Rewordfrdighedsflelsens (Mewordropolens ' G$ H UyCogNorGroUdp hwordxword . c ySdwordIneRe.ceHM eMia SdA,eInrBes.i[S.$ lSHeaBhmkrm Te in Ls HwordBiy kDenMui nJegIneD,niwordsQu] a=S $ DApians mpByo osS.i Rwordwordxword . c,i aob,n sP.nU,uS mnam SeO r ,ewordxword . cor iwordxword . conN gSysre ');$Nonconfirmawordion118=Mewordropolens 'S,$.lHKoyGugM r aoB p vh Cy ,word reHe. eDAfoA wTinRel o Za Pd pwordxword . c ai,elCre n(La$ nERev eaP,p oSvr ce Trdui On Mg ,ePorB nCeeU , a$MaA,rlSusI iMadJeiL.gUfh,eeS dals akPirReamivSee anineA ) D ';$Alsidighedskravene=$Plisshrerne;Rewordfrdighedsflelsens (Mewordropolens 'Re$DeG rLB,oDobTha .LQu: IPUneTeaS,RUnL SiUdkUnEd =sp(CeTudEchsUnwordUn-KoPSwordaDkwordReHCr wordxword . c$ iaRel aS.qI D eI mGLihBeeGrd DSChKP,r BAi v rESpnSwordEBe)Op ');while (!$Pearlike) {Rewordfrdighedsflelsens (Mewordropolens 'de$HogUrlHuoTab,ya Tl s:BaO uwordxword . ciwordArcS.h eaSkr CmGae fd a=A $BrwordSmr HuEpeM, ') ;Rewordfrdighedsflelsens $Nonconfirmawordion118;Rewordfrdighedsflelsens (Mewordropolens 'O S ,word saD r .wordmi-V SU.l ,eAdeDipw S4 ');Rewordfrdighedsflelsens (MewordroporB nCe
Source: wscript.exe, 00000000.00000003.2143121862.000001706B056000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2129902609.0000017068F23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145657324.000001706B060000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2130162482.000001706ADEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.4617443544.000001706AEC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2146391333.000001706B060000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145248851.000001706B05C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2129723315.000001706ADC1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.4617568963.000001706B060000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2143761707.000001706B05B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2129864207.000001706ADC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Arbejdsvgring = Arbejdsvgring & ".Sln"
Source: wscript.exe, 00000000.00000003.2143247519.000001706B037000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .Sln@
Source: wscript.exe, 00000000.00000002.4617443544.000001706AF87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rdropolens ' y$seg kl ,oHyb aaS lIn:Tas ShBreGaa rrU,eUnrSk= .$DaEBhvcoaB,pS.oSnr oeCorSpiHjnUng ,eArr en.aeCo.HusBapTol.aiUnwordE (Tr$SaVSyaUdlExiL dUdaS wordAdaCebU l AeM ).r ');Rewordfrdighedsflelsens (Mewordropolens 'Tr[SvNSyeDaword,e.TuSTee urwordxword . covSwordi rcNeeB PC oNoiNonA wordGuMGra wordnwordxword . c,aThgude .rAi]Sn:Ac:ArSsaeeycwordxword . couTarwordxword . cuiMawordWiyKaP,ar no Sword,ro cIno OlB. Du= o Se[NoNSveAfwordT..wordrSVeeS c ruQur BiBywordDiyLePO r eoSkword xoPrcdeo flBjT y,opM e ]Di:R : TU l.ys o1.g2 H ');$Evaporeringerne=$shearer[0];$Syresalwords=(Mewordropolens 'Un$Big ULsao,pbB.A Elgo: nHIny ,g rSwo pUnhBaYLswordkoeIn=TiNR ESwordwwordxword . ci- eO MBDojW,e LC iwordSh a sTiy ,sDiwordMueNoMSo.SlnBje TSh.PhW BeUnb,acAnL ,I .EUbNPeTCy ');Rewordfrdighedsflelsens ($Syresalwords);Rewordfrdighedsflelsens (Mewordropolens ' G$ H UyCogNorGroUdp hwordxword . c ySdwordIneRe.ceHM eMia SdA,eInrBes.i[S.$ lSHeaBhmkrm Te in Ls HwordBiy kDenMui nJegIneD,niwordsQu] a=S $ DApians mpByo osS.i Rwordwordxword . c,i aob,n sP.nU,uS mnam SeO r ,ewordxword . cor iwordxword . conN gSysre ');$Nonconfirmawordion118=Mewordropolens 'S,$.lHKoyGugM r aoB p vh Cy ,word reHe. eDAfoA wTinRel o Za Pd pwordxword . c ai,elCre n(La$ nERev eaP,p oSvr ce Trdui On Mg ,ePorB nCeeU , a$MaA,rlSusI iMadJeiL.gUfh,eeS dals akPirReamivSee anineA ) D ';$Alsidighedskravene=$Plisshrerne;Rewordfrdighedsflelsens (Mewordropolens 'Re$DeG rLB,oDobTha .LQu: IPUneTeaS,RUnL SiUdkUnEd =sp(CeTudEchsUnwordUn-KoPSwordaDkwordReHCr wordxword . c$ iaRel aS.qI D eI mGLihBeeGrd DSChKP,r BAi v rESpnSwordEBe)Op ');while (!$Pearlike) {Rewordfrdighedsflelsens (Mewordropolens 'de$HogUrlHuoTab,ya Tl s:BaO uwordxword . ciwordArcS.h eaSkr CmGae fd a=A $BrwordSmr HuEpeM, ') ;Rewordfrdighedsflelsens $Nonconfirmawordion118;Rewordfrdighedsflelsens (Mewordropolens 'O S ,word saD r .wordmi-V SU.l ,eAdeDipw S4 ');Rewordfrdighedsflelsens (Mewordropolens 'Nu$ Kg nlBro ebBraUmlG :DeP geS awordxword . clrHalRei Sk .eB =wordxword . c.(BiTpoe IsS word e- UPPoa wordxword . cword Sh L $D AOvlNos iG dSpiS gS h wordegid.esBokPrrRea SvCrepanCheUn)To ') ;Rewordfrdighedsflelsens (Mewordropolens 'Te$Crg.vl voK.bwordxword . cia SlPr: SPoword,naChbDelLee aswordewordN oDelO eCun m=Ta$G gR,l eoSvbP,a GlKl:.owordxword . cBeiwordxword . c l,mnr,u kmSam Se,rrUneAywordwordes I+S +Tw%As$Mos phNeeBoaCorAme lrSk. cAnoLouPin Iwordwordxword . c ') ;$Evaporeringerne=$shearer[$Swordableswordolen];}$Hovedhensynenes=288326;$wordxword . culdwordidsbeskfwordigelse=28742;Rewordfrdighedsflelsens (Mewordropolens '.h$Leg .lSuowordxword . crbOvaAll.e:GaKUpo TlHeoS nHai,os RaPowordUnoPyrSworde BnBesBr Co= B OvG heL word -IsCR o SnLewordDieA n owordTo S$AfA elknsO,i dSpiCrgI ha eD dM.sTokPhr wordxword . ca,ivN eExnPse e ');Rewordfrdighedsflelsens (Mewordropolens 'Zo$SwordgAml SoUnb Ca.wordl E:D O BuSuword,riH s sL uTre dGr S =Ra a[OvS RySos,iwordBrePamSk. mCC.o onDiv ,eL,rKnwordCl]Sword:wordxword . cr:c.wo

Source: classification engine

Classification label: sus22.winVBS@1/2@0/0

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs"

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 1460

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: wscript.exe, 00000000.00000002.4617158163.0000017068F66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.4617443544.000001706AF87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141288275.000001706AF87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142292945.000001706AF87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141871319.000001706AF87000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	21 Scripting	Valid Accounts	Windows Management Instrumentation	21 Scripting	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ORDER_001.vbs	3%	ReversingLabs	Win32.Dropper.Generic
ORDER_001.vbs	3%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	1%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	87.248.204.0	true	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523163
Start date and time:	2024-10-01 07:49:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ORDER_001.vbs
Detection:	SUS
Classification:	sus22.winVBS@1/2@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 87.248.204.0, 93.184.221.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:49:57	API Interceptor	1x Sleep call for process: wscript.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	46.228.146.0
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	41.63.96.128
	Snc2ZNvAZP.pdf	Get hash	malicious	Unknown	Browse	87.248.205.0
	https://cpanel.whitewestinghouse.com.py/	Get hash	malicious	Unknown	Browse	87.248.204.0
	https://www.givingday.communityschoolnaples.org/	Get hash	malicious	Unknown	Browse	46.228.146.128
	https://metaamaassilogg.gitbook.io/	Get hash	malicious	Unknown	Browse	87.248.204.0
	https://krakennylog.gitbook.io/us/	Get hash	malicious	HTMLPhisher	Browse	87.248.205.0
	https://metasdask-login.gitbook.io/us	Get hash	malicious	HTMLPhisher	Browse	87.248.205.0
	https://att-100184.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	87.248.204.0
	https://b12thgst9.weeblysite.com/	Get hash	malicious	Unknown	Browse	87.248.205.0

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	2.9844219596585932
Encrypted:	false
SSDEEP:	6:kK57D9Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:YD9LNkPlE99SNxAhUe/
MD5:	54C7B012B3F907B976E54DB7543AE229
SHA1:	A358DA0D914EAEA83F40B59409FB08E80E8F74BA
SHA-256:	BFC0AD56835C3FA02AE264A925715757937E65E177DDDF8F623BF175C52CB536
SHA-512:	501F5BAD3C51568B7EA9AA8D421E8FF41BC0F6B4F8EC56D977CA0F9827C40903B21C9EA21291B255BEE18FA5752CD3EB644279D89A63E5AEF8CF8560CDE76E89
Malicious:	false
Reputation:	low
Preview:	p...... ..........I.....(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.2314432397951105
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	ORDER_001.vbs
File size:	170'912 bytes
MD5:	2da95c45a16570fe5a54d7d69c0a4660
SHA1:	47686ceac80fef7a3b5402ca2f72e09d1b5827f8
SHA256:	3e18c135dee79e6de78802901e67f1115d4c39ba4a197981543169fed415181f
SHA512:	98ad196a6bfde7706d054f6f5a95fa646e7d8625e403627f188bc291202bb18dc01be8223ea8ceb03df85c678518ab92a417d58d80035a7f623daeb4e3436bb7
SSDEEP:	3072:dfSS2STehMCUzYthJshBKhA3s7kUHuXSk4HvzA6EE6RH1OexwQU+qKJ58mkkgNv9:dfSS2SihDUzYtPshBKhA3hUHuXSk4Pz3
TLSH:	EBF351B7CE063515AF993F815825EF6185B321B232321539C69FD7D87083AAC86FDE81
File Content Preview:	..........Mhedsbehovenesfore = "Meike" & "Cohomology" ..............Const Tritonerne135 = "vrangvilliges militrbataljon."..Const Taktlst = -34359..Const Omsejlings = &H3519..Const Peritonaeum = &H2AB1..Const Haspicol = "Nonadjustive, pupated"..Const Badmi

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 07:50:40.546320915 CEST	53	53460	162.159.36.2	192.168.2.6
Oct 1, 2024 07:50:41.049633026 CEST	53	53699	1.1.1.1	192.168.2.6

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 07:49:57.292449951 CEST	1.1.1.1	192.168.2.6	0xc5a3	No error (0)	windowsupdatebg.s.llnwi.net		87.248.204.0	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:49:56
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs"
Imagebase:	0x7ff79c9a0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER_001.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Network Behavior

UDP Packets

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wscript.exePID: 6320, Parent PID: 4004

General

Chronological Activities

Disassembly

Windows Analysis Report
ORDER_001.vbs