Windows Analysis Report
FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs

Overview

General Information

Sample name: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs
Analysis ID: 1524800
MD5: 4369ed90bc7fa07789bd41b3be7ca95b
SHA1: 5ce66b652029364496886c36bcc945a4a1d89d08
SHA256: 9af2116f48bf8770c286118e8570378987ccb3d76c214790deb92f9b2b7ae4a2
Tags: vbsuser-abuse_ch
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Creates processes via WMI
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Java / VBScript file with very long strings (likely obfuscated code)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs Virustotal: Detection: 15% Perma Link
Source: Binary string: powershell.pdbUGP source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe.1.dr
Source: Binary string: powershell.pdb source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe.1.dr

System Summary
barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} Jump to behavior
Java / VBScript file with very long strings (likely obfuscated code)
Source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs Initial sample: Strings found which are bigger than 50
Sample file is different than original file name gathered from version info
Source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe.1.dr Binary or memory string: OriginalFilenamePowerShell.EXEj% vs FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs
Source: classification engine Classification label: mal60.winVBS@3/1@0/0
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs"
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs Virustotal: Detection: 15%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs Static file information: File size 1957209 > 1048576
Source: Binary string: powershell.pdbUGP source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe.1.dr
Source: Binary string: powershell.pdb source: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe.1.dr

Persistence and Installation Behavior
barindex
Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\cmd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs.exe Jump to dropped file
Source: wscript.exe, 00000000.00000003.1855782478.00000255C35A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}tus
Source: wscript.exe, 00000000.00000003.1855782478.00000255C35A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1524800 Sample: FQ____RM quotation_JPEG IMA... Startdate: 03/10/2024 Architecture: WINDOWS Score: 60 17 Multi AV Scanner detection for submitted file 2->17 19 Sigma detected: WScript or CScript Dropper 2->19 7 wscript.exe 1 2->7         started        process3 signatures4 21 Windows Scripting host queries suspicious COM object (likely to drop second stage) 7->21 23 Creates processes via WMI 7->23 10 cmd.exe 2 7->10         started        process5 file6 15 FQ____RM quotation...hatsApp.BZ2.vbs.exe, PE32 10->15 dropped 13 conhost.exe 10->13         started        process7
No contacted IP infos