Windows Analysis Report
test.vbs.vbs

Overview

General Information

Sample name: test.vbs.vbs
(renamed file extension from danger to vbs)
Original sample name: test.vbs.danger
Analysis ID: 1526552
MD5: 274895d62060a2f6f5e0f146c9e22cd9
SHA1: 4466866f1f63a99ee7d29c3a130e1109da3a9cd2
SHA256: 4077b86ad73b0cecbae507e90b1de2283a796d3bfcad7bcf48a0d557df67c01b
Infos:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Java / VBScript file with very long strings (likely obfuscated code)
Source: test.vbs.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: sus22.winVBS@1/0@0/0
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs.vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1526552 Sample: test.vbs.danger Startdate: 06/10/2024 Architecture: WINDOWS Score: 22 7 Sigma detected: WScript or CScript Dropper 2->7 5 wscript.exe 2->5         started        process3
No contacted IP infos