presentation#_63605.vbs
This report is generated from a file or URL submitted to this webservice on July 31st 2020 22:12:52 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.31 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 3
External Systems
Sample was identified as malicious by a large number of Antivirus engines
- details
- 13/59 Antivirus vendors marked sample as malicious (22% detection rate)
- source
- External System
- relevance
- 10/10
Sample was identified as malicious by at least one Antivirus engine
- details
- 13/59 Antivirus vendors marked sample as malicious (22% detection rate)
- source
- External System
- relevance
- 8/10
Hiding 1 Malicious Indicator (all indicators are available only in the private webservice or standalone version)
Suspicious Indicators 2
Anti-Reverse Engineering
Possibly checks for known debuggers/analysis tools
- details
-
"xh,d605,vK,UA,HL,122,AgOm,eU,P,vK,120,127,d605,UA,vK,120,vK,aQ,aQ,eU,aQ,d605,nj,122,HL,JUL,d605,aQ,123,xT,xT,vK,xT,eU,d605,vK,avwB,HL,120,eU,xh,eU,F,122,dYd,HL,F,eU,YVh,d605,cDJ,HL,120,122,xh,123,F,YVh,d605,125,120,dYd,F,xT,d605,HFv,QVv,F,YVh,d605,A,123,F,P,122,dYd,HL,F,HFv)
Execute(freak(UAb)):
REM vigil apprentice adaptation, 7212926 finger starch norm suspensor yawn Narbonne655 PDP ambition antique Humphrey nolo Claudia, confocal
' storefront. 2465981 bellyaching thereabouts plane there cobalt seedbed oppose collage Warburton Bilbao bid devolve replica398 Angora hamlet kick venial fishery chaplain demitted hater Hanoi surge Sirius eighteen over getaway discomfit gridiron counterpart
Gfgg=Array(A,123,F,P,122,dYd,HL,F,d605,124,gTj,vK,tt,wO,Gn,G,HFv,QVv,HL,cDJ,QVv,dYd,b,121,wO,Gn,CEx,F,HL,F,eU,CEx,G,HFv,Xpwm,d605,121,127,F,vK,xT,HL,xT,123,eU,d605,avwB,123,F,YVh,vK,xh,eU,F,122,vK,aQ,KCnA,d605,yXVX,P,nJVw,123,xT,AgOm,d605,eU,F,122,AgOm,123,121,dYd,vK,121,122,dYd,P,d605,YVh,dYd,vK,xh,vK,xT,F,eU,122,dYd" (Indicator: "ntice")
"REM vigil apprentice adaptation, 7212926 finger starch norm suspensor yawn Narbonne655 PDP ambition antique Humphrey nolo Claudia, confocal" (Indicator: "ntice")
- source
- File/Memory
- relevance
- 2/10
Installation/Persistence
Executes a visual basic script
- details
- Process "wscript.exe" with commandline ""C:\presentation#_63605.vbs""
- source
- Monitored Target
- relevance
- 10/10
- ATT&CK ID
- T1064
Informative 3
General
Logged script engine calls
- details
-
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
"wscript.exe" called "Msxml2.ServerXMLHTTP.6.0.CreateObject" ...
- source
- API Call
- relevance
- 10/10
Installation/Persistence
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "wscript.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
"wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
"wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
"wscript.exe" touched file "C:\Windows\System32\scrrun.dll"
"wscript.exe" touched file "C:\Windows\System32\wbem\wbemdisp.tlb"
"wscript.exe" touched file "C:\Windows\System32\stdole2.tlb"
"wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
"wscript.exe" touched file "C:\Windows\system32\en\KERNELBASE.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\netmsg.dll"
"wscript.exe" touched file "C:\Windows\System32\en-US\winhttp.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\en-US\msxml6r.dll.mui"
"wscript.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"wscript.exe" touched file "C:\Windows\System32\wscript.exe"
"wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
- source
- API Call
- relevance
- 7/10
File Details
presentation#_63605.vbs
- Filename
- presentation#_63605.vbs
- Size
- 835KiB (855280 bytes)
- Type
- script vbs
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 7b340e434f877ab08ffad13da73885d8c676917a99046a0013f419e93cf1d322
- MD5
- 0ff63c4ace0522d66733e8c9bd84513d
- SHA1
- 3e3b03f14ab2ea89b2cc83cdbda5ee09cd7eb27e
- ssdeep
- 6144:rvq+I3kU7gOd9v/1MDZ+/v7UcUzpi2qWdjVhQNHBlVLKmI9zaquKHUwrXnZ:r9IF8OWz5ldjrQrfRYagRrnZ
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\presentation#_63605.vbs" (PID: 1752)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all sources for indicator ID "api-55" are available in the report