WSF Downloads Payload that Sets up a Server to Accept Incoming Connections | VMRay Analyzer Report
Analysis Information
Creation Time 2017-12-11 17:42 (UTC+1)
VM Analysis Duration Time 00:02:23
Execution Successful True
Sample Filename 2999babb0c6ca9fcc1aa03ad5606043d70f45a1495820c7a22250a584d371d70.wsf
Command Line Parameters False
Prescript False
Number of Processes 18
Termination Reason Timeout
Reputation Enabled True
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 41
VTI Rule Type Scripts
Tags
#malware
Remarks
Critical The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration.
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The dump total size limit was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The operating system was rebooted during the analysis.
Screenshots
Monitored Processes
Process Graph
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xf80 Analysis Target High (Elevated) cscript.exe "C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF" -
#3 0xbec Child Process High (Elevated) 84526935.scr "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr" /S #1
#4 0xcc4 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat" "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr"" #3
#6 0xd80 Child Process High (Elevated) cmd.exe cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr"" #4
#7 0xd68 Child Process High (Elevated) chakmcat.exe "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr" #6
#8 0xd84 Child Process High (Elevated) svchost.exe C:\Windows\system32\svchost.exe #7
#9 0x728 Injection Medium explorer.exe C:\Windows\Explorer.EXE #8
#10 0x85c Injection Medium runtimebroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding #9
#11 0xef0 Child Process Medium cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1" #9
#13 0xf7c Child Process Medium nslookup.exe nslookup myip.opendns.com resolver1.opendns.com #11
#14 0xd34 Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1" #9
#16 0xd24 Child Process Medium winmail.exe "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE #9
#17 0x2d4 Autostart Medium chakmcat.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe" -
#18 0x998 Child Process Medium svchost.exe C:\Windows\system32\svchost.exe #17
#19 0x2b4 Injection Medium explorer.exe C:\Windows\Explorer.EXE #18
#20 0x190 Child Process Medium runonce.exe C:\Windows\SysWOW64\runonce.exe /Run6432 #19
#21 0x11c Child Process Medium onenotem.exe "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr #19
#22 0x6e0 Injection Medium runtimebroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding #19
Sample Information
ID #20551
MD5 Hash Value 0f0e9fe1d73ea9c0587fb9b1489207f0
SHA1 Hash Value aa6cbb4f448a3e7654bc7272936239f176e05712
SHA256 Hash Value 2999babb0c6ca9fcc1aa03ad5606043d70f45a1495820c7a22250a584d371d70
Filename 2999babb0c6ca9fcc1aa03ad5606043d70f45a1495820c7a22250a584d371d70.wsf
File Size 94.99 KB (97272 bytes)
File Type Windows Script File
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-12-08 12:07
Internet Explorer Version 11.0.10240.16384
Chrome Version 58.0.3029.110
Firefox Version 53.0.3
Flash Version 25.0.0.148
Java Version 8.0.1310.11
VM Name win10_64
VM Architecture x86 64-bit
VM OS Windows 10 Threshold 1
VM Kernel Version 10.0.10240.16384 (c68ee22f-dcf6-4778-95c5-4a862be16567)
Function Logfile