WSF Downloads Payload that Sets-up a Server to Accept Incoming Connections | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-12-11 17:42 (UTC+1) |
| VM Analysis Duration Time | 00:02:23 |
| Execution Successful |
|
| Sample Filename | 2999babb0c6ca9fcc1aa03ad5606043d70f45a1495820c7a22250a584d371d70.wsf |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 18 |
| Termination Reason | Timeout |
| Reputation Enabled |
|
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 41 |
| VTI Rule Type | Scripts |
|
The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration. |
|
|
The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration. |
|
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
|
|
The operating system was rebooted during the analysis. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0xf80 | Analysis Target | High (Elevated) | cscript.exe | "C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF" | - |
| #3 | 0xbec | Child Process | High (Elevated) | 84526935.scr | "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr" /S | #1 |
| #4 | 0xcc4 | Child Process | High (Elevated) | cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat" "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr"" | #3 |
| #6 | 0xd80 | Child Process | High (Elevated) | cmd.exe | cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr"" | #4 |
| #7 | 0xd68 | Child Process | High (Elevated) | chakmcat.exe | "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr" | #6 |
| #8 | 0xd84 | Child Process | High (Elevated) | svchost.exe | C:\Windows\system32\svchost.exe | #7 |
| #9 | 0x728 | Injection | Medium | explorer.exe | C:\Windows\Explorer.EXE | #8 |
| #10 | 0x85c | Injection | Medium | runtimebroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | #9 |
| #11 | 0xef0 | Child Process | Medium | cmd.exe | cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1" | #9 |
| #13 | 0xf7c | Child Process | Medium | nslookup.exe | nslookup myip.opendns.com resolver1.opendns.com | #11 |
| #14 | 0xd34 | Child Process | Medium | cmd.exe | cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1" | #9 |
| #16 | 0xd24 | Child Process | Medium | winmail.exe | "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE | #9 |
| #17 | 0x2d4 | Autostart | Medium | chakmcat.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe" | - |
| #18 | 0x998 | Child Process | Medium | svchost.exe | C:\Windows\system32\svchost.exe | #17 |
| #19 | 0x2b4 | Injection | Medium | explorer.exe | C:\Windows\Explorer.EXE | #18 |
| #20 | 0x190 | Child Process | Medium | runonce.exe | C:\Windows\SysWOW64\runonce.exe /Run6432 | #19 |
| #21 | 0x11c | Child Process | Medium | onenotem.exe | "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr | #19 |
| #22 | 0x6e0 | Injection | Medium | runtimebroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | #19 |
| ID | #20551 |
| MD5 Hash Value | 0f0e9fe1d73ea9c0587fb9b1489207f0 |
| SHA1 Hash Value | aa6cbb4f448a3e7654bc7272936239f176e05712 |
| SHA256 Hash Value | 2999babb0c6ca9fcc1aa03ad5606043d70f45a1495820c7a22250a584d371d70 |
| Filename | 2999babb0c6ca9fcc1aa03ad5606043d70f45a1495820c7a22250a584d371d70.wsf |
| File Size | 94.99 KB (97272 bytes) |
| File Type | Windows Script File |
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2017-12-08 12:07 |
| Internet Explorer Version | 11.0.10240.16384 |
| Chrome Version | 58.0.3029.110 |
| Firefox Version | 53.0.3 |
| Flash Version | 25.0.0.148 |
| Java Version | 8.0.1310.11 |
| VM Name | win10_64 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 10 Threshold 1 |
| VM Kernel Version | 10.0.10240.16384 (c68ee22f-dcf6-4778-95c5-4a862be16567) |
