popup

Report - INSYy.wsf

Generic Malware Antivirus
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.07 09:26 Machine s1_win7_x6402
Filename INSYy.wsf
Type XML b^_ document, ASCII text, with very long lines, with CRLF line terminators
AI Score Not founds Behavior Score
8.2
ZERO API file : clean
VT API (file)
md5 1571f34482e30885cf9ac9ef10df739b
sha256 67fed322837b12ee99c217a280e4df42c2c4177b0753bb7f98a85b835b5e664b
ssdeep 24:D6f0pm6Y+6P6e6+6h67R86K6cF6hg6n+626YEM6aPq/nM4:WbDR5vSq/M4
imphash
impfuzzy
  Network IP location

Signature (19cnts)

Level Description
danger The processes wscript.exe
watch Communicates with host for which no DNS query was performed
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch One or more non-whitelisted processes were created
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice One or more potentially interesting buffers were extracted
notice Poweshell is sending data to a remote host
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info PowershellDI Extract Download/Invoke calls from powershell script scripts

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://141.98.6.105:222/r.png
whois
DE CMCS 141.98.6.105 malware
http://141.98.6.105:222/m.txt
whois
DE CMCS 141.98.6.105 mailcious
141.98.6.105
whois
DE CMCS 141.98.6.105 mailcious

Suricata ids

ET HUNTING Terse Request for .txt - Likely Hostile
ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
ET HUNTING [TW] Likely Hex Executable String

Similarity measure (PE file only) - Checking for service failure