popup

Report - 2.wsf

Generic Malware Antivirus AntiDebug AntiVM PNG Format MSOffice File JPEG Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.04.09 16:50 Machine s1_win7_x6401
Filename 2.wsf
Type XML 1.0 document, ASCII text, with CRLF line terminators
AI Score Not founds Behavior Score
8.4
ZERO API file : clean
VT API (file) 4 detected (Detected, Eldorado)
md5 70e7a78686df6013aa8fabe63d2827b8
sha256 03b7e42b01fc8c91ff90d3ccfdb564960abc12ffa954ea7425f004b1d8dc1b3d
ssdeep 6:TMVBd/6nXT+q9NqhdF4ZbdF/z7fBhkfuWRXjs962pys5zMeq:TMHdCXaqahH4JL1Wf7T32N5zMeq
imphash
impfuzzy
  Network IP location

Signature (20cnts)

Level Description
danger The processes wscript.exe
watch Creates a suspicious Powershell process
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice File has been identified by 4 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (13cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://toolkit-nokia-network-alert.trycloudflare.com/error_log.txt
whois
US CLOUDFLARENET 104.16.231.132 clean
https://toolkit-nokia-network-alert.trycloudflare.com/AutoRun.inf
whois
US CLOUDFLARENET 104.16.231.132 clean
https://toolkit-nokia-network-alert.trycloudflare.com/deci.zip
whois
US CLOUDFLARENET 104.16.231.132 clean
https://toolkit-nokia-network-alert.trycloudflare.com/
whois
US CLOUDFLARENET 104.16.231.132 clean
https://toolkit-nokia-network-alert.trycloudflare.com/b.txt
whois
US CLOUDFLARENET 104.16.231.132 44968 mailcious
www.healyconsultants.com
whois
Unknown 162.159.134.42 clean
numbers-queensland-rec-thumbs.trycloudflare.com
whois
US CLOUDFLARENET 104.16.231.132 mailcious
toolkit-nokia-network-alert.trycloudflare.com
whois
US CLOUDFLARENET 104.16.230.132 malware
162.159.134.42
whois
Unknown 162.159.134.42 mailcious
104.16.231.132
whois
US CLOUDFLARENET 104.16.231.132 malware
104.16.230.132
whois
US CLOUDFLARENET 104.16.230.132 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
ET HUNTING TryCloudFlare Domain in TLS SNI
ET INFO Observed trycloudflare .com Domain in TLS SNI

Similarity measure (PE file only) - Checking for service failure