Malware Insights
This script, identified as Win.Worm.Mantan-1 by ClamAV, attempts to achieve persistence by copying itself to multiple locations and writing entries to the registry Run keys, specifically 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32' and 'HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL'. It also attempts to spread by copying itself to network shares and potentially via email. The script constructs URLs from embedded strings, such as 'http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf', which are likely used for downloading additional payloads.
Heuristics 4
- ClamAV: Win.Worm.Mantan-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Worm.Mantan-1
- Reference to Windows Script Host [high] SC_STR_WSCRIPT: Reference to Windows Script Host
- Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE: Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf
  - http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4j
  - http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3V
  - http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqweras
  - http://www.mirc.com