Source: https://apllicam.com/operational-resoufrces | Avira URL Cloud: Label: malware |
Source: https://apllicam.com/operational-resoufrces.)Settings | Avira URL Cloud: Label: malware |
Source: unknown | HTTPS traffic detected: 104.21.48.77:443 -> 192.168.2.22:49161 version: TLS 1.0 |
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.21.48.77 443 |
Source: C:\Windows\System32\wscript.exe | Domain query: apllicam.com |
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS |
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d |
Source: global traffic | HTTP traffic detected: GET /operational-resoufrces HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: apllicam.com |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: unknown | DNS traffic detected: queries for: apllicam.com |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 16:00:45 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HSJzhonlX5e3FPMc4oqUc%2Fl5mi9Gq1nR2rEmqwjOvbJLqpw4uVTI4aVgYPrdFLtLGIkEBYIym8XgB165e0CsQWygyXjg6ZYoQfuTrf96OfHKeQJiHD2HUQtzD49LSQA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 86b8d5bdcf12083e-IADalt-svc: h3=":443"; ma=86400 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0% |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0- |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: wscript.exe, 00000000.00000003.339652121.0000000003DA3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.339610229.0000000003D9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.339778135.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apllicam.com/operational-resoufrces |
Source: wscript.exe, 00000000.00000003.339765030.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339865650.00000000002BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apllicam.com/operational-resoufrces.)Settings |
Source: wscript.exe, 00000000.00000003.339610229.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.339999872.0000000003DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0 |
Source: unknown | Network traffic detected: HTTP traffic on port 49161 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49161 |
Source: 892016_Past Invoice_03_26_2024_48118858_756483.wsf | Static file information: Suspicious name |
Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID |
Source: 892016_Past Invoice_03_26_2024_48118858_756483.wsf | Initial sample: Strings found which are bigger than 50 |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: dwmapi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: rpcrtremote.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: credssp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: bcrypt.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll |
Source: classification engine | Classification label: mal80.evad.winWSF@1/0@2/1 |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob |
Source: C:\Windows\System32\wscript.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |