
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 33888
Start time: 17:48:16
Joe Sandbox Product: CloudBasic
Start date: 10.10.2017
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: mzN17oSU6p (renamed file extension from none to js)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal72.evad.expl.winJS@31/21@1/1
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 20
  • Number of non-executed functions: 67
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 96%)
  • Quality average: 86.3%
  • Quality standard deviation: 24.4%
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe, csc.exe


Detection

Strategy: Threshold
Score: 72
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: mzN17oSU6p.js | virustotal: Detection: 8%

Networking:

Found strings which match to known social media urls
Source: powershell.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: chocolatey.org
Urls found in memory or binary data
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | File created: C:\Users\user\AppData\Local\Temp\d25je5re.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\7za.exe
Installs new ROOT certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Data Obfuscation:

Compiles C# or VB.Net code
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d25je5re.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d25je5re.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_00471C24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00471C24
PE file contains sections with non-standard names
Source: 7za.exe.4.dr | Static PE information: section name: .sxdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0046B890 push eax; ret 6_2_0046B8AE
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_00459590 push ecx; mov dword ptr [esp], ecx 6_2_00459591
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0046CC80 push eax; ret 6_2_0046CCAE
Powershell starts a process from the temp directory
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0040B174 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 6_2_0040B174
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0040B6E9 __EH_prolog,FindFirstFileW,GetCurrentDirectoryW, 6_2_0040B6E9
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Uses new MSVCR Dlls
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: wscript.pdb | source: wscript.exe
Source: Binary string: mscorlib.pdb | source: powershell.exe
Source: Binary string: xnc:\Users\user\AppData\Local\Temp\d25je5re.pdb | source: csc.exe
Source: Binary string: Display this usage messageSSpecify debug information file name (default: output file name with .pdb extension)5### Visual C# 2005 Compiler Defect Report, created %s | source: csc.exe
Source: Binary string: mscorrc.pdb | source: powershell.exe
Source: Binary string: i87C:\Users\user\AppData\Local\Temp\d25je5re.pdb | source: powershell.exe
Source: Binary string: c:\Users\user\AppData\Local\Temp\d25je5re.pdb | source: powershell.exe, d25je5re.dll.19.dr
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb | source: powershell.exe
Source: Binary string: msado15.pdb | source: wscript.exe
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb | source: powershell.exe
Source: Binary string: msado15.pdb`Cr | source: wscript.exe
Source: Binary string: scrrun.pdb | source: wscript.exe
Source: Binary string: C:\Windows\mscorlib.pdb' | source: powershell.exe
Source: Binary string: wwnc:\Users\user\AppData\Local\Temp\d25je5re.pdb | source: csc.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb | source: powershell.exe
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: powershell.exe
Source: Binary string: c:\Users\user\AppData\Local\Temp\d25je5re.pdb7 | source: powershell.exe, d25je5re.dll.19.dr
Source: Binary string: wscript.pdbN | source: wscript.exe
Classification label
Source: classification engine | Classification label: mal72.evad.expl.winJS@31/21@1/1
Creates files inside the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1
Found command line output
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process where Name='cscript.exe' or Name='wscript.exe'
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "iexplore.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: mzN17oSU6p.js | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mzN17oSU6p.js'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1' | find /v '' >> 'C:\Users\HERBBL~1\AppData\Local\Temp\computer.log'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1'
Source: unknown | Process created: C:\Windows\System32\find.exe find /v ''
Source: unknown | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe' x -o'C:\Users\HERBBL~1\AppData\Local\Temp\E6lu3ZvtrsVM' -y 'C:\Users\HERBBL~1\AppData\Local\Temp\ts.zip'
Source: unknown | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe' x -o'C:\Users\user\AppData\Roaming\d3yfUaI97' -y 'C:\Users\HERBBL~1\AppData\Local\Temp\t.zip'
Source: unknown | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe' x -o'C:\Users\user\AppData\Roaming\d3yfUaI97' -y 'C:\Users\HERBBL~1\AppData\Local\Temp\s.zip'
Source: unknown | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im iexplore.exe
Source: unknown | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im firefox.exe
Source: unknown | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im chrome.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1' | find /v '' >> 'C:\Users\HERBBL~1\AppData\Local\Temp\computer.log'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'
Source: unknown | Process created: C:\Windows\System32\find.exe find /v ''
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d25je5re.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES6963.tmp' 'c:\Users\user\AppData\Local\Temp\CSC6944.tmp'
Source: unknown | Process created: C:\Windows\System32\wermgr.exe 'C:\Windows\system32\wermgr.exe' '-outproc' '3496' '1472'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1' | find /v '' >> 'C:\Users\HERBBL~1\AppData\Local\Temp\computer.log'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im iexplore.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im firefox.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im chrome.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1' | find /v '' >> 'C:\Users\HERBBL~1\AppData\Local\Temp\computer.log'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /v ''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe' x -o'C:\Users\HERBBL~1\AppData\Local\Temp\E6lu3ZvtrsVM' -y 'C:\Users\HERBBL~1\AppData\Local\Temp\ts.zip'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe' x -o'C:\Users\user\AppData\Roaming\d3yfUaI97' -y 'C:\Users\HERBBL~1\AppData\Local\Temp\t.zip'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe 'C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe' x -o'C:\Users\user\AppData\Roaming\d3yfUaI97' -y 'C:\Users\HERBBL~1\AppData\Local\Temp\s.zip'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /v ''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d25je5re.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe 'C:\Windows\system32\wermgr.exe' '-outproc' '3496' '1472'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES6963.tmp' 'c:\Users\user\AppData\Local\Temp\CSC6944.tmp'
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Contains functionality to communicate with device drivers
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0040BACB: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl, 6_2_0040BACB
Creates mutexes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Found potential string decryption / allocating functions
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: String function: 00407A18 appears 152 times
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: String function: 0046B890 appears 623 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: mzN17oSU6p.js | Initial sample: Strings found which are bigger than 50
PE file does not import any functions
Source: d25je5re.dll.19.dr | Static PE information: No import functions for PE file found
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1' | find /v '' >> 'C:\Users\HERBBL~1\AppData\Local\Temp\computer.log'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1' | find /v '' >> 'C:\Users\HERBBL~1\AppData\Local\Temp\computer.log'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\Hc5Ip.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: wscript.exe, cmd.exe, powershell.exe, find.exe, wermgr.exe | Binary or memory string: Progman
Source: wscript.exe, cmd.exe, powershell.exe, find.exe, wermgr.exe | Binary or memory string: Program Manager
Source: powershell.exe | Binary or memory string: Shell_TrayWndX
Source: wscript.exe, cmd.exe, powershell.exe, find.exe, wermgr.exe | Binary or memory string: Shell_TrayWnd
Uses taskkill to terminate processes
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im iexplore.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im firefox.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im chrome.exe
Found C# or VB.Net code to silently install a certificate (suppress security dialog)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\d25je5re.0.cs

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0046E6AA SetUnhandledExceptionFilter, 6_2_0046E6AA
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0046E6BC SetUnhandledExceptionFilter, 6_2_0046E6BC
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_00471C24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00471C24
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0040B174 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,6_2_0040B174
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0040B6E9 __EH_prolog,FindFirstFileW,GetCurrentDirectoryW,6_2_0040B6E9
Contains functionality to query system information
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0040C5F4 GetSystemInfo,6_2_0040C5F4
Program exit points
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | API call chain: ExitProcess graph end node (graph_6-54587)
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | API call chain: ExitProcess graph end node (graph_6-54586)
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 500 (3x)
Note: 922337203685477 ms is Int64.MaxValue / 10000, i.e. .NET's TimeSpan.MaxValue expressed in milliseconds: a single wait with an effectively infinite timeout rather than a timed sleep loop. The -4611686018427385 entry for TID 3276 below is exactly five times this value.
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d25je5re.dll
Note: the name matches the C# source d25je5re.0.cs flagged under the certificate-install signature above; the DLL is csc.exe's build output of that source (the temporary-assembly pattern PowerShell's Add-Type produces), not a separately fetched payload.
Found large amount of non-executed APIs
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | API coverage: 6.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe, TID 3136 | Thread sleep time: -360000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TID 3276 | Thread sleep time: -4611686018427385s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TID 3280 | Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TID 3280 | Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TID 3280 | Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\taskkill.exe, TID 3388 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\taskkill.exe, TID 3436 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\taskkill.exe, TID 3460 | Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (1x)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (6x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (157x)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process information set: NOOPENFILEERRORBOX (7x)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | Process information set: NOOPENFILEERRORBOX (1x)
Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX (3x)
Note: the flag is set by every process in the chain, including the Microsoft compiler toolchain (csc.exe, cvtres.exe) and wermgr.exe, so on its own it carries little weight.
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_USERS\Software\Microsoft\SystemCertificates\Root
Note: this key is the current user's Root certificate store, not an autostart location; the change notification is consistent with the certificate install flagged under "Adds / modifies Windows certificates" below.
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 104.20.74.28 443
Note: the behavior graph below resolves 104.20.74.28 to chocolatey.org (CLOUDFLARENET, United States); the connection is made by the PowerShell stage the sample launched.

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 Blob
Note: AuthRoot under HKLM is the cache that Windows' automatic root certificate update fills in-process during chain building (for example while validating the TLS connection to 104.20.74.28:443 recorded above), so a write there does not by itself show the sample adding a root. The Root-store activity attributable to the sample's own code is on the current user's Root store (the HKEY_USERS\...\SystemCertificates\Root key monitored above), which the behavior graph reports as "Installs new ROOT certificates". When triaging, look up the thumbprint in both stores and confirm which process wrote each entry.
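The store check suggested above, as an added example that is not part of the Joe Sandbox report: it enumerates the current user's Root store and the machine's Root and AuthRoot stores, flags user-only or freshly issued self-signed roots (what a silent install from a non-admin PowerShell stage leaves behind), and reports which store holds a given thumbprint through the registry paths the sandbox watched. Assumptions: PowerShell 3 or later on the affected host; $Days is an arbitrary triage window; the only IOC thumbprint is the one from the AuthRoot entry above.

```powershell
# Added triage script (not from the sandbox report or the sample). Assumes PowerShell 3+.
param(
    [int]$Days = 30,                                                        # assumed triage window
    [string[]]$IocThumbprints = @('2796BAE63F1801E277261BA0D77770028F20EEE4')  # from the report
)

function Get-StoreCerts {
    # Enumerate one X509 store read-only; one record per certificate.
    param(
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [string]$Name
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, $Location)
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        foreach ($c in $store.Certificates) {
            [pscustomobject]@{
                Store      = "$Location\$Name"
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                SelfSigned = ($c.Subject -eq $c.Issuer)
                NotBefore  = $c.NotBefore
            }
        }
    } finally {
        $store.Close()
    }
}

function Find-RootByThumbprint {
    # Registry view of the same stores: each certificate is a subkey named by its thumbprint
    # holding a 'Blob' value, which is exactly what the sandbox saw being created under AuthRoot.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $keys = @{
        'CurrentUser\Root'      = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
        'LocalMachine\Root'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
        'LocalMachine\AuthRoot' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    }
    foreach ($name in $keys.Keys) {
        if (Test-Path -Path (Join-Path $keys[$name] $Thumbprint)) { $name }
    }
}

# Machine-wide trust: Root plus the AuthRoot cache that Windows' automatic root update fills.
$machineTrusted = @{}
foreach ($c in @(Get-StoreCerts LocalMachine Root) + @(Get-StoreCerts LocalMachine AuthRoot)) {
    $machineTrusted[$c.Thumbprint] = $true
}

# The current user's Root store is writable without elevation; a root that exists only there,
# or a self-signed root issued recently, is what a silent install would leave behind.
$cutoff = (Get-Date).AddDays(-$Days)
$findings = foreach ($c in @(Get-StoreCerts CurrentUser Root)) {
    $reasons = @()
    if (-not $machineTrusted.ContainsKey($c.Thumbprint)) { $reasons += 'present only in user Root store' }
    if ($c.SelfSigned -and $c.NotBefore -gt $cutoff)      { $reasons += "self-signed, issued within $Days days" }
    if ($IocThumbprints -contains $c.Thumbprint)          { $reasons += 'matches report thumbprint' }
    if ($reasons.Count -gt 0) {
        $c | Add-Member -MemberType NoteProperty -Name Reasons -Value ($reasons -join '; ') -PassThru
    }
}
$findings | Format-Table Store, Thumbprint, Subject, NotBefore, Reasons -AutoSize

# Where does each IOC thumbprint live? Separates the OS auto-update cache (AuthRoot) from a
# store the sample's own code would have written (user or machine Root).
foreach ($t in $IocThumbprints) {
    $where = @(Find-RootByThumbprint -Thumbprint $t)
    if ($where.Count -eq 0) { "$t : not present in any Root store" }
    else                    { "$t : " + ($where -join ', ') }
}
```

Reading the stores needs no elevation. A thumbprint found only under LocalMachine\AuthRoot is the auto-update case described in the note above; one found under CurrentUser\Root with no machine counterpart is the case to escalate, and the matching registry subkey's owner process can then be tied back to the PowerShell stage through the sandbox's registry events.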

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0040C756 GetSystemTime,SystemTimeToFileTime,6_2_0040C756
Contains functionality to query windows version
Source: C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe | Code function: 6_2_0046CF4C EntryPoint,GetVersion,6_2_0046CF4C
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (10x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (4x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (4x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (4x)

Behavior Graph

Behavior Graph ID: 33888 | Sample: mzN17oSU6p | Start date: 10/10/2017 | Architecture: WINDOWS | Score: 72

Process tree as drawn in the graph (numbers in parentheses are the graph's node ids; signatures attached to a node are in square brackets; the graph hid two processes under wscript.exe and one under the first powershell.exe because the per-level capacity was exceeded):

wscript.exe (1)  [Wscript starts Powershell (via cmd or directly)]
  cmd.exe (2)  [Powershell starts a process from the temp directory; Suspicious powershell command line found]
    powershell.exe (4)  [Found C# or VB.Net code to silently install a certificate (suppress security dialog); Installs new ROOT certificates]
      DNS/IP: chocolatey.org -> 104.20.74.28:443 (CLOUDFLARENET-CloudFlareIncUS, United States)
      Dropped file: 7za.exe (PE32)
      7za.exe (6)
      7za.exe (7)
      (1 process hidden)
    find.exe (5)
  cmd.exe (15)  [Powershell starts a process from the temp directory; Suspicious powershell command line found]
    powershell.exe (17)  [Found C# or VB.Net code to silently install a certificate (suppress security dialog); Installs new ROOT certificates]
      csc.exe (19)
        Dropped file: d25je5re.dll (PE32)
        cvtres.exe (20)
      wermgr.exe (21)
    find.exe (18)
  taskkill.exe (9)
  (2 processes hidden)
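The process tree above, re-expressed as process-creation records and checked with a few rules that reproduce the sandbox's signatures, as an added example that is not part of the Joe Sandbox report. Assumptions: PowerShell 3 or later; the records are constructed from the report's own command lines, with the ones the report does not show (cmd.exe, 7za.exe, csc.exe, the second powershell.exe) left as placeholders marked assumed; Pid values are the graph's node ids, not real process ids. On real data the same rules run over the Image, ParentImage and CommandLine fields of Sysmon Event ID 1 or Security event 4688.

```powershell
# Added detection example (not from the sandbox report or the sample). Assumes PowerShell 3+.
# Constructed records; command lines marked "assumed" are placeholders, the rest are from the report.
$events = @(
    [pscustomobject]@{ Pid = 1;  ParentPid = 0;  Image = 'C:\Windows\System32\wscript.exe';  CommandLine = 'wscript.exe "C:\Users\user\Desktop\mzN17oSU6p.js"' }  # assumed
    [pscustomobject]@{ Pid = 2;  ParentPid = 1;  Image = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe /c ...' }                                    # assumed
    [pscustomobject]@{ Pid = 4;  ParentPid = 2;  Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'" }
    [pscustomobject]@{ Pid = 6;  ParentPid = 4;  Image = 'C:\Users\HERBBL~1\AppData\Local\Temp\7za.exe'; CommandLine = '7za.exe ...' }  # assumed
    [pscustomobject]@{ Pid = 9;  ParentPid = 1;  Image = 'C:\Windows\System32\taskkill.exe'; CommandLine = "'C:\Windows\System32\taskkill.exe' /F /im chrome.exe" }
    [pscustomobject]@{ Pid = 15; ParentPid = 1;  Image = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe /c ...' }                                    # assumed
    [pscustomobject]@{ Pid = 17; ParentPid = 15; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell -ep Unrestricted -f 'C:\Users\HERBBL~1\AppData\Local\Temp\IAFS4I6h.ps1'" }  # assumed same as Pid 4
    [pscustomobject]@{ Pid = 19; ParentPid = 17; Image = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe'; CommandLine = 'csc.exe /noconfig ...' }  # assumed
)

$byPid = @{}
foreach ($e in $events) { $byPid[$e.Pid] = $e }

function Get-Ancestry {
    # Lower-cased image file names from the process itself up to the root of the tree.
    param($Event)
    $chain = @()
    while ($Event) {
        $chain += [System.IO.Path]::GetFileName($Event.Image).ToLower()
        $Event = $byPid[$Event.ParentPid]
    }
    return ,$chain
}

# Each rule sees the record and its ancestry; $chain[0] is the process, $chain[1] its parent.
$rules = @(
    @{ Name = 'Wscript starts Powershell (via cmd or directly)'
       Test = { param($e, $chain) $chain[0] -eq 'powershell.exe' -and $chain -contains 'wscript.exe' } }
    @{ Name = 'Suspicious powershell command line (relaxed execution policy, script in a temp directory)'
       Test = { param($e, $chain) $chain[0] -eq 'powershell.exe' -and
                $e.CommandLine -match '-(ep|ex\w*)\s+(unrestricted|bypass)' -and
                $e.CommandLine -match '\\temp\\[^\s''"]+\.ps1' } }
    @{ Name = 'Powershell starts a process from the temp directory'
       Test = { param($e, $chain) $chain[1] -eq 'powershell.exe' -and $e.Image -match '\\temp\\' } }
    @{ Name = 'Uses taskkill to terminate browsers'
       Test = { param($e, $chain) $chain[0] -eq 'taskkill.exe' -and $e.CommandLine -match '/im\s+(iexplore|firefox|chrome)\.exe' } }
    @{ Name = 'Powershell compiles inline C#/VB.Net (Add-Type -> csc.exe/vbc.exe)'
       Test = { param($e, $chain) ('csc.exe', 'vbc.exe') -contains $chain[0] -and $chain[1] -eq 'powershell.exe' } }
)

$hits = foreach ($e in $events) {
    $chain = @(Get-Ancestry -Event $e)
    foreach ($r in $rules) {
        if (& $r.Test $e $chain) {
            [pscustomobject]@{
                Pid   = $e.Pid
                Chain = ($chain[($chain.Count - 1)..0] -join ' > ')
                Rule  = $r.Name
            }
        }
    }
}
$hits | Format-Table -AutoSize
```

The ancestry walk is what makes the first rule match the "via cmd" case: the sandbox credits wscript.exe with starting PowerShell even though cmd.exe sits in between, so the rule checks the whole chain rather than only the parent. The execution-policy pattern covers the -ep, -ex, -exec and -ExecutionPolicy spellings PowerShell accepts.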

Simulations

Behavior and APIs

Time | Type | Description
17:48:12 | API Interceptor | 227x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
17:48:32 | API Interceptor | 3x Sleep call for process: taskkill.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

Source | Detection | Cloud
mzN17oSU6p.js | 9% | virustotal

Dropped Files

Source | Detection | Cloud
C:\Users\user\AppData\Local\Temp\7za.exe | 0% | virustotal
C:\Users\user\AppData\Local\Temp\7za.exe | 0% | metadefender

Domains

Source | Detection | Cloud
chocolatey.org | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection
C:\Users\user\AppData\Local\Temp\7za.exe | Planilha-Nova.vbs | 1d77b09519f616e6fe6ae3b61f2b71dc1a9ed67e807809a5c3b212472527a697 | malicious
C:\Users\user\AppData\Local\Temp\7za.exe | 092016.js | 6d9308a954a5dbd5cd2de6af9b16e7571468b98b8ebdf349b14e2a86ee5206c2 | malicious
Note: the match is on the dropped 7za.exe, which two other malicious script samples also dropped; the file itself scores 0% under Antivirus Detection above, so the shared artifact points to common tooling in the script stage rather than to 7za.exe being the payload.