Source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}
Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Joe Sandbox ML: detected
Source: Malware configuration extractor
URLs: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin
Source: AZTEKERNES.exe, 00000003.00000002.762956347.000000000078A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
|
Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Initial sample: Strings found which are bigger than 50
Source: AZTEKERNES.exe.0.dr
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Code functions: 3_2_004013E8, 3_2_0040954B, 3_2_02AE91AF, 3_2_02AEAB15, 3_2_02AE9AA6, 3_2_02AE4C08, 3_2_02AE247B, 3_2_02AE4E71, 3_2_02AE2A45, 3_2_02AE2A50, 3_2_02AE8DDD, 3_2_02AE81DB, 3_2_02AE4D6E, 3_2_02AE4D43
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Code function: 3_2_02AE91AF NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Source: C:\Windows\System32\wscript.exe
Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\ipconfig.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe
Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe
Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: C:\Windows\System32\ipconfig.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_01
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\System32\wscript.exe
File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: classification engine
Classification label: mal92.troj.evad.winVBS@9/1@0/0
Source: C:\Windows\System32\wscript.exe
File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe
Anti Malware Scan Interface (call trace, one call per line):
CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true")
ITextStream.WriteLine("MZ")
ITextStream.Close()
IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe")
IWshShell3.Exec("ipconfig.exe /release")
IWshExec.StdOut(); ITextStream.AtEndOfStream(); IWshExec.StdOut(); ITextStream.ReadLine() (this group repeats five times: the script drains ipconfig's output line by line)
IWshExec.StdOut(); ITextStream.AtEndOfStream()
IWshShell3.ExpandEnvironmentStrings("%temp%")
IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true")
ITextStream.WriteLine("MZ")
ITextStream.Close()
IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe")
IHost.Sleep("5000")
IWshShell3.Run("ipconfig.exe /renew", "0", "true")
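The AMSI trace above is the sandbox's record of the script's COM calls, flattened into one line. Read in order it is the whole VBS loader stage: the script creates AZTEKERNES.exe under %temp% (the trace shows only the first line written, "MZ", the DOS header magic), closes it, executes it, runs ipconfig.exe /release and drains its output, then repeats the write-and-exec, sleeps five seconds and runs ipconfig.exe /renew. The parser below is an added example, not part of the Joe Sandbox report and not code from the sample: it turns such a trace into structured calls and flags the drop-and-execute pattern and the ipconfig network manipulation. The trace string embedded in it is a constructed abbreviation of the one above (the repeated StdOut/ReadLine loop is cut to one iteration), and the call format Interface.Method("arg", ...) separated by semicolons is assumed from how the report prints it.

```python
import re
from collections import namedtuple

Call = namedtuple("Call", "iface method args")

# Constructed input: the AMSI call trace from the report, abbreviated (the
# StdOut/AtEndOfStream/ReadLine loop that drains ipconfig's output is cut to
# one iteration). 'Interface.Method("arg", ...)' joined by ';' is the assumed
# trace format.
AMSI_TRACE = (
    'CreateTextFile("C:\\Users\\user\\AppData\\Local\\Temp\\AZTEKERNES.exe", "true");'
    'ITextStream.WriteLine("MZ");ITextStream.Close();'
    'IWshShell3.Exec("C:\\Users\\user\\AppData\\Local\\Temp\\AZTEKERNES.exe");'
    'IWshShell3.Exec("ipconfig.exe /release");'
    'IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();'
    'IWshShell3.ExpandEnvironmentStrings("%temp%");'
    'IFileSystem3.CreateTextFile("C:\\Users\\user\\AppData\\Local\\Temp\\AZTEKERNES.exe", "true");'
    'ITextStream.WriteLine("MZ");ITextStream.Close();'
    'IWshShell3.Exec("C:\\Users\\user\\AppData\\Local\\Temp\\AZTEKERNES.exe");'
    'IHost.Sleep("5000");IWshShell3.Run("ipconfig.exe /renew", "0", "true")'
)

# One call: optional interface prefix, method name, parenthesised arguments.
CALL_RE = re.compile(r'(?:(\w+)\.)?(\w+)\(([^()]*)\)')
ARG_RE = re.compile(r'"([^"]*)"')

# Scripting-runtime methods that create or open a file for writing, and that
# start a process. First argument is the path or the command line.
WRITE_METHODS = {"CreateTextFile", "OpenTextFile"}
EXEC_METHODS = {"Exec", "Run", "ShellExecute"}


def parse_trace(trace):
    """Split a flattened AMSI call trace into Call(iface, method, args) tuples."""
    return [Call(iface, method, tuple(ARG_RE.findall(raw)))
            for iface, method, raw in CALL_RE.findall(trace)]


def executed_commands(calls):
    return [c.args[0] for c in calls if c.method in EXEC_METHODS and c.args]


def image_of(cmdline):
    """First token of a command line, honouring a quoted executable path."""
    if cmdline.startswith('"'):
        return cmdline.split('"')[1]
    return cmdline.split(" ")[0]


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def detect_drop_and_execute(calls):
    """Paths the script wrote and afterwards executed, in first-execution order."""
    written, hits = set(), []
    for c in calls:
        if c.method in WRITE_METHODS and c.args:
            written.add(c.args[0])
        elif c.method in EXEC_METHODS and c.args:
            image = image_of(c.args[0])
            if image in written and image not in hits:
                hits.append(image)
    return hits


def network_manipulation(calls):
    """ipconfig invocations (the sample releases and renews the DHCP lease)."""
    return [cmd for cmd in executed_commands(calls)
            if image_of(cmd).lower().startswith("ipconfig")]


def summarize(trace):
    calls = parse_trace(trace)
    dropped = detect_drop_and_execute(calls)
    return {
        "calls": len(calls),
        "dropped_and_executed": dropped,
        "dropped_in_temp": [p for p in dropped if in_user_temp(p)],
        "network_manipulation": network_manipulation(calls),
    }


if __name__ == "__main__":
    for key, value in summarize(AMSI_TRACE).items():
        print(key, value)
```

Run it over AMSI strings exported from the report (one trace per line) and alert when detect_drop_and_execute returns a path under the user's Temp directory for a trace attributed to wscript.exe; the /release then /renew pair deserves its own rule, since it takes the host off the network for a moment and shows up in both process-creation telemetry and DHCP server logs.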
Source: Yara match
File source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: AZTEKERNES.exe.0.dr
Static PE information: real checksum: 0x22529 should be: 0x22f38
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Code functions (address and instruction sequence; the trailing address is the function the report links the entry to):
3_2_00411684 push esi; retn 000Ch (3_2_00411BF9)
3_2_00407A58 pushad; ret (3_2_00407A93)
3_2_0040980C push esp; iretd (3_2_00409980)
3_2_00405E17 push edi; iretd (3_2_00405E18)
3_2_004098A9 push esp; iretd (3_2_00409980)
3_2_00404531 pushad; ret (3_2_00404532)
3_2_02AE5486 push esi; iretd (3_2_02AE63BC)
3_2_02AE5480 push ebp; iretd (3_2_02AE5484)
3_2_02AE6222 push edi; ret (3_2_02AE6223)
3_2_02AE5A21 push esi; iretd (3_2_02AE63BC)
3_2_02AE1656 push es; ret (3_2_02AE1682)
3_2_02AE11A4 push ebp; retf (3_2_02AE1163)
3_2_02AE21B0 push cs; retf (3_2_02AE21B9)
3_2_02AE63E9 push esi; iretd (3_2_02AE63BC)
3_2_02AE5DFC push edx; retf (3_2_02AE5DFD)
3_2_02AE112C push ebp; retf (3_2_02AE1163)
3_2_02AE1F3B push cs; retf (3_2_02AE1F43)
3_2_02AE630A push esi; iretd (3_2_02AE63BC)
Source: initial sample
Static PE information: section name: .text entropy: 6.83637943712
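The checksum row (stored 0x22529, computed 0x22f38) and the .text entropy row are static triage measurements that can be reproduced without a sandbox. The block below is an added example, not code from the report or from Joe Sandbox: a pure-Python reimplementation of the Windows CheckSumMappedFile algorithm (the same one pefile uses), a Shannon entropy function, and a constructed 512-byte PE stand-in used as input because the sample itself is not on this page. The numbers it prints are therefore for that stand-in, not for AZTEKERNES.exe.

```python
import math
import struct
from collections import Counter


def pe_checksum(data, checksum_offset):
    """Recompute the PE header checksum over a whole file (CheckSumMappedFile).

    Sum all 32-bit little-endian words with end-around carry, skipping the
    dword that holds OptionalHeader.CheckSum, fold the sum to 16 bits and add
    the file length. checksum_offset is the file offset of that field.
    """
    pad = (4 - len(data) % 4) % 4
    padded = data + b"\x00" * pad
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew + PE signature (4)
    + IMAGE_FILE_HEADER (20) + 0x40; identical for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 0x40


def verify_checksum(data):
    """Return (stored, computed); a mismatch is what the report flags."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored, pe_checksum(data, off)


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_stub_pe(stored_checksum):
    """Constructed 512-byte stand-in for a PE file (not the sample): MZ magic,
    e_lfanew = 0x80, a 'PE\\0\\0' signature and a CheckSum field; all else zero."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<I", buf, checksum_field_offset(buf), stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    stub = build_stub_pe(0x22529)   # the report's stored value, on the stand-in file
    stored, computed = verify_checksum(stub)
    print("stored 0x%x computed 0x%x match=%s" % (stored, computed, stored == computed))
    print("entropy of stub: %.3f bits/byte" % shannon_entropy(stub))
```

Treat both numbers as triage signals rather than verdicts. A zero or stale checksum is common in unsigned user-mode binaries; a non-zero value that does not match, as here, means the bytes changed after the checksum was written or the field was never computed properly. Entropy near 8 bits per byte points at compressed or encrypted content; 6.84 for a .text section is elevated but not conclusive on its own, and gains weight only together with the behavioral findings in this report.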
Source: C:\Windows\System32\wscript.exe
Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Code function: 3_2_0040784E rdtsc
Source: C:\Windows\System32\wscript.exe
Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Code function: 3_2_02AE89A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Code function: 3_2_02AE8F0C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Code function: 3_2_02AEAB15 RtlAddVectoredExceptionHandler
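The push/ret, push/retf and push/iretd pairs listed earlier, the two fs:[30h] reads and the rdtsc are all short, fixed x86 byte sequences, so a first pass over a dumped memory region (such as the 0x02AE0000 region the Yara match and the config extractor refer to) can locate them before a disassembler is opened. The scanner below is an added example, not code from the report or from the sample. It assumes 32-bit code (the process loads msvbvm60.dll from SysWOW64, so this is a 32-bit Visual Basic 6 executable) and a raw, already-unpacked byte buffer; the SAMPLE bytes are constructed to contain the instruction forms the report lists, and the 0x02AE0000 base used in the usage line is only the report's region address, used for display.

```python
import struct

# One-byte pushes: push r32 (0x50 + reg), push segment register, pushad.
PUSH_OPS = {0x50 + i: "push " + r for i, r in enumerate(
    ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSH_OPS.update({0x06: "push es", 0x0E: "push cs", 0x16: "push ss",
                 0x1E: "push ds", 0x60: "pushad"})

# Returns the report pairs with those pushes.
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}   # one byte
RET_IMM_OPS = {0xC2: "retn", 0xCA: "retf"}             # opcode + imm16

PEB_READ = bytes.fromhex("64A130000000")   # mov eax, dword ptr fs:[30h]
RDTSC = bytes.fromhex("0F31")

# Constructed 26-byte buffer holding a normal prologue plus one instance of
# each sequence the report lists; not bytes from the sample.
SAMPLE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp   (ordinary prologue, no hit)
    "56 C2 0C 00"           # push esi; retn 000Ch
    "90 90"                 # nop; nop
    "60 C3"                 # pushad; ret
    "54 CF"                 # push esp; iretd
    "0E CB"                 # push cs; retf
    "64 A1 30 00 00 00"     # mov eax, dword ptr fs:[30h]
    "0F 31"                 # rdtsc
    "06 C3"                 # push es; ret
    "C3"                    # lone ret, no preceding push
)


def ret_at(buf, i):
    """(mnemonic, length) if a ret/retf/iretd starts at buf[i], else None."""
    if i >= len(buf):
        return None
    op = buf[i]
    if op in RET_OPS:
        return RET_OPS[op], 1
    if op in RET_IMM_OPS and i + 3 <= len(buf):
        imm = struct.unpack_from("<H", buf, i + 1)[0]
        return "%s %04Xh" % (RET_IMM_OPS[op], imm), 3
    return None


def scan(buf, base=0):
    """Return [(address, description)] for every suspicious sequence in buf.

    Raw byte scanning does not know instruction boundaries, so hits inside
    data or immediates are possible; they mark places to check, not verdicts.
    """
    hits = []
    i, n = 0, len(buf)
    while i < n:
        if buf.startswith(PEB_READ, i):
            hits.append((base + i, "mov eax, dword ptr fs:[30h] ; PEB read"))
            i += len(PEB_READ)
        elif buf.startswith(RDTSC, i):
            hits.append((base + i, "rdtsc ; timing check"))
            i += len(RDTSC)
        elif buf[i] in PUSH_OPS and ret_at(buf, i + 1):
            mnem, length = ret_at(buf, i + 1)
            hits.append((base + i, "%s; %s ; push/ret control transfer"
                         % (PUSH_OPS[buf[i]], mnem)))
            i += 1 + length
        else:
            i += 1
    return hits


if __name__ == "__main__":
    for addr, text in scan(SAMPLE, base=0x02AE0000):
        print("%08X  %s" % (addr, text))
```

Why these patterns matter: push reg; ret transfers control to whatever the register holds, and push reg; iretd pops EIP, CS and EFLAGS from the stack, so linear-sweep disassemblers and simple emulators lose the real control flow; mov eax, fs:[30h] loads the PEB pointer, where BeingDebugged and NtGlobalFlag live, and rdtsc is the usual timing check for single-stepping or a slow sandbox. The RtlAddVectoredExceptionHandler row above is an API call rather than a byte pattern, and is the companion to these: a vectored handler lets the code recover from deliberately raised exceptions while a debugger sees them first.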
Source: C:\Windows\System32\wscript.exe
File created: AZTEKERNES.exe.0.dr
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp
Binary or memory string: SProgram Managerl
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd,
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp
Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid