Source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"} |
Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs | ReversingLabs: Detection: 13% |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Joe Sandbox ML: detected |
Source: Malware configuration extractor | URLs: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin |
Source: AZTEKERNES.exe, 00000003.00000002.762956347.000000000078A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs | Initial sample: Strings found which are bigger than 50 |
Source: AZTEKERNES.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_004013E8 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_0040954B |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE91AF |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AEAB15 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE9AA6 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE4C08 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE247B |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE4E71 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE2A45 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE2A50 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE8DDD |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE81DB |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE4D6E |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE4D43 |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE91AF NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Process Stats: CPU usage > 98% |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs' |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release |
Source: C:\Windows\System32\ipconfig.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew |
Source: C:\Windows\System32\ipconfig.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01 |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe |
Source: classification engine | Classification label: mal92.troj.evad.winVBS@9/1@0/0 |
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IWshShell3.Exec("ipconfig.exe /release");IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshShell3.ExpandEnvironmentStrings("%temp%");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IHost.Sleep("5000");IWshShell3.Run("ipconfig.exe /renew", "0", "true") |
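The process-creation entries and the AMSI trace above together describe one dropper chain: wscript.exe creates a file under %TEMP%, writes "MZ" into it, launches it, and wraps the launch in ipconfig /release and /renew. The following detector reproduces that logic over the report's own lines (copied here as sample input, plus one constructed benign line as a negative case). It is an added example written for this page, not Joe Sandbox code; the thresholds and the SCRIPT_HOSTS list are assumptions.

```python
"""Flag a script host that launches an executable from %TEMP% and resets the
network with ipconfig, and a script that writes 'MZ' into a file it created and
then executes it. Added example; sample lines copied from the report above."""
import re

# Sample input: report lines, plus one constructed benign line (last entry).
PROCESS_LINES = [
    r"Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs' |",
    r"Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release |",
    r"Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe |",
    r"Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew |",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\notepad.exe notepad.exe |",  # constructed benign line
]
AMSI_TRACE = (  # copied from the report's AMSI entry, shortened to the relevant calls
    r'CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");'
    r'ITextStream.WriteLine("MZ");ITextStream.Close();'
    r'IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");'
    r'IWshShell3.Exec("ipconfig.exe /release");IHost.Sleep("5000");'
    r'IWshShell3.Run("ipconfig.exe /renew", "0", "true")'
)

PROC_RE = re.compile(r"Source: (?P<parent>.+?) \| Process created: (?P<image>\S+) (?P<cmdline>.*?) \|$")
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumption: hosts worth treating as droppers


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_process_events(lines):
    """Return (parent_image, child_image, cmdline) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = PROC_RE.search(line)
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return events


def detect_chain(events):
    """Findings for each script host that launched a %TEMP% EXE or ran
    ipconfig /release and /renew (the network reset seen in the report)."""
    findings, by_parent = [], {}
    for parent, child, cmd in events:
        by_parent.setdefault(basename(parent), []).append((child, cmd))
    for host, children in by_parent.items():
        if host not in SCRIPT_HOSTS:
            continue
        temp_exes = [c for c, _ in children if TEMP_EXE_RE.search(c)]
        ipconfig_args = {cmd.split()[-1].lower() for c, cmd in children if basename(c) == "ipconfig.exe"}
        if temp_exes:
            findings.append(f"{host} launched executable from %TEMP%: {temp_exes[0]}")
        if {"/release", "/renew"} <= ipconfig_args:
            findings.append(f"{host} ran ipconfig /release and /renew (network reset)")
    return findings


def parse_amsi_trace(trace):
    """Split an AMSI script trace into (method, [string args]) calls."""
    calls = []
    for call in filter(None, trace.split(";")):
        name, _, rest = call.partition("(")
        calls.append((name.strip(), re.findall(r'"([^"]*)"', rest)))
    return calls


def detect_mz_drop(calls):
    """Paths the script both created and executed, if it also wrote an 'MZ' header."""
    created = {a[0] for n, a in calls if n.endswith("CreateTextFile") and a}
    wrote_mz = any(n.endswith("WriteLine") and a and a[0].startswith("MZ") for n, a in calls)
    executed = {a[0] for n, a in calls if n.endswith(("Exec", "Run")) and a}
    return sorted(created & executed) if wrote_mz else []


if __name__ == "__main__":
    for f in detect_chain(parse_process_events(PROCESS_LINES)):
        print("process chain:", f)
    for p in detect_mz_drop(parse_amsi_trace(AMSI_TRACE)):
        print("MZ written then executed:", p)
```

The two checks are independent on purpose: the process-tree rule works from Sysmon or EDR process-creation telemetry alone, while the AMSI rule needs script-content logging; either one firing on the chain above is enough to raise an alert.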
Source: Yara match | File source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY |
Source: AZTEKERNES.exe.0.dr | Static PE information: real checksum: 0x22529 should be: 0x22f38 |
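A stored CheckSum that does not match the recomputed one, as reported for the dropped file above, is common in repacked or hand-built binaries and is a cheap triage signal rather than proof of malice. The algorithm the loader uses (CheckSumMappedFile) is a 16-bit ones'-complement-style fold over every 32-bit word of the file, skipping the CheckSum field itself, plus the file length. The code below recomputes and verifies it; it is an added example, not sandbox code, and it runs against a constructed header-only buffer rather than the real sample.

```python
"""Recompute and verify the PE/COFF OptionalHeader.CheckSum.
Added example; build_sample_pe() constructs a minimal header, not a real binary."""
import struct


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum = e_lfanew + 4 (PE sig) + 20 (FILE_HEADER) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """Sum all 32-bit words (checksum field excluded) with end-around carry,
    fold to 16 bits, then add the unpadded file length."""
    off = checksum_field_offset(data)
    if off % 4:
        raise ValueError("unaligned CheckSum field; not handled by this example")
    padded = data + b"\0" * (-len(data) % 4)  # zero-pad an odd tail
    total = 0
    for i in range(0, len(padded), 4):
        if i == off:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_matches(data):
    return stored_checksum(data) == pe_checksum(data)


def write_checksum(data):
    """Return a copy with the correct CheckSum stored in the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_sample_pe(size=0x400):
    """Constructed minimal PE32 header in a zero-filled buffer with pseudo-random
    'code' bytes after 0x200. Not loadable; only the header fields used above are set."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x014C, 1)  # Machine = i386, one section
    struct.pack_into("<H", buf, 0x98, 0x10B)       # OptionalHeader.Magic = PE32
    for i in range(0x200, size):
        buf[i] = (i * 37 + 11) & 0xFF
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("stored 0x%x, computed 0x%x, match=%s"
          % (stored_checksum(sample), pe_checksum(sample), checksum_matches(sample)))
    print("after write_checksum: match=%s" % checksum_matches(write_checksum(sample)))
```

Because the field is excluded from the sum, writing the computed value back makes the file self-consistent; flipping any other byte breaks it again. A zero or stale CheckSum is tolerated by the loader for ordinary executables (it is enforced only for drivers and certain system DLLs), which is why packers routinely leave it wrong.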
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_00411684 push esi; retn 000Ch |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_00407A58 pushad ; ret |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_0040980C push esp; iretd |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_00405E17 push edi; iretd |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_004098A9 push esp; iretd |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_00404531 pushad ; ret |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE5486 push esi; iretd |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE5480 push ebp; iretd |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE6222 push edi; ret |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE5A21 push esi; iretd |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE1656 push es; ret |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE11A4 push ebp; retf |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE21B0 push cs; retf |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE63E9 push esi; iretd |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE5DFC push edx; retf |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE112C push ebp; retf |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE1F3B push cs; retf |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE630A push esi; iretd |
Source: initial sample | Static PE information: section name: .text entropy: 6.83637943712 |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe |
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_0040784E rdtsc |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE89A8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AE8F0C mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe | Code function: 3_2_02AEAB15 RtlAddVectoredExceptionHandler, |
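The push/ret, push/retf and push/iretd sequences listed earlier and the rdtsc and fs:[30h] reads here are the instruction-level footprint of the loader's anti-analysis code: a push followed by a return is an indirect jump that defeats linear disassembly, rdtsc feeds timing checks, and fs:[30h] is the PEB read behind BeingDebugged-style checks. The scanner below counts those encodings in a raw code buffer. It is an added example, not the sandbox's own signature logic; it assumes 32-bit x86 encodings, and the sample buffer is constructed to contain each idiom once.

```python
"""Count x86 anti-analysis idioms (rdtsc, PEB read, push/ret control transfers)
in a raw 32-bit code buffer. Added example; SAMPLE is constructed, not taken
from the dropped file."""
import re

# 32-bit x86 encodings (assumption: the buffer is 32-bit code, as the report's process is).
IDIOMS = {
    "rdtsc": re.compile(rb"\x0f\x31"),
    "mov eax, fs:[30h] (PEB)": re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    "pushad; ret": re.compile(rb"\x60\xc3"),
    # push r32 (50..57) followed by ret / retf / iretd / retn imm16
    "push reg; ret/retf/iretd/retn": re.compile(rb"[\x50-\x57](?:\xc3|\xcb|\xcf|\xc2..)", re.DOTALL),
    # push es/cs/ss/ds (06/0E/16/1E) followed by ret / retf
    "push seg; ret/retf": re.compile(rb"[\x06\x0e\x16\x1e](?:\xc3|\xcb)"),
}

# Constructed sample: a normal prologue and epilogue around one instance of each idiom.
SAMPLE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp   (benign prologue, offset 0)
    + b"\x0f\x31"                    # rdtsc                    (offset 3)
    + b"\x90" * 4                    # nops
    + b"\x64\xa1\x30\x00\x00\x00"    # mov eax, fs:[30h]        (offset 9)
    + b"\x56\xc2\x0c\x00"            # push esi; retn 0Ch       (offset 15)
    + b"\x60\xc3"                    # pushad; ret              (offset 19)
    + b"\x54\xcf"                    # push esp; iretd          (offset 21)
    + b"\x0e\xcb"                    # push cs; retf            (offset 23)
    + b"\x06\xc3"                    # push es; ret             (offset 25)
    + b"\xc9\xc3"                    # leave; ret               (benign epilogue, offset 27)
)


def find_all(pat, code):
    """Start offsets of every match, including overlapping ones."""
    offs, pos = [], 0
    while True:
        m = pat.search(code, pos)
        if not m:
            return offs
        offs.append(m.start())
        pos = m.start() + 1


def scan_idioms(code):
    return {name: find_all(pat, code) for name, pat in IDIOMS.items()}


def summarize(code):
    """Per-idiom counts and a verdict: timing check + PEB read + several
    push/ret transfers together (threshold is an assumption)."""
    counts = {name: len(offs) for name, offs in scan_idioms(code).items()}
    transfers = (counts["pushad; ret"]
                 + counts["push reg; ret/retf/iretd/retn"]
                 + counts["push seg; ret/retf"])
    suspicious = counts["rdtsc"] > 0 and counts["mov eax, fs:[30h] (PEB)"] > 0 and transfers >= 3
    return counts, suspicious


if __name__ == "__main__":
    for name, offs in scan_idioms(SAMPLE).items():
        print(f"{name:32s} {offs}")
    print("suspicious:", summarize(SAMPLE)[1])
```

Run it over a dumped region (for instance the 0x02AE0000 allocation the report's Yara match points at) rather than the whole on-disk file, since the on-disk VB6 stub is mostly legitimate runtime code. Byte-pattern matching has false positives in data and in unrelated instruction streams, so treat the counts as a triage score to be confirmed in a disassembler, not as a verdict.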
Source: C:\Windows\System32\wscript.exe | File created: AZTEKERNES.exe.0.dr |
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl |
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |