Receipt#35934291690503868185621.vbs
This report is generated from a file or URL submitted to this webservice on October 3rd 2019 15:43:33 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Stealer/Phishing
  - Scans for artifacts that may help identify the target
  - Touched instant messenger related registry keys
- Persistence
  - Schedules a task to be executed at a specific time and date
- Fingerprint
  - Scans for artifacts that may help identify the target
- Evasive
  - Marks file for deletion
- Network Behavior
  - Contacts 5 hosts
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
Malicious Indicators 6
Installation/Persistence
Schedules a task to be executed at a specific time and date
- details
  - Process "schtasks.exe" with commandline "/End /tn \Microsoft\Windows\Wininet\CacheTask"
  - Process "schtasks.exe" with commandline "/Run /tn \Microsoft\Windows\Wininet\CacheTask"
- source: Monitored Target
- relevance: 8/10
- ATT&CK ID: T1168
Writes data to a remote process
- details
  - "regsvr32.exe" wrote 1500 bytes to a remote process "%WINDIR%\System32\rundll32.exe" (Handle: 404)
  - "regsvr32.exe" wrote 4 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 404)
  - "regsvr32.exe" wrote 32 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 404)
  - "regsvr32.exe" wrote 52 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 404)
  - "rundll32.exe" wrote 32 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 436)
  - "rundll32.exe" wrote 52 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 436)
  - "rundll32.exe" wrote 4 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 436)
  - "rundll32.exe" wrote 1500 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 436)
  - "rundll32.exe" wrote 4 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 452)
  - "rundll32.exe" wrote 32 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 452)
  - "rundll32.exe" wrote 52 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 452)
  - "rundll32.exe" wrote 1500 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 452)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Spyware/Information Retrieval
Scans for artifacts that may help identify the target
- details
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\MSNMESSENGER")
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\MESSENGERSERVICE")
  - "rundll32.exe" (Path: "HKCU\IDENTITIES\{6B98DEEC-0236-47CC-B7C9-E29165F3C001}\SOFTWARE\MICROSOFT\MESSENGERSERVICE")
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\YAHOO\PAGER")
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\GOOGLE\GOOGLE TALK\ACCOUNTS")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Touched instant messenger related registry keys
- details
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\CAMFROG\CLIENT")
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\YAHOO\PAGER")
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\GOOGLE\GOOGLE TALK\ACCOUNTS")
  - "rundll32.exe" (Path: "HKCU\SOFTWARE\PALTALK")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1112
Unusual Characteristics
Contains native function calls
- details
  - NtSetInformationProcess@NTDLL.DLL from rundll32.exe (PID: 3744)
  - NtOpenProcessToken@NTDLL.DLL from rundll32.exe (PID: 3744)
  - NtOpenProcessToken@NTDLL.DLL from rundll32.exe (PID: 3744)
  - NtSetInformationProcess@NTDLL.DLL from rundll32.exe (PID: 3344)
  - NtOpenProcessToken@NTDLL.DLL from rundll32.exe (PID: 3344)
  - NtOpenProcessToken@NTDLL.DLL from rundll32.exe (PID: 3344)
  - NtSetInformationProcess@NTDLL.DLL from rundll32.exe (PID: 3076)
  - NtOpenProcessToken@NTDLL.DLL from rundll32.exe (PID: 3076)
  - NtOpenProcessToken@NTDLL.DLL from rundll32.exe (PID: 3076)
- source: Hybrid Analysis Technology
- relevance: 5/10
Script file shows a combination of malicious behavior
- details
  - The script produces internet activity, is obfuscated and drops files
- source: Indicator Combinations
- relevance: 7/10
Suspicious Indicators 21
Anti-Detection/Stealthiness
Possibly tries to hide a process launching it with different user credentials
- details
  - ImpersonateLoggedOnUser@ADVAPI32.DLL from wscript.exe (PID: 2232)
- source: Hybrid Analysis Technology
- relevance: 3/10
Queries kernel debugger information
- details
  - "regsvr32.exe" at 00037337-00003900-00000105-111642088417
  - "rundll32.exe" at 00038393-00003744-00000105-148391587507
  - "rundll32.exe" at 00043729-00003344-00000105-281929349463
  - "rundll32.exe" at 00044012-00003076-00000105-290786654923
- source: API Call
- relevance: 6/10
Environment Awareness
Contains ability to measure performance
- details
  - rdtsc
- source: Hybrid Analysis Technology
- relevance: 10/10
Contains ability to query CPU information
- details
  - cpuid
  - cpuid
  - cpuid
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082
Reads the active computer name
- details
  - "regsvr32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "rundll32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "schtasks.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012
Reads the cryptographic machine GUID
- details
  - "regsvr32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General
Contains ability to find and load resources of a specific module
- details
  - LoadResource@KERNEL32.DLL from wscript.exe (PID: 2232)
  - FindResourceExW@KERNEL32.DLL from wscript.exe (PID: 2232)
- source: Hybrid Analysis Technology
- relevance: 1/10
Reads configuration files
- details
  - "rundll32.exe" read file "%APPDATA%\Mozilla\Firefox\profiles.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence
Drops executable files
- details
  - "3ED95979.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "hHcmfJLZu.txt" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
Network Related
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
  - TCP traffic to 132.108.136.103 on port 443 is sent without HTTP header
  - TCP traffic to 47.168.247.94 on port 443 is sent without HTTP header
  - TCP traffic to 195.123.220.45 on port 443 is sent without HTTP header
  - TCP traffic to 195.123.246.209 on port 443 is sent without HTTP header
  - TCP traffic to 31.244.102.117 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
Remote Access Related
Contains indicators of bot communication commands
- details
  - ",E8,M4,m2,d1,I2,i,O7,e2,j3,H4,C3,I1,T9,n2,n4,A,X8,R,T9,p,O6,r7,z8,S3,R9,X,z,d9,M1,N8,O6,v2,H3,A4,d3,i,R,T3,x3,I3,Q2,T8,l,n8,u,k3,Z4,b8,m9,u6,R,r4,f8,M,K5,f6,k3,R2,z5,Z6,r,C5,D9,g3,f3,u9,s1,A4,p5,k3,v1,g6,G1,g4,n2,y9,H,b,P8,j,M9,B1,t,b6,w1,V7,Z4,i9,S5,b2,n,y1,t5,b1,P1,n7,j1,r6,J7,D9,i6,x9,r4,y,m5,T7,p3,T,C3,B2,B,L8,z,E9,U8,Y2,T9,h4,V1,m2,i,M,Y1,r1,v1,t6,y6,s7,E4,V2,N1,v3,O2,A5,G1,L8,j1,U4,I1,U4,l5,u8,S4,X7,u,y4,T6,f5,T3,d5)::oLEZJuVCmD=arRAY(Y7,I1,r3,Q4,p2,r1,b,b1,u8,I6,r8,D9,m2,o9,O9,d5,J,S,o5,X4,x1,i,Q,W4,Q7,V9,B2,i4,X,V7,t5,f9,R,O,K5,K1,v1,u2,T9,a,D7,E6,a1,g5,O2,s4,g4,J2,N5,U3,w,W3,x2,u1,l,C8,U7,j2,B4,f6,y1,Q9,B,J3,U5,H3,o5,B,e9,R5,W4,q8,q,U7,Z2,F3,r3,y4,J1,i4,o7,J1,S5,O8,u3,p8,E,J7,M8,F1,i5,t7,u2,a6,e,i2,K6,h,d5,K4,e6,Y3,f1,Y2,J3,f6,m8,k5,V7,X6,K7,S5,t7,D8,R7,g,z,L1,x1,y,Z1,H4,j8,o7,t4,m1,j,r1,s6,y6,c3,P8,P1,i1,s1,S5,r1,p2,r2,M3,t,x7,t8,r6,J9,y1,L7,M1,H2,I4,S7,A,J4,R6,x5,g2,i5,O6,O6,J1,i9,e8,F2,P3,b5,i2,o5,A3,e1,N3,i7,A6,D2,Z4,S8,Z5,X7,q,r2,g3,b,V3,I1,R6,B9,N5,H4,c6,R6,s9,w4,H7,N1,A8,p7,m5,b4,B1,x3,J7,l9,F" (Indicator: "cmd=")
- source: File/Memory
- relevance: 10/10
- ATT&CK ID: T1094
System Destruction
Marks file for deletion
- details
  - "%WINDIR%\System32\rundll32.exe" marked "%TEMP%\hHcmfJLZu.txt" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107
Opens file with deletion access rights
- details
  - "rundll32.exe" opened "%TEMP%\hHcmfJLZu.txt" with delete access
- source: API Call
- relevance: 7/10
Unusual Characteristics
Installs hooks/patches the running process
- details
  - "wscript.exe" wrote bytes "c04e6b7720546c77e0656c77b5386d770000000000d0787600000000c5ea78760000000088ea787600000000e968857582286d77ee296d7700000000d2698575000000007dbb78760000000009be857500000000ba18787600000000" to virtual address "0x75CD1000" (part of module "NSI.DLL")
  - "regsvr32.exe" wrote bytes "b830122872ffe0" to virtual address "0x75C91368" (part of module "WS2_32.DLL")
  - "regsvr32.exe" wrote bytes "48124175" to virtual address "0x754283C0" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "f8114175" to virtual address "0x754283E0" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "f8114175" to virtual address "0x754283C4" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "48124175" to virtual address "0x75428364" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "f8110000" to virtual address "0x75411408" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "b840132872ffe0" to virtual address "0x75411248" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "68130000" to virtual address "0x75C91680" (part of module "WS2_32.DLL")
  - "regsvr32.exe" wrote bytes "48124175" to virtual address "0x75428348" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "f8114175" to virtual address "0x75428368" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "c04e6b7720546c77e0656c77b5386d770000000000d0787600000000c5ea78760000000088ea787600000000e968857582286d77ee296d7700000000d2698575000000007dbb78760000000009be857500000000ba18787600000000" to virtual address "0x75CD1000" (part of module "NSI.DLL")
  - "regsvr32.exe" wrote bytes "f8110000" to virtual address "0x754112CC" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "f8114175" to virtual address "0x7542834C" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "60122872" to virtual address "0x7614E324" (part of module "WININET.DLL")
  - "regsvr32.exe" wrote bytes "b8c0152872ffe0" to virtual address "0x754111F8" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "48120000" to virtual address "0x7541139C" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "48120000" to virtual address "0x754112DC" (part of module "SSPICLI.DLL")
  - "regsvr32.exe" wrote bytes "48124175" to virtual address "0x754283DC" (part of module "SSPICLI.DLL")
  - "rundll32.exe" wrote bytes "fae66877e1a66d772e716d77ee296d7785e268776da06d7726e46877d16d6d77003d6b77804b6b7700000000ad37c9758b2dc975b641c97500000000" to virtual address "0x74A11000" (part of module "WSHTCPIP.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
Reads information about supported languages
- details
  - "regsvr32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "rundll32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Hiding 6 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
Informative 28
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
  - SetUnhandledExceptionFilter@KERNEL32.DLL from wscript.exe (PID: 2232)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from rundll32.exe (PID: 3744)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from rundll32.exe (PID: 3344)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from rundll32.exe (PID: 3076)
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness
Contains ability to query machine time
- details
  - GetSystemTimeAsFileTime@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from rundll32.exe (PID: 3744)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from rundll32.exe (PID: 3344)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from rundll32.exe (PID: 3076)
  - GetLocalTime@kernel32.dll
  - GetLocalTime@kernel32.dll
  - GetLocalTime@kernel32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124
Contains ability to query the machine version
- details
  - GetVersionExA@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetVersionExA@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetVersion@kernel32.dll
  - GetVersion@kernel32.dll
  - GetVersion@kernel32.dll
  - GetVersion@kernel32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the system locale
- details
  - GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetUserDefaultUILanguage@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 2232)
  - EnumSystemLocalesW@kernel32.dll
  - EnumSystemLocalesW@kernel32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query volume size
- details
  - GetDiskFreeSpaceW@kernel32.dll
  - GetDiskFreeSpaceW@kernel32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083
Makes a code branch decision directly after an API that is environment aware
- details
  - Found API call GetVersion@kernel32.dll directly followed by "cmp edx, 05h" and "jne 0040EC02h"
  - Found API call GetVersion@kernel32.dll directly followed by "cmp byte ptr [00545C0Ch], 00h" and "je 0040C332h"
- source: Hybrid Analysis Technology
- relevance: 10/10
Possibly tries to detect the presence of a debugger
- details
  - GetProcessHeap@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetProcessHeap@KERNEL32.DLL from wscript.exe (PID: 2232)
  - GetProcessHeap@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
Queries volume information
- details
  - "regsvr32.exe" queries volume information of "C:\" at 00037337-00003900-0000010C-111614912061
  - "rundll32.exe" queries volume information of "C:\" at 00038393-00003744-0000010C-148368596034
  - "rundll32.exe" queries volume information of "C:\" at 00043729-00003344-0000010C-287812173043
  - "rundll32.exe" queries volume information of "C:\" at 00044012-00003076-0000010C-296786752643
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120
Queries volume information of an entire harddrive
- details
  - "regsvr32.exe" queries volume information of "C:\" at 00037337-00003900-0000010C-111614912061
  - "rundll32.exe" queries volume information of "C:\" at 00038393-00003744-0000010C-148368596034
  - "rundll32.exe" queries volume information of "C:\" at 00043729-00003344-0000010C-287812173043
  - "rundll32.exe" queries volume information of "C:\" at 00044012-00003076-0000010C-296786752643
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120
Reads the registry for installed applications
- details
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP"; Key: "UNINSTALLSTRING"; Value: "00000000010000004A00000043003A005C00500072006F006700720061006D002000460069006C00650073005C0037002D005A00690070005C0055006E0069006E007300740061006C006C002E006500780065000000")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP"; Key: "DISPLAYNAME"; Value: "00000000010000001800000037002D005A00690070002000310036002E00300034000000")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR"; Key: "UNINSTALLSTRING"; Value: "0000000001000000C800000063003A005C00500072006F006700720061006D002000460069006C00650073005C0043006F006D006D006F006E002000460069006C00650073005C00410064006F006200650020004100490052005C00560065007200730069006F006E0073005C0031002E0030005C005200650073006F00750072006300650073005C00410064006F00620065002000410049005200200055007000640061007400650072002E0065007800650020002D006100720070003A0075006E0069006E007300740061006C006C000000")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR"; Key: "DISPLAYNAME"; Value: "000000000100000014000000410064006F006200650020004100490052000000")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX"; Key: "UNINSTALLSTRING"; Value: "0000000001000000B000000043003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C004D006100630072006F006D00650064005C0046006C006100730068005C0046006C006100730068005500740069006C00330032005F00320037005F0030005F0030005F003100380037005F0041006300740069007600650058002E0065007800650020002D006D00610069006E007400610069006E00200061006300740069007600650078000000")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX"; Key: "DISPLAYNAME"; Value: "00000000010000003C000000410064006F0062006500200046006C00610073006800200050006C006100790065007200200032003700200041006300740069007600650058000000")
  - "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE SHOCKWAVE PLAYER")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General
Contacts server
- details
  - "132.108.136.103:443"
  - "47.168.247.94:443"
  - "195.123.220.45:443"
  - "195.123.246.209:443"
  - "31.244.102.117:443"
- source: Network Traffic
- relevance: 1/10
Contains PDB pathways
- details
  - "wscript.pdb"
  - "rundll32.pdb"
  - "c:\Brown\Fruit\Swim\dear\Run\Finish\told\view\ElectricReach.pdb"
- source: File/Memory
- relevance: 1/10
Creates a writable file in a temporary directory
- details
  - "wscript.exe" created file "%TEMP%\XnlPYhOz"
  - "wscript.exe" created file "%TEMP%\LmUGHAd.txt"
  - "wscript.exe" created file "%TEMP%\hHcmfJLZu.txt"
- source: API Call
- relevance: 1/10
Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "Local\ZonesLockedCacheCounterMutex"
  - "Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\47E8C839"
  - "\Sessions\1\BaseNamedObjects\2ADC0512"
  - "\Sessions\1\BaseNamedObjects\A9022E50"
  - "47E8C839"
  - "2ADC0512"
  - "A9022E50"
- source: Created Mutant
- relevance: 3/10
Overview of unique CLSIDs touched in registry
- details
  - "schtasks.exe" touched "TaskScheduler class" (Path: "HKCU\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}")
- source: Registry Access
- relevance: 3/10
Process launched with changed environment
- details
  - Process "regsvr32.exe" was launched with modified environment variables: "Path"
  - Process "regsvr32.exe" was launched with missing environment variables: "PROMPT, VXDIR"
- source: Monitored Target
- relevance: 10/10
Scanning for window names
- details
  - "wscript.exe" searching for class "Shell_TrayWnd"
  - "rundll32.exe" searching for class "A2292814"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010
Spawns new processes
- details
  - Spawned process "regsvr32.exe" with commandline "-s %TEMP%\hHcmfJLZu.txt"
  - Spawned process "rundll32.exe" with commandline "%WINDIR%\system32\\rundll32.exe %TEMP%\hHcmfJLZu.txt,f0"
  - Spawned process "rundll32.exe" with commandline "%WINDIR%\system32\\rundll32.exe %PROGRAMFILES(X86)%\31889263\3ED ..."
  - Spawned process "rundll32.exe" with commandline "%ALLUSERSPROFILE%\31889263\3ED95979.dll,f2 4458A332E9B82FF56A9D2 ..."
  - Spawned process "schtasks.exe" with commandline "/End /tn \Microsoft\Windows\Wininet\CacheTask"
  - Spawned process "schtasks.exe" with commandline "/Run /tn \Microsoft\Windows\Wininet\CacheTask"
- source: Monitored Target
- relevance: 3/10
Spawns new processes that are not known child processes
- details
  - Spawned process "regsvr32.exe" with commandline "-s %TEMP%\hHcmfJLZu.txt"
  - Spawned process "rundll32.exe" with commandline "%WINDIR%\system32\\rundll32.exe %TEMP%\hHcmfJLZu.txt,f0"
  - Spawned process "rundll32.exe" with commandline "%WINDIR%\system32\\rundll32.exe %PROGRAMFILES(X86)%\31889263\3ED ..."
  - Spawned process "rundll32.exe" with commandline "%ALLUSERSPROFILE%\31889263\3ED95979.dll,f2 4458A332E9B82FF56A9D2 ..."
  - Spawned process "schtasks.exe" with commandline "/End /tn \Microsoft\Windows\Wininet\CacheTask"
  - Spawned process "schtasks.exe" with commandline "/Run /tn \Microsoft\Windows\Wininet\CacheTask"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence
Connects to LPC ports
- details
  - "regsvr32.exe" connecting to "\ThemeApiPort"
  - "rundll32.exe" connecting to "\ThemeApiPort"
  - "schtasks.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10
Contains ability to lookup the windows account name
- details
  - GetUserNameW@ADVAPI32.DLL from wscript.exe (PID: 2232)
- source: Hybrid Analysis Technology
- relevance: 5/10
Dropped files
- details
  - "3ED95979.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "34FC48A3E33C86600528F94B2677D2CC" has type "data"
  - "XnlPYhOz" has type "ASCII text with no line terminators"
  - "6A41C838" has type "ASCII text with no line terminators"
  - "hHcmfJLZu.txt" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "698390.tmp" has type "SQLite 3.x database user version 8"
  - "stealler.txt" has type "ASCII text with no line terminators"
  - "FD6511CC84B0C2F574D34AB04BF6CA3D" has type "data"
  - "LmUGHAd.txt" has type "Zip archive data at least v2.0 to extract"
- source: Binary File
- relevance: 3/10
Found a string that may be used as part of an injection method
- details
  - "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1055
Scans for the windows taskbar (may be used for explorer injection)
- details
  - "wscript.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1055
Touches files in the Windows directory
- details
  - "wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
  - "wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
  - "wscript.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "wscript.exe" touched file "%WINDIR%\System32\rsaenh.dll"
  - "wscript.exe" touched file "%WINDIR%\System32\scrrun.dll"
  - "wscript.exe" touched file "%WINDIR%\System32\wshom.ocx"
  - "wscript.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
  - "wscript.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
  - "wscript.exe" touched file "%WINDIR%\System32\wbem\wbemdisp.tlb"
  - "wscript.exe" touched file "%WINDIR%\System32\stdole2.tlb"
- source: API Call
- relevance: 7/10
System Security
Creates or modifies windows services
- details
  - "rundll32.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "DESCRIPTION"; Value: "@%SystemRoot%\system32\Sens.dll,-201")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "DISPLAYNAME"; Value: "@%SystemRoot%\system32\Sens.dll,-200")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "GROUP"; Value: "ProfSvc_Group")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "OBJECTNAME"; Value: "LocalSystem")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "IMAGEPATH"; Value: "%WINDIR%\system32\svchost.exe -k LocalService")
  - "rundll32.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263\PARAMETERS")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263\PARAMETERS"; Key: "SERVICEDLL"; Value: "%ALLUSERSPROFILE%\31889263\3ED95979.dll")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "ERRORCONTROL"; Value: "01000000")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "START"; Value: "02000000")
  - "rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\31889263"; Key: "TYPE"; Value: "10010000")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Modifies proxy settings
- details
  - "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
  - "regsvr32.exe" opened "\Device\KsecDD"
  - "rundll32.exe" opened "\Device\KsecDD"
  - "schtasks.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215
File Details
Receipt#35934291690503868185621.vbs
- Filename: Receipt#35934291690503868185621.vbs
- Size: 4.4MiB (4563704 bytes)
- Type: script vbs
- Description: ASCII text, with very long lines, with no line terminators
- Architecture: WINDOWS
- SHA256: 1b47f95ea53234b810cf908f09904955226848b25041452da0db6fc992779976
- MD5: 78a2b63d5f68823025790b3294ec9252
- SHA1: eafc9e9d695be55efbae72e4fc5157b6b6b3effa
- ssdeep: 49152:S8lR5pb/1toAYnKGb/gr7dpNLIwyxoJ2WPH0J6hlqCNDjFAI/gJQ7um7KqWDzMPA:O
Hybrid Analysis
Analysed 7 processes in total.
- wscript.exe "C:\Receipt#35934291690503868185621.vbs" (PID: 2232)
- regsvr32.exe -s %TEMP%\hHcmfJLZu.txt (PID: 3900)
- rundll32.exe %WINDIR%\system32\\rundll32.exe %TEMP%\hHcmfJLZu.txt,f0 (PID: 3744)
- rundll32.exe %WINDIR%\system32\\rundll32.exe %PROGRAMFILES(X86)%\31889263\3ED95979.dll,f1 %TEMP%\hHcmfJLZu.txt@3744 (PID: 3344)
- rundll32.exe %ALLUSERSPROFILE%\31889263\3ED95979.dll,f2 4458A332E9B82FF56A9D22C7A5CF0F74 (PID: 3076)
- schtasks.exe /End /tn \Microsoft\Windows\Wininet\CacheTask (PID: 2912)
- schtasks.exe /Run /tn \Microsoft\Windows\Wininet\CacheTask (PID: 3056)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
132.108.136.103 | 443 TCP | rundll32.exe PID: 3744 | United States |
47.168.247.94 | 443 TCP | rundll32.exe PID: 3744 | United States |
195.123.220.45 | 443 TCP | rundll32.exe PID: 3744 | Ukraine |
195.123.246.209 | 443 TCP | rundll32.exe PID: 4000; svchost.exe PID: 304 | Ukraine |
31.244.102.117 | 443 TCP | svchost.exe PID: 304 | Germany |
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Informative Selection 2
3ED95979.dll
- Size: 1.4MiB (1425408 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process: rundll32.exe (PID: 3344)
- MD5: 9567ccfa4561a88f690a195e2b1f79d5
- SHA1: 746695927054327fdda9262a33e80ed1b39a4210
- SHA256: d415166326d08ff6fcfca558f4cc5a689d5c543675d0409d60a75c9bea4a54c3
hHcmfJLZu.txt
- Size: 1.5MiB (1624576 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process: rundll32.exe (PID: 3344)
- MD5: d4ab238adbb50101b084e389b9282dc7
- SHA1: 6367d80ba4a3929bae62fcea6d2230902b6e1713
- SHA256: d30af9bb7199fbf9263cacb8d673e5286a79150b561801ab5aace70a3421dad5
Informative 7
6A41C838
- Size: 33B (33 bytes)
- Type: text
- Description: ASCII text, with no line terminators
- Runtime Process: rundll32.exe (PID: 3344)
- MD5: b6413844844b1f87eee97d634bcbc4e5
- SHA1: 155b0fcd9ffdba4fab29cc58d0b02cb519b6fe3e
- SHA256: ab00b74f97172399daba9e3fb4eaeeacd7f4be71b811be029e67622bc4897a74
34FC48A3E33C86600528F94B2677D2CC
- Size: 88KiB (90148 bytes)
- Type: data
- Runtime Process: rundll32.exe (PID: 3344)
- MD5: 023ba613897c2311b61a015237954c56
- SHA1: 32610fb22d8acfb0832d1aa3de9ffddd0f58bfdf
- SHA256: 7e09d9d9226b351319fdcde59d167de7e95f364ea6b9892f77bb0a6b2fe3af79
LmUGHAd.txt
- Size: 1.2MiB (1286671 bytes)
- Type: data compressed zip
- Description: Zip archive data, at least v2.0 to extract
- Runtime Process: wscript.exe (PID: 2232)
- MD5: 6dff91b277e5909dc1e0a4a373ddd919
- SHA1: e7caff60a1d81515a5a4a0b13bde7d4738a5b5f8
- SHA256: e0845ba2bb3e203b421797499ea75e4b9ee5351a094f772ca3c50aa9548e6323
XnlPYhOz
- Size: 7B (7 bytes)
- Type: text
- Description: ASCII text, with no line terminators
- Runtime Process: wscript.exe (PID: 2232)
- MD5: f7de362c72129e3ec204d617657a62ce
- SHA1: d27e46a35aa1164b22e1ea1920c701474ef2e77b
- SHA256: 467259371e9e2c4f0229d0bbe5af91c9e15f259cd166509453bbf47c70278179
698390.tmp
- Size: 512KiB (524288 bytes)
- Type: data
- Description: SQLite 3.x database, user version 8
- MD5: be370ff5a89c927527a2aa6e296600c6
- SHA1: b88c7e72d2d7e203718f6f004ac7f3bf9065ff06
- SHA256: c4c49e874abd38b83cb8eefe46d05d21dfc3502a69a59fb672316a50b04462c7
stealler.txt
- Size: 4B (4 bytes)
- Type: text
- Description: ASCII text, with no line terminators
- MD5: 81dc9bdb52d04dc20036dbd8313ed055
- SHA1: 7110eda4d09e062aa5e4a390b0a572ac0d2c0220
- SHA256: 03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
FD6511CC84B0C2F574D34AB04BF6CA3D
- Size: 5.7KiB (5876 bytes)
- Type: data
- MD5: bd2590bcb5a18dd632f0788d151257ec
- SHA1: 518810dfdcaecfbfd7d3b3790f9c166fc452ff75
- SHA256: 62fc2c2de9c36a3e10d8d3b5901d1284783d7118f2c3bc13a6c80c301fde010d
Notifications
Runtime
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report