temp.js
This report is generated from a file or URL submitted to this webservice on March 19th 2019 00:41:52 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Indicators
-
Malicious Indicators 2
-
General
-
The analysis extracted a file that was identified as malicious
- details
- 38/68 Antivirus vendors marked dropped file "49980.exe" as malicious (classified as "Gen:Variant.Ursu" with 55% detection rate)
- source
- Binary File
- relevance
- 10/10
-
The analysis spawned a process that was identified as malicious
- details
- 38/68 Antivirus vendors marked spawned process "49980.exe" (PID: 3932) as malicious (classified as "Gen:Variant.Ursu" with 55% detection rate)
- source
- Monitored Target
- relevance
- 10/10
-
Suspicious Indicators 6
-
Anti-Detection/Stealthiness
-
Possibly tries to hide a process launching it with different user credentials
- details
- ImpersonateLoggedOnUser@ADVAPI32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Environment Awareness
-
Contains ability to query CPU information
- details
- cpuid
- source
- Hybrid Analysis Technology
- relevance
- 10/10
- ATT&CK ID
- T1082
-
General
-
Contains ability to find and load resources of a specific module
- details
- LoadResource@KERNEL32.DLL from wscript.exe (PID: 4124)
- FindResourceExW@KERNEL32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistence
-
Drops executable files
- details
- "49980.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed"
- source
- Binary File
- relevance
- 10/10
-
Writes data to a remote process
- details
- "wscript.exe" wrote 32 bytes to a remote process "%APPDATA%\Microsoft\49980.exe" (Handle: 672)
- "wscript.exe" wrote 52 bytes to a remote process "%APPDATA%\Microsoft\49980.exe" (Handle: 672)
- "wscript.exe" wrote 4 bytes to a remote process "%APPDATA%\Microsoft\49980.exe" (Handle: 672)
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
-
System Security
-
Modifies proxy settings
- details
- "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Informative 15
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
- GetVersionExA@KERNEL32.DLL from wscript.exe (PID: 4124)
- GetVersionExA@KERNEL32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
- GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 4124)
- GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 4124)
- GetUserDefaultUILanguage@KERNEL32.DLL from wscript.exe (PID: 4124)
- GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from wscript.exe (PID: 4124)
- GetProcessHeap@KERNEL32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
General
-
Contains PDB pathways
- details
- "wscript.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- "Local\ZonesLockedCacheCounterMutex"
- "Local\ZonesCacheCounterMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Logged script engine calls
- details
- "wscript.exe" called "WScript.Shell.1.CreateObject" ...
- "wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
- source
- API Call
- relevance
- 10/10
-
Parsed Javascript
- details
-
Output: "var zwwd7976 = [];
var zwwd0151 = [];
var zwwd4426 = 0;
var zwwd2 = "";
var zwwd65 = "";
var zwwd6345 = "";
var zwwd88 = "";
var zwwd70 = "";
var zwwd22 = "";
var zwwd948 = "";
var zwwd035 = "";
var zwwd4072 = "";
var zwwd334 = "";
var zwwd8659 = "";
function zwwd66(zwwd386) {
var zwwd971 = "";
switch (zwwd386) {
case 32:
zwwd971 = " ";
break;
case 33:
zwwd971 = "!";
break;
case 34:
zwwd971 = '"';
break;
case 35:
zwwd971 = "#";
break;
case 36:
zwwd971 = "$";
break;
case 37:
zwwd971 = "%";
break;
case 38:
zwwd971 = "&";
break;
case 39:
zwwd971 = "'";
break;
case 40:
zwwd971 = "(";
break;
case 41:
zwwd971 = ")";
break;
case 42:
zwwd971 = "*";
break;
case 43:
zwwd971 = "+";
break;
case 44:
zwwd971 = ",";
break;
case 45:
zwwd971 = "-";
break;
case 46:
zwwd971 = ".";
break;
case 47:
zwwd971 = "/";
break;
case 48:
zwwd971 = "0";
break;
case 49:
zwwd971 = "1";
break;
case 50:
zwwd971 = "2";
break;
case 51:
zwwd971 = "3";
break;
case 52:
zwwd971 = "4";
break;
case 53:
zwwd971 = "5";
break;
case 54:
zwwd971 = "6";
break;
case 55:
zwwd971 = "7";
break;
case 56:
zwwd971 = "8";
break;
case 57:
zwwd971 = "9";
break;
case 58:
zwwd971 = ":";
break;
case 59:
zwwd971 = ";";
break;
case 60:
zwwd971 = "<";
break;
case 61:
zwwd971 = "=";
break;
case 62:
zwwd971 = ">";
break;
case 63:
zwwd971 = "?";
break;
case 64:
zwwd971 = "@";
break;
case 65:
zwwd971 = "A";
break;
case 66:
zwwd971 = "B";
break;
case 67:
zwwd971 = "C";
break;
case 68:
zwwd971 = "D";
break;
case 69:
zwwd971 = "E";
break;
case 70:
zwwd971 = "F";
break;
case 71:
zwwd971 = "G";
break;
case 72:
zwwd971 = "H";
break;
case 73:
zwwd971 = "I";
break;
case 74:
zwwd971 = "J";
break;
case 75:
zwwd971 = "K";
break;
case 76:
zwwd971 = "L";
break;
case 77:
zwwd971 = "M";
break;
case 78:
zwwd971 = "N";
break;
case 79:
zwwd971 = "O";
break;
case 80:
zwwd971 = "P";
break;
case 81:
zwwd971 = "Q";
break;
case 82:
zwwd971 = "R";
break;
case 83:
zwwd971 = "S";
break;
case 84:
zwwd971 = "T";
break;
case 85:
zwwd971 = "U";
break;
case 86:
zwwd971 = "V";
break;
case 87:
zwwd971 = "W";
break;
case 88:
zwwd971 = "X";
break;
case 89:
zwwd971 = "Y";
break;
case 90:
zwwd971 = "Z";
break;
case 91:
zwwd971 = "[";
..."
- source
- Static Parser
- relevance
- 5/10
-
Spawns new processes
- details
- Spawned process "49980.exe"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
- Spawned process "49980.exe"
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.DLL from wscript.exe (PID: 4124)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Creates new processes
- details
- "wscript.exe" is creating a new process (Name: "%APPDATA%\Microsoft\49980.exe", Handle: 672)
- source
- API Call
- relevance
- 8/10
-
Dropped files
- details
- "49980.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
- "wscript.exe" touched file "C:\Windows\System32\en-US\wscript.exe.mui"
- "wscript.exe" touched file "C:\Windows\System32\wscript.exe"
- "wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
- "wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
- "wscript.exe" touched file "C:\Windows\System32\en-US\jscript.dll.mui"
- "wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
- "wscript.exe" touched file "C:\Windows\System32\tzres.dll"
- "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
- "wscript.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
- "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
- "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
- source
- API Call
- relevance
- 7/10
File Details
temp.js
- Filename
- temp.js
- Size
- 207KiB (211668 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines, with no line terminators
- Architecture
- WINDOWS
- SHA256
- de5104864cf1e0f9903d2e409660b4b1f1a831bd3238ea58619b9e1953c638a3
- MD5
- ffd7204b13b0e5dd5d2dfb1c4415c910
- SHA1
- 6c986c553b838d6fd1647f7861f9e84ca2e2534b
- ssdeep
- 6144:oQhQF34UYQroFK/BEIZf/Kumz3y4BxfV9F:oQhQfTrsK/BLZf/Kumzi4bF
Hybrid Analysis
Analysed 2 processes in total.
-
wscript.exe
"C:\temp.js"
(PID: 4124)
- 49980.exe (PID: 3932) 38/68
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Malicious 1
-
-
49980.exe
- Size
- 153KiB (156672 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- AV Scan Result
- Labeled as "Gen:Variant.Ursu" (38/68)
- Runtime Process
- wscript.exe (PID: 4124)
- MD5
- 81612e4a782de156b979d60dbaf22c87
- SHA1
- 5183229e049f09c579f80068746a705296121fd9
- SHA256
- 02f3ab4845a3f1c15bb5865214e34285a803ac0757fbe8c15ded028aadc6f4e2
-