Genscape Australia Pty Ltd Statement.vbs
This report was generated from a file or URL submitted to this webservice on September 9th 2019 03:00:28 (UTC).
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior: Contacts 1 domain and 1 host.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (3)
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details: 2/57 Antivirus vendors marked sample as malicious (3% detection rate)
- source: External System
- relevance: 8/10
Unusual Characteristics
References suspicious system modules
- details: "met. Hoopen justiciable reappreciation platterface Pantopoda ordinated eelblennies wadsets hulloas fraudulently foreordinating probituminous swarmer barbarianism pandy ringmasters blacked ulcuscule palmettos clippings sociometric nonfamiliar Elsass Arkie commercialisation heelposts seashine brideman oxheart undeviously plasmagel abrotanum stomatomy Philemon sheafage understocking spectrological daystar hypnosporangia jefferisite knee-breeched Mesilla enterozoon cingulectomies gamings whitenesses ISRG extrameridian nonrecalcitrancy bonzes streptoneural Atcliffe saim compellative clubhand hipp- keena cytosols inconfusion patternlike sibilance wraggle saturator subpectoral rubedity Lorenz subpopulations diagnoseable facula hypergols Saperda searobin autoanalysis pedicelliform stilbenes magazines pretimely ichorrhaemia Goodrich silliness Kasavubu tinselmaking pertused teleseism eyeballs supererogatorily Elea sufficer quarsome anemochore antonymic can-lining re-emerge preadhered philopogon sundrops chivalresque ea"
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1215
Script file shows a combination of malicious behavior
- details: The script produces internet activity, is obfuscated and drops files
- source: Indicator Combinations
- relevance: 7/10
Suspicious Indicators (8)
Anti-Detection/Stealthiness
Launches the WMI Provider Host
- details:
  - Found process "WmiPrvSE.exe"
  - Found process "WmiPrvSE.exe"
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1047
Possibly tries to hide a process launching it with different user credentials
- details: ImpersonateLoggedOnUser@ADVAPI32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 3/10
Anti-Reverse Engineering
Possibly checks for known debuggers/analysis tools
- details:
  - strings matching indicator "ntice" (padding text omitted)
- source: File/Memory
- relevance: 2/10
External Systems
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details: 1/71 reputation engines marked "http://bostonfrogpond.com" as malicious (1% detection rate)
- source: External System
- relevance: 10/10
General
Contains ability to find and load resources of a specific module
- details:
  - LoadResource@KERNEL32.DLL from wscript.exe (PID: 3840)
  - FindResourceExW@KERNEL32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10
Installation/Persistence
Executes a visual basic script
- details: Process "wscript.exe" with commandline ""C:\GenscapeAustraliaPtyLtdStatement.vbs""
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1064
Loads the task scheduler COM API
- details:
  - "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 73D10000
  - "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 00730000
- source: Loaded Module
- relevance: 5/10
- ATT&CK ID: T1168
Network Related
Sends traffic on typical HTTP outbound port, but without HTTP header
- details: TCP traffic to 104.244.73.177 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
- ATT&CK ID: T1043
Informative (21)
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness
Contains ability to query machine time
- details: GetSystemTimeAsFileTime@KERNEL32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124
Contains ability to query the machine version
- details:
  - GetVersionExA@KERNEL32.DLL from wscript.exe (PID: 3840)
  - GetVersionExA@KERNEL32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1082
Contains ability to query the system locale
- details:
  - GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 3840)
  - GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 3840)
  - GetUserDefaultUILanguage@KERNEL32.DLL from wscript.exe (PID: 3840)
  - GetUserDefaultLCID@KERNEL32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10
Possibly tries to detect the presence of a debugger
- details:
  - GetProcessHeap@KERNEL32.DLL from wscript.exe (PID: 3840)
  - GetProcessHeap@KERNEL32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10
General
Contacts domains
- details: "bostonfrogpond.com"
- source: Network Traffic
- relevance: 1/10
Contacts server
- details: "104.244.73.177:443"
- source: Network Traffic
- relevance: 1/10
Contains PDB pathways
- details: "wscript.pdb"
- source: File/Memory
- relevance: 1/10
Creates a writable file in a temporary directory
- details: "wscript.exe" created file "%TEMP%\TableOfColors.exe"
- source: API Call
- relevance: 1/10
Creates mutants
- details: "\BaseNamedObjects\DSKQUOTA_SIDCACHE_MUTEX"
- source: Created Mutant
- relevance: 3/10
Drops files marked as clean
- details: Antivirus vendors marked dropped file "TableOfColors.exe" as clean (type is "HTML document ASCII text")
- source: Binary File
- relevance: 10/10
Logged script engine calls
- details:
  - "wscript.exe" called "Msxml2.DOMDocument.3.0.CreateObject" ...
  - "wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
  - "wscript.exe" called "WScript.Shell.1.CreateObject" ...
- source: API Call
- relevance: 10/10
Spawns new processes
- details:
  - Spawned process "WmiPrvSE.exe"
  - Spawned process "WmiPrvSE.exe"
- source: Monitored Target
- relevance: 3/10
Spawns new processes that are not known child processes
- details:
  - Spawned process "WmiPrvSE.exe"
  - Spawned process "WmiPrvSE.exe"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence
Contains ability to lookup the windows account name
- details: GetUserNameW@ADVAPI32.DLL from wscript.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1033
Dropped files
- details: "TableOfColors.exe" has type "HTML document ASCII text"
- source: Binary File
- relevance: 3/10
Opens the MountPointManager (often used to detect additional infection locations)
- details: "wscript.exe" opened "\Device\MountPointManager"
- source: API Call
- relevance: 5/10
Touches files in the Windows directory
- details:
  - "wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
  - "wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
  - "wscript.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "wscript.exe" touched file "%WINDIR%\System32\rsaenh.dll"
  - "wscript.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"
  - "wscript.exe" touched file "%WINDIR%\System32\msxml3r.dll"
  - "wscript.exe" touched file "%WINDIR%\System32\wshom.ocx"
  - "wscript.exe" touched file "%WINDIR%\System32\msxml6r.dll"
  - "wscript.exe" touched file "%WINDIR%\System32\taskschd.dll"
  - "wscript.exe" touched file "%WINDIR%\System32\stdole2.tlb"
- source: API Call
- relevance: 7/10
Network Related
Found potential URL in binary/memory
- details: Heuristic match: "bostonfrogpond.com"
- source: File/Memory
- relevance: 10/10
Spyware/Information Retrieval
Found a reference to a known community page
- details:
  - "lolontha curiomaniac ex-minister disentangle unbombed spiral-geared quicknesses taffrail lingams Agriochoerus mis-center monodelphian l- by-dependency surpreciation alkalizer shackings jawsmith Peninsula Gorgophone hypochylia rehashing reported pond-apple perisphinctoid thoracocyrtosis gracelessly well-twisted Jeroboam zirconifluoride individualising granitize Russomaniac rheotrope botryogen kameel anteflexion chronobiology Waismann resettle enterohelcosis foulmouthed Stan imploratory Juznik pistolgraph valving griffs sky-cleaving Wilson contagions implanter monumentalism transvestites Nertie ays ephemeras inhabitance unvitriolized morphonomic seek noncarbohydrate parapsidal twitterer gibbartas IO furore much-honored untasting Ritter clitch sagoweer predelegating haptens melodias splined wanderers princes-feather peacock-spotted tonnelle squarier immobilization obfuscous faunistic hyet- dead-frozen radiums lycine ochraceous undermediator Enoree crosshatches archconsoler elder-born shop trophocyte misrelation" (Indicator: "twitter")
  - "vised underbedding antilepsis Charlevoix twitter anurans kohekohe draughtsboard unhappinesses Mithriac Sabra Mind snarly hassar temporally self-antithesis Trammel counterinvective amorino agricolous interresponsibility redolences Marmaduke buttwood postaspirate eczematous monial arachidonic babes blockholer psychotrine unobverted healder contraindicates mullion RAVC craspedal anodally extra-axillary Avicebron Yazbak nonisobaric beautifying riddances pipery Coccogonales esne Holsworth wind-driven hegiras urman unwalled deracine Antonina isogam skeptics hydromorph Culberson three-spored vellinch dipcoat plicateness varicosities kerf undergrad sensibilitiy Eifel typhoidal intro Westbrook Meantes Novato fearful shrill-edged Partheniae craggedness Gazankulu Universalistic Haletta Paz emancipated teleologically sialostenosis microsporangia spahees moorhen students jugulary countersigns nuclei localed lymphoduct unarrogating provisory fortyfold electroplax Hondo lymphangial guarache untirable menswears othergates re" (Indicator: "twitter")
- source: File/Memory
- relevance: 7/10
Unusual Characteristics
Installs hooks/patches the running process
- details:
  - "wscript.exe" wrote bytes "fae6cf77e1a6d4772e71d477ee29d47785e2cf776da0d47726e4cf77d16dd477003dd277804bd27700000000ad37ea778b2dea77b641ea7700000000" to virtual address "0x75081000" (part of module "WSHTCPIP.DLL")
  - "wscript.exe" wrote bytes "e739d077e1a6d4772e71d477ee29d47785e2cf776da0d4779064d3773ad5da7726e4cf77d16dd477003dd277804bd27700000000ad37ea778b2dea77b641ea7700000000" to virtual address "0x75691000" (part of module "WSHIP6.DLL")
  - "wscript.exe" wrote bytes "c04ed2772054d377e065d377b538d4770000000000d0707700000000c5ea70770000000088ea707700000000e968e9758228d477ee29d47700000000d269e975000000007dbb70770000000009bee97500000000ba18707700000000" to virtual address "0x77EE1000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
File Details
- Filename: Genscape Australia Pty Ltd Statement.vbs
- Size: 1.6MiB (1703999 bytes)
- Type: script vbs
- Description: ASCII text, with very long lines
- Architecture: WINDOWS
- SHA256: 961d5f78322778260d6fafaba6a0759dd2e8baff81de4ccf965989b243ae5851
- MD5: 40b2455de947f7f4b0f768b7fadbb536
- SHA1: 6f739955e72224a13dbb18045c1e5d61638c684e
- ssdeep: 49152:wgEO4THSYtJU979X8OWYtgVqzjUl6bbPJ+lp:+
Screenshots
Hybrid Analysis
Analysed 3 processes in total.
- wscript.exe "C:\GenscapeAustraliaPtyLtdStatement.vbs" (PID: 3840)
- WmiPrvSE.exe (PID: 2584)
- WmiPrvSE.exe (PID: 3640)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
bostonfrogpond.com | 104.244.73.177 (TTL: 14399) | - | United States
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
104.244.73.177 | 443/TCP | wscript.exe (PID: 3840) | United States
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Clean (1)
TableOfColors.exe
- Size: 216B (216 bytes)
- Type: html
- Description: HTML document, ASCII text
- AV Scan Result: 0/58
- Runtime Process: wscript.exe (PID: 3840)
- MD5: 58f1041284eb5a06d0301d73b53c8d63
- SHA1: b8a354af795947cdae83f67c3ff6b041d0cd5e78
- SHA256: 22159afb7ff62c51413fe209e8b94aa7501f691c2e19cbc7a79b0289d6ddc109