Source: Original Invoice.vbs |
Virustotal: Detection: 11% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.8% probability |
Source: |
Binary string: powershell.pdbUGP source: Original Invoice.vbs.exe.8.dr |
Source: |
Binary string: powershell.pdb source: Original Invoice.vbs.exe.8.dr |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} |
Source: Original Invoice.vbs |
Initial sample: Strings found which are bigger than 50 |
Source: Original Invoice.vbs.exe.8.dr |
Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Original Invoice.vbs |
Source: classification engine |
Classification label: mal64.winVBS@3/1@0/0 |
Source: C:\Windows\System32\cmd.exe |
File created: C:\Users\user\Desktop\Original Invoice.vbs.exe |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1624:120:WilError_03 |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Original Invoice.vbs" |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
Source: C:\Windows\System32\wscript.exe |
File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Original Invoice.vbs" |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Original Invoice.vbs.exe" /Y |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: textshaping.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: textinputframework.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: coremessaging.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\cmd.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: Original Invoice.vbs |
Static file information: File size 3936548 > 1048576 |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Window found: window name: WSH-Timer |
Source: C:\Windows\System32\cmd.exe |
Dropped PE file which has not been started: C:\Users\user\Desktop\Original Invoice.vbs.exe |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: wscript.exe, 00000006.00000003.1389157749.0000025CFA0D6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\; |
Source: wscript.exe, 00000006.00000003.1389157749.0000025CFA0D6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:b |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |