Click to jump to signature section
Source: Original Invoice.vbs | Virustotal: Detection: 11% | Perma Link |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 98.8% probability |
Source: | Binary string: powershell.pdbUGP source: Original Invoice.vbs.exe.8.dr |
Source: | Binary string: powershell.pdb source: Original Invoice.vbs.exe.8.dr |
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} | Jump to behavior |
Source: Original Invoice.vbs | Initial sample: Strings found which are bigger than 50 |
Source: Original Invoice.vbs.exe.8.dr | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Original Invoice.vbs |
Source: classification engine | Classification label: mal64.winVBS@3/1@0/0 |
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\Original Invoice.vbs.exe | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1624:120:WilError_03 |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Original Invoice.vbs" |
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: Original Invoice.vbs | Virustotal: Detection: 11% |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Original Invoice.vbs" |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Original Invoice.vbs.exe" /Y |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 | Jump to behavior |
Source: Original Invoice.vbs | Static file information: File size 3936548 > 1048576 |
Source: | Binary string: powershell.pdbUGP source: Original Invoice.vbs.exe.8.dr |
Source: | Binary string: powershell.pdb source: Original Invoice.vbs.exe.8.dr |
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\Original Invoice.vbs.exe | Jump to dropped file |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\Original Invoice.vbs.exe | Jump to dropped file |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: wscript.exe, 00000006.00000003.1389157749.0000025CFA0D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\; |
Source: wscript.exe, 00000006.00000003.1389157749.0000025CFA0D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:b |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |