Malware Analysis Report

2024-08-06 08:28

Sample ID 220913-192fxscegp
Target SketchfabRipper.7z
SHA256 a48248c5afb0c225fe217d2578f92156e9a82979f8091b4114155784bd71521b
Tags
upx pyinstaller elysiumstealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral6, behavioral13, behavioral29, behavioral4, behavioral17, behavioral25, behavioral3, behavioral9, behavioral16, behavioral30, behavioral7, behavioral12, behavioral19, behavioral28, behavioral15, behavioral20, behavioral22, behavioral23, behavioral1, behavioral5, behavioral10, behavioral11, behavioral26, behavioral32, behavioral18, behavioral14, behavioral31, behavioral27, behavioral2, behavioral8, behavioral21, behavioral24 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

a48248c5afb0c225fe217d2578f92156e9a82979f8091b4114155784bd71521b

Threat Level: Known bad

The file SketchfabRipper.7z was found to be: Known bad.

Malicious Activity Summary

upx pyinstaller elysiumstealer

Elysiumstealer family

ElysiumStealer payload

UPX packed file

Detects Pyinstaller

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-09-13 22:27

Signatures

ElysiumStealer payload

Description Indicator Process Target
(2 rows, all fields N/A)

Elysiumstealer family

elysiumstealer

UPX packed file

upx
Description Indicator Process Target
(15 rows, all fields N/A)

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
(1 row, all fields N/A)
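The static signatures above say only that UPX-packed files and a PyInstaller bundle were found, with no per-file detail. The script below is an added example, not part of this report or of the sandbox: it reproduces what those two signatures key on (UPX's default section names and "UPX!" header marker; PyInstaller's CArchive cookie magic and its well-known strings) and records a SHA256 for every file under a directory, which is what you would run after extracting the archive yourself. It assumes the archive has already been unpacked to a directory; the three files it scans are constructed in a temporary directory so it runs offline and are not the contents of SketchfabRipper.7z.

```python
"""Static packer triage for files extracted from an archive.

Added example, not part of the sandbox report. It keys on the same markers the
report's "UPX packed file" and "Detects Pyinstaller" signatures are named after
and records a SHA256 per file. The samples it scans are constructed in a temp
directory so it runs offline; they are not the contents of SketchfabRipper.7z.
"""
import hashlib
import os
import struct
import tempfile

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # UPX's default section names
UPX_MARKER = b"UPX!"                              # UPX packer header magic
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"    # PyInstaller CArchive cookie magic
PYINSTALLER_STRINGS = (b"pyi-windows-manifest-filename", b"_MEIPASS")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_section_names(data: bytes) -> list:
    """Names from the section table that follows the COFF and optional headers."""
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4          # skip 'PE\0\0'
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                                 # COFF header is 20 bytes
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00") for i in range(num_sections)]


def looks_upx(data: bytes) -> bool:
    if not is_pe(data):
        return False
    return bool(UPX_SECTION_NAMES & set(pe_section_names(data))) or UPX_MARKER in data


def looks_pyinstaller(data: bytes) -> bool:
    return PYINSTALLER_MAGIC in data or any(s in data for s in PYINSTALLER_STRINGS)


def classify(data: bytes) -> dict:
    return {"sha256": sha256_hex(data), "pe": is_pe(data),
            "upx": looks_upx(data), "pyinstaller": looks_pyinstaller(data)}


def scan_dir(root: str) -> dict:
    """Classify every file under root, keyed by path relative to root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[os.path.relpath(path, root)] = classify(fh.read())
    return results


def build_fake_pe(section_names) -> bytes:
    """Minimal PE32 skeleton with the given section names (constructed test data only)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = b"\x0b\x01" + b"\x00" * (opt_size - 2)         # PE32 magic 0x10b
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + optional + sections


def demo() -> dict:
    """Write three constructed samples to a temp dir and scan them."""
    samples = {
        "packed.exe": build_fake_pe([b"UPX0", b"UPX1", b".rsrc"]) + b"\x00" * 8 + UPX_MARKER,
        "bundle.exe": build_fake_pe([b".text", b".rdata"]) + b"\x00" * 8 + PYINSTALLER_MAGIC,
        "index.js": b"module.exports = require('./lib');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_dir(tmp)


if __name__ == "__main__":
    for path, info in sorted(demo().items()):
        print(f"{info['sha256'][:16]}  upx={info['upx']!s:5}  pyinstaller={info['pyinstaller']!s:5}  {path}")
```

Point `scan_dir` at the extraction directory to get the per-file view the report omits. Treat the result as a hint, not proof: section names and the "UPX!" marker can be renamed or overwritten by whoever packed the file, and a PyInstaller bundle whose cookie has been stripped will only show up once you unpack it with a dedicated extractor.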

Analysis: behavioral6

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win10v2004-20220812-en

Max time kernel

1212s

Max time network

1945s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\EventTarget.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\EventTarget.js

Network

Country Destination Domain Proto
US 8.247.211.254:80 tcp
US 8.247.211.254:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
JP 40.79.189.58:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1822s

Max time network

1857s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\lib\tmp.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\lib\tmp.js

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1783s

Max time network

1854s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\test.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\test.js

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win10v2004-20220901-en

Max time kernel

1130s

Max time network

1217s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30984133" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1184233662" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1265954062" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30984133" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369875262" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1184233662" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30984133" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8049194cc5c7d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000001713ef52df65a76788973a2fe673bceb36fac4cfa37ab906838753b41fb1c04a000000000e8000000002000020000000f1c28687b4a085544dde679b4cd816b68b3e01cc2f31107c6c01983137781fb720000000b47e2b3060d0996333443d24674aeecb4dd4942ec42bc3e250b48e0c0b6bfd3640000000fefcff83f9a0468006e8b6d6eaf281659e90cd10499ec875d0cfff7fb38ea7dcff603b0c50fc54b2d5c846cae83731da0d7f843eaeb01bd442c7fe9684f0b961 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000003acfbeac929a214096bb21c88e178e9f7056ecb10687581855dbcb19aa7f4a36000000000e80000000020000200000006ad46edfcf75a1c958338b5075529f597c480b5adf73535c146682212ca405f720000000f4381d01cb28a666a5c13cf396efb9df642ae29b425a2d7e873b00e23f4f402440000000d33f5f71d1776a2411fbdf1e303d7d389de11a87ebce077f8fe16b0505c77a13b049382889641a1a401364a77a337c355d7807d1e53ccc0691a7914856180b85 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{72018243-33B8-11ED-A0EE-5ECEF326E858} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a1274cc5c7d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\.xml

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4604 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
IE 13.69.239.74:443 tcp
NL 104.80.229.204:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/4204-132-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-133-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-136-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-135-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-134-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-137-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-138-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-139-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

memory/4204-140-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win7-20220812-en

Max time kernel

1699s

Max time network

1851s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\test.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\test.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1780s

Max time network

1854s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.js

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1816s

Max time network

1854s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369882440" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b582fed5c7d801 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000ce88ddbd09834286a7834d2b3f8fe8d3fa89a5812a4516d4593aed9852a2d313000000000e8000000002000020000000127cf03f3ed1142645c5510561d52086443e38edb6f75f8fe661d3ce517cba9c9000000093108c94e868f59a41d62b8d89f8ad6986d18d2e1c1dc588bba42c02080bb217921d963b757d34956ea985d203c9f0316aeffb605c5a3435e896c14ccc76690f4ad0f37b6e4a11f2aa1630a785decabd1707251d0e6b154acef4a25d0f33a8cf04741957346780859869a910baa4d9cfd6cc995f2202a3b3e62e83fcfc9aae9c7778914656d66d3f8d45bca642b6f83540000000cedd773017758a051cc95331e48cfa0ee0db54d0895cd347e7b66409363145d854f67cf92a45cf6cd2a47f4a6b50ce4214a3be346f056ad21f5dffdbc93ef95c C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28F6E691-33C9-11ED-A94D-C6F54D7498C3} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000ab471f9678469cb5a7f6b1671077fb48b0460572baaba7cbe723922d09e92129000000000e800000000200002000000012603eecea09372cfc6a9deae17e35ef6b8c03a69c4c4feb40a8e5fffe9b296c2000000087867b0c8f366dc30e8a660444e44c29bb5072f034066141ef25c2283d797cdc40000000a48f5c38889a204b784c54d04d2cc43caf46bd9fe4fa3526f2b28a330bd33892b65b1b8e77c210a2e45b17f2f60b8feffb0d4ba94965e78eecb8294422789696 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 952 wrote to memory of 1392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 952 wrote to memory of 1392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 952 wrote to memory of 1392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 952 wrote to memory of 1392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1392 wrote to memory of 1004 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 1004 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 1004 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 1004 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1004 wrote to memory of 1540 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1004 wrote to memory of 1540 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1004 wrote to memory of 1540 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1004 wrote to memory of 1540 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/952-54-0x0000000076171000-0x0000000076173000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1PXL5QCX.txt

MD5 229670ac565a2f5e3677af8c18b353a4
SHA1 ce20675791a6aef55d050a778e1199f2d12eba11
SHA256 f866701f687a7520d78340e293cfaa80e7e9a18c821cf49e69747f31825abf28
SHA512 a7e046fc0f7635bf9c444a2a78e89288291b99c0256787156010d7ca94faa43abd41a7e331e1a4ff69d271e397925896cd90760363e15700f9afc2bbddc384ed

Analysis: behavioral9

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220901-en

Max time kernel

1771s

Max time network

1859s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\os-tmpdir\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\os-tmpdir\index.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win10v2004-20220812-en

Max time kernel

1145s

Max time network

1230s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\index.js

Network

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
US 93.184.220.29:80 tcp
FR 40.79.150.121:443 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:35

Platform

win10v2004-20220901-en

Max time kernel

1114s

Max time network

1217s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\test.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\test.js

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 20.42.73.25:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220901-en

Max time kernel

1771s

Max time network

1861s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\README.js

Network

Country Destination Domain Proto
US 151.101.1.44:443 tcp
US 151.101.1.44:443 tcp
US 151.101.1.44:443 tcp
US 151.101.1.44:443 tcp
US 151.101.1.44:443 tcp
US 151.101.1.44:443 tcp
US 151.101.1.44:443 tcp
US 151.101.1.44:443 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:35

Platform

win10v2004-20220901-en

Max time kernel

1117s

Max time network

1221s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\README.js

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
NL 104.80.225.205:443 tcp
US 20.189.173.4:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win7-20220812-en

Max time kernel

1695s

Max time network

1851s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\README.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:35

Platform

win10v2004-20220901-en

Max time kernel

1114s

Max time network

1219s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\index.js

Network

Country Destination Domain Proto
NL 104.80.225.205:443 tcp
US 20.42.65.89:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220901-en

Max time kernel

1773s

Max time network

1862s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\index.js

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win10v2004-20220812-en

Max time kernel

886s

Max time network

1235s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\README.js

Network

Country Destination Domain Proto
NL 95.101.78.82:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 104.80.225.205:443 tcp
US 52.182.143.208:443 tcp
NL 8.248.5.254:80 tcp
NL 8.248.5.254:80 tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win10v2004-20220812-en

Max time kernel

899s

Max time network

1228s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\lib\verror.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\lib\verror.js

Network

Country Destination Domain Proto
NL 95.101.78.82:80 tcp
NL 95.101.78.82:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 104.80.225.205:443 tcp
FR 51.11.192.48:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win7-20220812-en

Max time kernel

1693s

Max time network

1851s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.es.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.es.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220901-en

Max time kernel

1772s

Max time network

1858s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\@types\node\base.d.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\@types\node\base.d.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1814s

Max time network

1853s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\EventTarget.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\EventTarget.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win10v2004-20220812-en

Max time kernel

1194s

Max time network

1941s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\os-tmpdir\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\os-tmpdir\index.js

Network

Country Destination Domain Proto
US 13.89.178.27:443 tcp
NL 104.80.225.205:443 tcp
US 8.249.91.254:80 tcp
US 8.249.91.254:80 tcp
US 8.249.91.254:80 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1811s

Max time network

1855s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\README.js

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:35

Platform

win10v2004-20220901-en

Max time kernel

1113s

Max time network

1217s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.js

Network

Country Destination Domain Proto
NL 67.26.109.254:80 tcp
NL 104.80.225.205:443 tcp
US 20.189.173.10:443 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 52.109.12.19:443 tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:35

Platform

win10v2004-20220901-en

Max time kernel

1647s

Max time network

1221s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wrappy\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wrappy\README.js

Network

Country Destination Domain Proto
US 20.189.173.12:443 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:35

Platform

win10v2004-20220901-en

Max time kernel

835s

Max time network

1218s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\test.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\out\test.js

Network

Country Destination Domain Proto
US 8.253.135.112:80 tcp
US 8.253.135.112:80 tcp
NL 104.80.225.205:443 tcp
US 20.189.173.4:443 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win10v2004-20220812-en

Max time kernel

1186s

Max time network

1934s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\lib\tmp.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\tmp\lib\tmp.js

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1789s

Max time network

1854s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wrappy\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wrappy\README.js

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win7-20220812-en

Max time kernel

1815s

Max time network

1854s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\wordwrapjs\index.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win10v2004-20220812-en

Max time kernel

1192s

Max time network

1931s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\@types\node\base.d.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\@types\node\base.d.js

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:34

Platform

win10v2004-20220812-en

Max time kernel

1153s

Max time network

1229s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\README.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\vblob\node_modules\eventtarget\README.js

Network

Country Destination Domain Proto
US 20.189.173.13:443 tcp
NL 104.80.225.205:443 tcp
NL 95.101.78.82:80 tcp
NL 95.101.78.82:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:36

Platform

win7-20220812-en

Max time kernel

1700s

Max time network

1853s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\lib\verror.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\verror\lib\verror.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2022-09-13 22:21

Reported

2022-09-13 23:35

Platform

win10v2004-20220901-en

Max time kernel

840s

Max time network

1213s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.es.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tools\nodejs\node_modules\webcrypto-core\build\webcrypto-core.es.js

Network

Country Destination Domain Proto
US 52.182.141.63:443 tcp
FR 2.18.109.224:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

N/A