Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 6, 2021, 10:53 a.m.	Aug. 6, 2021, 10:55 a.m.

Size	2.0KB
Type	HTML document, ASCII text
MD5	`822fb233e4614239ae79d9f901d98821`
SHA256	`386920ea6252af6feb7947fb1053018d4fe23325bbcc27455b6cc32a039cc6c1`
CRC32	`38E3B860`
ssdeep	`24:AzK3qc522ZYdEybUJLMsU05x8dwNV40eKB4n+g/RJrAcNRNxVHfbv+GOBneHQdRt:rkddbaU069n99NzTWfe9+QdLfM`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\Adscouponcode.hta
1540

Name	Response	Post-Analysis Lookup
ajax.googleapis.com	A 172.217.174.202	172.217.175.234

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.174.202	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 172.217.174.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 172.217.174.202:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	ff:c0:ff:a1:df:4a:a6:62:2c:77:6b:0d:f5:da:dd:3c:ed:16:58:29

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 6, 2021, 10:53 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js

Allocates read-write-execute memory (usually to unpack itself) (50 out of 142 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03413000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03414000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03414000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03414000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03415000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03415000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03415000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03415000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03416000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03418000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03418000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03418000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03418000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03418000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03418000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03419000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03419000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0341f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03462000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03462000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03463000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\jquery.min[1].js

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 6, 2021, 10:53 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x03410000 process_handle: 0xffffffff	1	0	0

Adscouponcode.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All