Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 11, 2021, 10:12 a.m.	Aug. 11, 2021, 10:20 a.m.

Size	2.8KB
Type	ASCII text, with CRLF line terminators
MD5	`424085315ca9018d431fd693e72bfa64`
SHA256	`bef413d426877a9f43dddd722cbd5b35905b57116820d2d93d5bea7ba4739483`
CRC32	`0B5A91AA`
ssdeep	`48:5FGABpaDS1kzGIR0L6OhNrSA+g7rul3lnxl8H3C:5EABpaDSKzGIRo2A+gPul3lnxmXC`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\222222.vbs
1100
- schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs
  2084

Name	Response	Post-Analysis Lookup
facebook-sports.publicvm.com	A 81.171.31.214	81.171.31.214

IP Address	Status	Action
164.124.101.2	Active	Moloch
81.171.31.214	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 91 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2021, 10:13 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 11, 2021, 10:12 a.m.	buffer: SUCCESS: The scheduled task "Skype" has successfully been created. console_handle: 0x00000007	1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

facebook-sports.publicvm.com

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs
cmdline	schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 11, 2021, 10:12 a.m.	show_type: 0 filepath_r: schtasks parameters: /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs filepath: schtasks	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs
cmdline	schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs

Wscript.exe initiated network communications indicative of a script based payload download (30 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:14 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:14 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:14 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:14 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Aug. 11, 2021, 10:14 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:14 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs
cmdline	schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs

wscript.exe-based dropper (JScript, VBS) (15 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (45 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:12 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:12 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:12 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:12 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:12 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:13 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:13 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:14 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:14 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:14 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:14 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:14 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:14 a.m.	buffer: ! socket: 1060 sent: 1	1	1
InternetCrackUrlW Aug. 11, 2021, 10:14 a.m.	url: http://facebook-sports.publicvm.com:9999/Vre flags: 0	1	1
HttpOpenRequestW Aug. 11, 2021, 10:14 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 11, 2021, 10:14 a.m.	buffer: ! socket: 1060 sent: 1	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs
parent_process	wscript.exe				martian_process	schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\test22\AppData\Local\Temp\222222.vbs

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.VBS.Agent.4!c
MicroWorld-eScan	VB:Trojan.Valyria.3090
FireEye	VB:Trojan.Valyria.3090
Sangfor	Worm.Generic-Script.Save.265b0e93
Cyren	VBS/Veanslim.A
Symantec	Trojan.Malscript
ESET-NOD32	VBS/Agent.NNI
Baidu	VBS.Trojan-Downloader.Agent.pn
Avast	VBS:Agent-BVH [Trj]
Kaspersky	Trojan.VBS.Agent.ahf
BitDefender	VB:Trojan.Valyria.3090
NANO-Antivirus	Trojan.Script.MLW.eienze
Tencent	Vbs.Trojan.Agent.Pabo
Ad-Aware	VB:Trojan.Valyria.3090
Comodo	Worm.VBS.Agent.NNI@8fded6
McAfee-GW-Edition	BehavesLike.VBS.Backdoor.xp
Emsisoft	VB:Trojan.Valyria.3090 (B)
Jiangmin	Trojan.VBS.hf
MAX	malware (ai score=81)
Microsoft	TrojanDownloader:VBS/Donvibs.Q
GData	Script.Worm.Veanslim.B
ALYac	VB:Trojan.Valyria.3090
Ikarus	Win32.Outbreak
Fortinet	VBS/Agent.ONU!tr.dldr
AVG	VBS:Agent-BVH [Trj]
Qihoo-360	virus.vbs.houdini.b

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\schtasks.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (16 events)

dead_host	192.168.56.102:49172
dead_host	192.168.56.102:49166
dead_host	192.168.56.102:49173
dead_host	192.168.56.102:49167
dead_host	192.168.56.102:49178
dead_host	192.168.56.102:49179
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49170
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49171
dead_host	192.168.56.102:49168
dead_host	192.168.56.102:49169
dead_host	192.168.56.102:49180
dead_host	81.171.31.214:9999
dead_host	192.168.56.102:49174
dead_host	192.168.56.102:49175

222222.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All