Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 1, 2022, 12:36 p.m.	Oct. 1, 2022, 12:38 p.m.

Size	46.3KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`8071f8af591e0433f4709047836143a2`
SHA256	`a69f3622f93337b9501d5721ed248d24f5816a6d57eea3002ce97042e0d0335d`
CRC32	`9C9F6795`
ssdeep	`768:EBZf2fDUXKoJY7k8+wryZS83azUz7OCEv1UxKAFyP1KPqVJhajDudIBSSLtQG:EBZufP6Y7kjwrXyUUzyCEv1Ux5yP1KPv`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
2980
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\LYSVcAPajL.js"
  204
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
  2216
  - wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\LYSVcAPajL.js"
    156

Name	Response	Post-Analysis Lookup
fresh01.ddns.net	A 79.134.225.11	79.134.225.11
javaautorun.duia.ro	A 41.217.31.194	41.217.31.194

IP Address	Status	Action
164.124.101.2	Active	Moloch
41.217.31.194	Active	Moloch
79.134.225.11	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:64513 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 57 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 1, 2022, 12:37 p.m.	computer_name: TEST22-PC	1	1

Connects to a Dynamic DNS Domain (1 event)

domain

fresh01.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 1, 2022, 12:36 p.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2022, 12:36 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2022, 12:36 p.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d2000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

wscript.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (16 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2227383 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2226867 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2226862 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2227002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2227002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2227002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2227002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:36 p.m.	number_of_free_clusters: 2227002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2227002 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2226970 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2226970 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2226971 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2226973 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2226973 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2226973 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 1, 2022, 12:37 p.m.	number_of_free_clusters: 2226973 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\LYSVcAPajL.js

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (50 out of 52 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:38 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:38 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356

Installs itself for autorun at Windows startup (36 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confirmation transfer Copy MT103 Ref_000101237829382_PDF	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

CAT-QuickHeal	Trojan.JS.Cryxos.37051
Cyren	JS/Agent.BMB.gen!Eldorado
Symantec	JS.Vajawom
ESET-NOD32	JS/Kryptik.CIA
Kaspersky	HEUR:Trojan-Downloader.Script.SLoad.gen
NANO-Antivirus	Trojan.Script.Downloader.ezetbq
Comodo	TrojWare.JS.Crypt.BNB@8chm46
Google	Detected
Microsoft	Trojan:Script/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Script.Generic
VBA32	suspected of JS.Crypted.Heur
Ikarus	Trojan.Script

wscript.exe-based dropper (JScript, VBS) (26 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 78 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Oct. 1, 2022, 12:37 p.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Oct. 1, 2022, 12:37 p.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:38 p.m.	url: http://javaautorun.duia.ro:5465/Vre flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:38 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Oct. 1, 2022, 12:38 p.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:36 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:36 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:36 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:37 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:37 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 1, 2022, 12:37 p.m.	buffer: ! socket: 1104 sent: 1	1	1
InternetCrackUrlW Oct. 1, 2022, 12:37 p.m.	url: http://fresh01.ddns.net:2256/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 1, 2022, 12:37 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

One or more non-whitelisted processes were created (6 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\LYSVcAPajL.js"
parent_process	wscript.exe	martian_process	wscript //B "C:\Users\test22\AppData\Roaming\LYSVcAPajL.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\LYSVcAPajL.js"
parent_process	wscript.exe	martian_process	wscript.exe //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js"
parent_process	wscript.exe	martian_process	wscript //B "C:\Users\test22\AppData\Roaming\LYSVcAPajL.js"

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (18 events)

dead_host	192.168.56.102:49187
dead_host	192.168.56.102:49171
dead_host	192.168.56.102:49165
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49170
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49188
dead_host	79.134.225.11:2256
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49189
dead_host	192.168.56.102:49168
dead_host	192.168.56.102:49183
dead_host	192.168.56.102:49180
dead_host	41.217.31.194:5465
dead_host	192.168.56.102:49174
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49175
dead_host	192.168.56.102:49186

Confirmation transfer Copy MT103 Ref_000101237829382_PDF.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All