Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 19, 2023, 5:50 p.m.	April 19, 2023, 5:53 p.m.

Size	78.5KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`05b869c9cc7e17a6216b23cc5da83ade`
SHA256	`8c399ed57197ce38c5aedbc5720690d34172f558701b50303ccf6c37700bc278`
CRC32	`567DA9B3`
ssdeep	`1536:RR3LU0FGHNkg5j+9GkGaeA1ZI4sDQ0G29cWoRWvmXYmSelDCPF:zU0Fs+9VpIRItovaYmSelDCPF`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Funds_431353.wsf
1700

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	172.67.34.170

IP Address	Status	Action
104.20.67.143	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49161 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 19, 2023, 5:51 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 wscript+0x2fbd @ 0x352fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 3405444 registers.edi: 0 registers.eax: 37364880 registers.ebp: 3405472 registers.edx: 1 registers.ebx: 0 registers.esi: 6689680 registers.ecx: 1941976444	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 19, 2023, 5:51 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
wscript+0x2fbd @ 0x352fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 3405444
registers.edi: 0
registers.eax: 37364880
registers.ebp: 3405472
registers.edx: 1
registers.ebx: 0
registers.esi: 6689680
registers.ecx: 1941976444

Performs some HTTP requests (2 events)

request	GET https://pastebin.com/raw/zD5ag0UX
request	GET https://pastebin.com/raw/mJfkXNYx

Wscript.exe initiated network communications indicative of a script based payload download (6 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 19, 2023, 5:50 p.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 19, 2023, 5:50 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
InternetReadFile April 19, 2023, 5:50 p.m.	buffer: <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html> request_handle: 0x00cc000c	1	1
InternetCrackUrlW April 19, 2023, 5:50 p.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 19, 2023, 5:50 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
InternetReadFile April 19, 2023, 5:50 p.m.	buffer: <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html> request_handle: 0x00cc000c	1	1

wscript.exe-based dropper (JScript, VBS) (2 events)

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (13 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 19, 2023, 5:50 p.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 19, 2023, 5:50 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
send April 19, 2023, 5:50 p.m.	buffer: ! socket: 852 sent: 1	1	1
send April 19, 2023, 5:50 p.m.	buffer: okd?«k.ô~\|n´ìä³Úá"X"¬þÌ-QEkÑ/5 ÀÀÀ À 28ÿpastebin.com socket: 960 sent: 116	1	116
send April 19, 2023, 5:50 p.m.	buffer: ! socket: 852 sent: 1	1	1
send April 19, 2023, 5:50 p.m.	buffer: FBAFÀº`ÆðJwQVxQÿê,r¬Áib¥â_F3¾ÐÌ(2Q$Ä¾£]tA3BóÃá@VÃ#½ü0§ûª¦½z¨o9í$Ô,¡v«ñ±jÙêäãåi,ÿqrñNqHU2è socket: 960 sent: 134	1	134
send April 19, 2023, 5:50 p.m.	buffer: ! socket: 852 sent: 1	1	1
send April 19, 2023, 5:50 p.m.	buffer: PÿK¬zäa\pÚÿáô8Mp¡Ùbô3âH>ÕÜîvH8÷Á[:§ÀD®ü¼IÔ,¾²ÏKÆ-®Åç`½p§ö¬]46fE8A&9fGè2ûxJã×Ëe£òiW'åãbÁÙæM[%"¨ MSFF³T°WG5åüzÿhüÇ%ä_¹VÝÜ¦lÑzkÑ§Í_Ó2´Ü\vAdqt¡ ¸·Á0 ;o¥%uKËôæ1¶Sl¨Ïy¾Ï»I®äqë(OãahNCJzwxÙpRQ[¼Ørý»gÆV÷*É÷ï»M²)ëIw¢v«}äáü2p[áÂÅÿpêÜò¾Ûc0Êyr'o¶Û èÍ`-uéXwì8y$[9jÌ{;¼7!0x socket: 960 sent: 341	1	341
send April 19, 2023, 5:50 p.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW April 19, 2023, 5:50 p.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 19, 2023, 5:50 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
send April 19, 2023, 5:50 p.m.	buffer: PRfct¡ÄÝÜû%ÃÐ Ò£Ð÷_×µ%ôGõßE¥@Ý6Ø='1ñ0©´In ¿é{Ü_0ã¿%*»KBV´Âê0óZ±NhK×¨bU¶åìtP]fxüþe.nçÚ6ºAóoò\«ãl]âDHÈ}ZCþó[L:õõÀSÞù"¥®;øÕý CÂ4mO\|ì+ePâúb¼2ôÊoÑR£îyTå¿¹óâ³Ýò§\6f©0^ÂÛ½óR}ª zØÀöüùU]Îã}©èÊ4ïºÑ qfS$Ò°³Ý¸!6ØwEêó©íaæeÝs#úpISZ°$êYa¥T ,ÌS«ä^HÛh&)³ù«¡_¸.þ7ªÝÜjé×!C-d socket: 960 sent: 341	1	341
send April 19, 2023, 5:50 p.m.	buffer: ! socket: 852 sent: 1	1	1

Funds_431353.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All