Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 20, 2023, 11:15 a.m.	April 20, 2023, 11:17 a.m.

Size	76.6KB
Type	Non-ISO extended-ASCII text, with very long lines, with CRLF, LF line terminators
MD5	`c8cdbe9de89761dd6364ac64c6fdf0cf`
SHA256	`8e6e01a514d1374a01348f3701292cef839b749ab702f521cb26ff502de65628`
CRC32	`E17AC349`
ssdeep	`1536:lQi3QiUM6QuQwWjijsq3bQm4U3KvIseYYvvpy:OstDIb0m3s3Ynpy`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Funds_166311.wsf
3024

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	104.20.67.143

IP Address	Status	Action
104.20.67.143	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49161 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49161 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 20, 2023, 11:15 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25 wscript+0x2fbd @ 0xf02fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75d43ef4 registers.esp: 1897704 registers.edi: 0 registers.eax: 13510616 registers.ebp: 1897732 registers.edx: 1 registers.ebx: 0 registers.esi: 5261152 registers.ecx: 1937782484	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 20, 2023, 11:15 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
wscript+0x2fbd @ 0xf02fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 1897704
registers.edi: 0
registers.eax: 13510616
registers.ebp: 1897732
registers.edx: 1
registers.ebx: 0
registers.esi: 5261152
registers.ecx: 1937782484

Performs some HTTP requests (2 events)

request	GET https://pastebin.com/raw/zD5ag0UX
request	GET https://pastebin.com/raw/mJfkXNYx

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 20, 2023, 11:15 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a3000 process_handle: 0xffffffff	1	0	0

Wscript.exe initiated network communications indicative of a script based payload download (6 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 20, 2023, 11:15 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 20, 2023, 11:15 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
InternetReadFile April 20, 2023, 11:15 a.m.	buffer: <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html> request_handle: 0x00cc000c	1	1
InternetCrackUrlW April 20, 2023, 11:15 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 20, 2023, 11:15 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
InternetReadFile April 20, 2023, 11:15 a.m.	buffer: <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html> request_handle: 0x00cc000c	1	1

wscript.exe-based dropper (JScript, VBS) (2 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (13 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 20, 2023, 11:15 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 20, 2023, 11:15 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
send April 20, 2023, 11:15 a.m.	buffer: ! socket: 852 sent: 1	1	1
send April 20, 2023, 11:15 a.m.	buffer: okd@ ?ÜM0l(þ³Þ6ð 6:1RsS)Ð+/5 ÀÀÀ À 28*ÿpastebin.com socket: 964 sent: 116	1	116
send April 20, 2023, 11:15 a.m.	buffer: ! socket: 852 sent: 1	1	1
send April 20, 2023, 11:15 a.m.	buffer: FBAçó4Óék±KXnæ¦,2sRìæ¿áA ùå»d/w9[ÙHÝ¯/éRð3Þf'a½Y½\m¿8û0´¼¬Ñ¢bâÎW¨çzcoKiú,:è_áV Ö ¦Âàg´j socket: 964 sent: 134	1	134
send April 20, 2023, 11:15 a.m.	buffer: ! socket: 852 sent: 1	1	1
send April 20, 2023, 11:15 a.m.	buffer: `Nìj÷-¿Ã¼ÃhòÈÐÕ³ÞlTæ&²úU]£ª L,ª@¸5óDÜ=v²&Pëq7+"rZi<~knhÝÿE wyACÁÀ½ñ6 éËH¸/±;S_¤9@m®X÷ú 4÷Â· ÷ÀyÊÿ÷·¢E#ôÞÍæd#lÜp[\?XA¡ÙÞu0Æ'¦uPú%Ê£õQRB1y·,gbd:PÓê77qªò{eäÕ3.¿YÕà0Zif@¥» È(x þD¹\¶ä?F G$»ÀâeÛ{9Æâqox»cðctRà¡m²8,ô2YãKéèÈÔÙôû{dCØÖæfÃÝ'-H+¯ÅÊ)æÎÀV9Ðü%>i¦ÖTtIPµè°u±© socket: 964 sent: 357	1	357
send April 20, 2023, 11:15 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW April 20, 2023, 11:15 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 20, 2023, 11:15 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
send April 20, 2023, 11:15 a.m.	buffer: `Ó.)uN¤ÖEHöÉîëÑÿ«CRwù¾f'ÙEñÿTS#FpÛþ¸BOÀ{·©`¥ô²# Ä ØÇ¥ù®º&zªX$Av1ÜP£Y§¾Eëxx¤¿ó¨ùc§¦wIcò·xS ßª¨2/þ?6ÙI§J èàbRí=t7¥l"Ú:@yúM^ØÐ`éúE¿¢Ümi+£]Èa(KJ2ie¼ Ó³(ÞPÝJD©ð8$Çþ{çÎEióñí³âi¶rSyà_ñÀ×òl¸÷Þy¾rÁ?$]½â¨éå<-º¦ò4o2&$[ç}xÚSát×®+³x70É²¨ObPiyt½LéÏ¨4{OXÙ0#¦+÷õ[b[m\|f socket: 964 sent: 357	1	357
send April 20, 2023, 11:15 a.m.	buffer: ! socket: 852 sent: 1	1	1

Funds_166311.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All