Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

Payment_260127.wsf

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 21, 2023, 8:56 a.m.	April 21, 2023, 8:58 a.m.

Size	74.0KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`ad5e7053e14384edd2d8af5164d9f7bf`
SHA256	`1712dc1caca28662cc573afab4fc436f9adacded1f0292897a927bb06517c268`
CRC32	`9532E286`
ssdeep	`1536:a7oTQiVPcCJqNCUWwxPNN6oTy31tn/1ZOtO:a7ox7JqNswuEQn/1ZOtO`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Payment_260127.wsf
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
51.222.96.42	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Communicates with host for which no DNS query was performed (1 event)

host

51.222.96.42

Wscript.exe initiated network communications indicative of a script based payload download (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 21, 2023, 8:56 a.m.	url: http://51.222.96.42/aO03psmvtKQU.dat flags: 0	1	1	0
HttpOpenRequestW April 21, 2023, 8:56 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /aO03psmvtKQU.dat	1	13369356	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 21, 2023, 8:56 a.m.	url: http://51.222.96.42/aO03psmvtKQU.dat flags: 0	1	1	0
HttpOpenRequestW April 21, 2023, 8:56 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /aO03psmvtKQU.dat	1	13369356	0
send April 21, 2023, 8:56 a.m.	buffer: ! socket: 872 sent: 1	1	1	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

51.222.96.42:80