Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 3, 2023, 9:50 a.m.	May 3, 2023, 9:52 a.m.

Size	42.9KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`ad4bcd97e9014f9f76b05d5db8b1e273`
SHA256	`2cfffc7aff2656ddac2d73b855a70757e5370bf1af8f1ba1355daa23fdfef351`
CRC32	`2901C417`
ssdeep	`768:FjAbTum3DfTvVmnw5WyDCblhkehECwcbTum3DDe2xJ1ll:Fjkl3DbvwnPlDhvLl3Dzr`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\C713.wsf
3008
rundll32.exe C:\\Windows\\SysWOW64\\rundll32.exe C:\ProgramData\az9rjoe8faNg.dat,Time
2380

Name	Response	Post-Analysis Lookup
puntoproduction.com	A 162.241.194.193	162.241.194.193
tridayaonline.com	A 103.41.206.174	103.41.206.174
abragest.com	A 192.185.79.168	192.185.79.168
demosites.live	A 108.167.180.121	108.167.180.121

IP Address	Status	Action
103.41.206.174	Active	Moloch
108.167.180.121	Active	Moloch
162.241.194.193	Active	Moloch
164.124.101.2	Active	Moloch
192.185.79.168	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 162.241.194.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49161 -> 192.185.79.168:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49163 -> 192.185.79.168:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 162.241.194.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.79.168:443 -> 192.168.56.102:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 103.41.206.174:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.194.193:443 -> 192.168.56.102:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49170 -> 108.167.180.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49171 -> 108.167.180.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 108.167.180.121:443 -> 192.168.56.102:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49174 103.41.206.174:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=tridayaonline.com	b7:26:61:c5:52:d4:bf:e1:e9:77:dc:f7:0c:c3:39:b2:43:3b:06:21

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 3, 2023, 9:50 a.m.	computer_name: TEST22-PC	1	1	0

Performs some HTTP requests (1 event)

request

GET https://tridayaonline.com/rf7H/1203

Wscript.exe initiated network communications indicative of a script based payload download (9 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://abragest.com/yKmmLBY/170 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /yKmmLBY/170	1	13369356
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://puntoproduction.com/87bacDu/1704 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /87bacDu/1704	1	13369356
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://demosites.live/zAjzkL/200 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /zAjzkL/200	1	13369356
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://tridayaonline.com/rf7H/1203 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /rf7H/1203	1	13369356
InternetCrackUrlA May 3, 2023, 9:50 a.m.	url: https://tridayaonline.com/rf7H/1203 flags: 0	1	1

wscript.exe-based dropper (JScript, VBS) (4 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (46 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://abragest.com/yKmmLBY/170 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /yKmmLBY/170	1	13369356
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: okdQ¯ßÏkyÎFåËo¡aµf&Ùbk£×Dë/5 ÀÀÀ À 28*ÿabragest.com socket: 960 sent: 116	1	116
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: okdQ¯àDÔHQy >åÝ"Â$ ?ÿkÂ;`dß/5 ÀÀÀ À 28*ÿabragest.com socket: 960 sent: 116	1	116
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: 51dQ¯à³}ôu&¬uÿ-±¢8y~ñÇ9ûM]î ÿ socket: 960 sent: 58	1	58
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://puntoproduction.com/87bacDu/1704 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /87bacDu/1704	1	13369356
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: vrdQ¯áÌ¸ê¯ebZ^3%Á*Ó£Ù&yÇÅÄ1ÙP ²/5 ÀÀÀ À 281ÿpuntoproduction.com socket: 1076 sent: 123	1	123
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: vrdQ¯áakÛ;½*, Î©ÔÑß:¬Ð4äßPù/5 ÀÀÀ À 281ÿpuntoproduction.com socket: 1076 sent: 123	1	123
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: 51dQ¯á}ðe¼FèÈÄÑk u%ýÝAà2â¦»è³ ÿ socket: 1080 sent: 58	1	58
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://demosites.live/zAjzkL/200 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /zAjzkL/200	1	13369356
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: qmdQ¯âîÝLGô`ü§bGÑÛf\|k(ëõg¦d½¡©//5 ÀÀÀ À 28,ÿdemosites.live socket: 1084 sent: 118	1	118
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: qmdQ¯ã¤!´°^Çí(ä «ºM6\|vI³sçÌ±U/5 ÀÀÀ À 28,ÿdemosites.live socket: 1084 sent: 118	1	118
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: 51dQ¯ãõIÚ¢âa¥$wR´©È®9; ÿ socket: 1088 sent: 58	1	58
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 3, 2023, 9:50 a.m.	url: https://tridayaonline.com/rf7H/1203 flags: 0	1	1
HttpOpenRequestW May 3, 2023, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /rf7H/1203	1	13369356
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: tpdQ¯å,g¼ÐÜýÆ?çñ9.Ó 6ã`gÉ%x/5 ÀÀÀ À 28/ÿtridayaonline.com socket: 1092 sent: 121	1	121
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: FBA¾QõçÉÈ§ xå QÖÏY\|¯R(Vê-wÍ¢ÙWÀ7õAîMÓ5$ìG^Ú¾éÇ[vÉ P0{¨'´zêä©:õ~íÓD½:Èµu~{Æ²$ëÄÿÌwÞz^SU¤2ª socket: 1092 sent: 134	1	134
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 3, 2023, 9:50 a.m.	buffer: `£¿~ KÔµ¯Ë86C+û+°×Ô*²n»Â%áë0K19»ºeVUUüx÷µØÚôÅ Kp þÊÏAç;¦ ¬Ì¦é["½ãOâ9ûk ýBû K¶´¬9 ¤ý\| UBØaV ìÌÜâ½ÖO+ ºGcú'¤É¢ÖP~>¼{öM S¡âÓÉòÂMJUp{±üQßÂñì¢ ,+G«ÖUqßâí) ( ¨þ¤ÐF±DõÈ¤¸rÜ6>ô$IwQ²×"¸/éO÷QwBnêweýHÅMïý±Lò0@J?Ïþ©EIÞÖ×£2Ôçó¯y]ÅßXlãÇ°`)² )I1}jº -sùØc©30¾úOóz4Öî5xm_Údï¢°¥_]iOçøFQ socket: 1092 sent: 357	1	357
send May 3, 2023, 9:50 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlA May 3, 2023, 9:50 a.m.	url: https://tridayaonline.com/rf7H/1203 flags: 0	1	1

Generates some ICMP traffic

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod May 3, 2023, 9:50 a.m.	inargs.CurrentDirectory: None inargs.CommandLine: C:\\Windows\\SysWOW64\\rundll32.exe C:\ProgramData\az9rjoe8faNg.dat,Time inargs.ProcessStartupInformation: None outargs.ProcessId: 2380 outargs.ReturnValue: 0 flags: 0 method: Create class: Win32_Process	1	0	0

A potential heapspray has been detected. 2515 megabytes was sprayed onto the heap of the wscript.exe process (15 events)

count

13936

name

heapspray

process

wscript.exe

total_mb

163

length

12288

protection

PAGE_READWRITE

count

13918

name

heapspray

process

wscript.exe

total_mb

489

length

36864

protection

PAGE_READWRITE

count

1740

name

heapspray

process

wscript.exe

total_mb

101

length

61440

protection

PAGE_READWRITE

count

3482

name

heapspray

process

wscript.exe

total_mb

136

length

40960

protection

PAGE_READWRITE

count

13952

name

heapspray

process

wscript.exe

total_mb

length

4096

protection

PAGE_READWRITE

count

10465

name

heapspray

process

wscript.exe

total_mb

length

8192

protection

PAGE_READWRITE

count

1741

name

heapspray

process

wscript.exe

total_mb

length

53248

protection

PAGE_READWRITE

count

1744

name

heapspray

process

wscript.exe

total_mb

length

32768

protection

PAGE_READWRITE

count

3478

name

heapspray

process

wscript.exe

total_mb

258

length

77824

protection

PAGE_READWRITE

count

1739

name

heapspray

process

wscript.exe

total_mb

169

length

102400

protection

PAGE_READWRITE

count

3484

name

heapspray

process

wscript.exe

total_mb

length

16384

protection

PAGE_READWRITE

count

12181

name

heapspray

process

wscript.exe

total_mb

237

length

20480

protection

PAGE_READWRITE

count

5222

name

heapspray

process

wscript.exe

total_mb

224

length

45056

protection

PAGE_READWRITE

count

3484

name

heapspray

process

wscript.exe

total_mb

length

24576

protection

PAGE_READWRITE

count

6965

name

heapspray

process

wscript.exe

total_mb

326

length

49152

protection

PAGE_READWRITE

C713.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All