Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 2, 2023, 6:31 p.m.	June 2, 2023, 6:33 p.m.

Size	51.5KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`0f721b8721fcf53a2f584d1e14576222`
SHA256	`f161d48c833773858c90a6f75b8a826a3c9e4803c879d390528ee1fdf694016b`
CRC32	`3D4C3980`
ssdeep	`768:3u8nrzB3MhzVxPsAU96jqlTqT5qeG3Wb4/yWDnh1d7ySTaiWXxLRw0HUsOMgbt8I:lx6/oFt8huvX4m`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Atm_Fradulent_Transaction_Note_docx.js
1572
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
  2164

Name	Response	Post-Analysis Lookup
phhvvvvzeraphulo.gotdns.ch	A 185.227.82.21	185.227.82.21

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.227.82.21	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2042740	ET INFO DYNAMIC_DNS Query to a *.gotdns .ch Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 2, 2023, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2023, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2023, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2023, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2023, 6:31 p.m.	computer_name: TEST22-PC	1	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (17 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW June 2, 2023, 6:31 p.m.	number_of_free_clusters: 2425221 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:31 p.m.	number_of_free_clusters: 2425210 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:31 p.m.	number_of_free_clusters: 2425209 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:31 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:31 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:31 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:32 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:33 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 2, 2023, 6:33 p.m.	number_of_free_clusters: 2425227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Symantec	ISB.Downloader!gen52
Kaspersky	HEUR:Trojan.Script.Startup.gen
McAfee-GW-Edition	BehavesLike.JS.Exploit.qm

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (34 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:33 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:33 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 2, 2023, 6:33 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:33 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Installs itself for autorun at Windows startup (38 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atm_Fradulent_Transaction_Note_docx	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

wscript.exe-based dropper (JScript, VBS) (17 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 51 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:31 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:31 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:31 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:31 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:31 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:31 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:31 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:31 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:32 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:32 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:32 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:33 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:33 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 2, 2023, 6:33 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW June 2, 2023, 6:33 p.m.	url: http://phhvvvvzeraphulo.gotdns.ch:5492/is-ready flags: 0	1	1
HttpOpenRequestW June 2, 2023, 6:33 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"
parent_process	wscript.exe				martian_process	wscript.exe //B "C:\Users\test22\AppData\Roaming\Atm_Fradulent_Transaction_Note_docx.js"

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (18 events)

dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49163
dead_host	192.168.56.103:49180
dead_host	185.227.82.21:5492
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49166

Atm_Fradulent_Transaction_Note_docx.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All