Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 13, 2023, 12:33 a.m.	Oct. 13, 2023, 12:35 a.m.

Size	243.5KB
Type	MS Windows HtmlHelp Data
MD5	`2556a9e1d5e9874171f51620e5c5e09a`
SHA256	`7f0511b09b1ab3a64c8827dd8af017acbf7d2688db31a5d98fea8a5029a89d56`
CRC32	`FC08FF38`
ssdeep	`6144:6hK9QF9IF78JuiKgnheEVfh+x6I/c0mGkBZ6w5+2yrBnx:d9QFq78JuiBnheEVqvcBZ6ws7nx`
Yara	chm_file_format - chm file format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "PBAB" C:\Users\test22\AppData\Local\Temp\dovidka.chm
2544
- hh.exe "C:\Windows\hh.exe" C:\Users\test22\AppData\Local\Temp\dovidka.chm
  2656
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\ignit.vbs"
    2900
  - wscript.exe "C:\Windows\System32\wscript.exe" //B //E:vbs C:\Users\Public\Favorites\desktop.ini
    2984
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\Public\Libraries\core.dll
      604

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 13, 2023, 12:33 a.m.			0	0
IsDebuggerPresent Oct. 13, 2023, 12:33 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Oct. 13, 2023, 12:33 a.m.	buffer: Microsoft .NET Framework Assembly Registration Utility version 4.0.30319.17929 for Microsoft .NET Framework version 4.0.30319.17929 Copyright (C) Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 13, 2023, 12:33 a.m.	buffer: RegAsm : error RA0000 : Failed to load 'C:\Users\Public\Libraries\core.dll' because it is not a valid .NET assembly console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 13, 2023, 12:33 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (35 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 2984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7337b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71462000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7049a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7329f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00961000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73271000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74141000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Prefetch.lNk
file	C:\Users\Public\ignit.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Prefetch.lNk

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 13, 2023, 12:33 a.m.	show_type: 0 filepath_r: C:\Users\Public\ignit.vbs parameters: filepath: C:\Users\Public\ignit.vbs	1	1
ShellExecuteExW Oct. 13, 2023, 12:33 a.m.	show_type: 0 filepath_r: wscript.exe parameters: //B //E:vbs C:\Users\Public\Favorites\desktop.ini filepath: wscript.exe	1	1
ShellExecuteExW Oct. 13, 2023, 12:33 a.m.	show_type: 0 filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe parameters: /U C:\Users\Public\Libraries\core.dll filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 13, 2023, 12:33 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

A process attempted to delay the analysis task. (1 event)

description

RegAsm.exe tried to sleep 2728173 seconds, actually delayed analysis time by 2728173 seconds

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Prefetch.lNk

Drops a binary and executes it (1 event)

file	C:\Users\Public\ignit.vbs

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\Public\Libraries\core.dll
parent_process	wscript.exe				martian_process	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /U C:\Users\Public\Libraries\core.dll

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 2656
NtResumeThread Oct. 13, 2023, 12:33 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2656	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.VBS.Agent.b!c
MicroWorld-eScan	Trojan.GenericKD.39159037
Skyhigh	HTML/Agent.i
ALYac	Exploit.CVE-2019-0541
K7AntiVirus	Trojan ( 0001140e1 )
K7GW	Trojan ( 0001140e1 )
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBS/TrojanDropper.Agent.OVE
TrendMicro-HouseCall	Trojan.VBS.DROPPER.M
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	Trojan-Dropper.VBS.Agent.ow
BitDefender	Trojan.GenericKD.39159037
Rising	Dropper.Agent/VBS!8.12129 (TOPIS:E0:PMkBg2JzqSK)
Emsisoft	Trojan.GenericKD.39159037 (B)
F-Secure	Malware.VBS/Drop.Agent.AW
DrWeb	Trojan.MulDrop19.59136
VIPRE	Trojan.GenericKD.39159037
TrendMicro	Trojan.VBS.DROPPER.M
FireEye	Trojan.GenericKD.39159037
Sophos	Troj/CHMDrop-M
GData	Trojan.GenericKD.39159037
Varist	VBS/Agent.ALE
Avira	VBS/Drop.Agent.AW
MAX	malware (ai score=100)
Antiy-AVL	GrayWare[APT]/Office.Unc1151
Xcitium	Malware@#1iqsbfr3047p2
Arcabit	Trojan.Generic.D25584FD
ViRobot	CHM.S.Agent.249340
ZoneAlarm	Trojan-Dropper.VBS.Agent.ow
Microsoft	Trojan:Win32/WinLNK
Google	Detected
AhnLab-V3	Downloader/Chm.Agen
McAfee	HTML/Agent.i
Tencent	Vbs.Trojan-Dropper.Agent.Cujl
Ikarus	Trojan-Dropper.VBS.Agent
Fortinet	VBS/Agent.OVE!tr
AVG	Other:Malware-gen [Trj]

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

dovidka.chm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All