Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 10, 2024, 10:40 p.m.	July 10, 2024, 10:42 p.m.

Size	840.7KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`ad27be427dd7f922143e57fd1fa64f98`
SHA256	`4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08`
CRC32	`A87FA5E2`
ssdeep	`12288:ifY8It0lbvO1PJ9XyuRrvafaI8ieJaU4I79VXHv0aIn83IHiz0:iubAaIoUCI`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js
2560
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js"
  2652
- invoice_a_202.exe "C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe"
  2768
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
    2844
    - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe"
      2916
      - windowsjx.exe C:\ProgramData\Remcos\windowsjx.exe
        2976

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.157.162.75	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 10, 2024, 10:40 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 10, 2024, 10:40 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2024, 10:40 p.m.	process_identifier: 2844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 10, 2024, 10:40 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

windowsjx.exe tried to sleep 349 seconds, actually delayed analysis time by 349 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe
file	C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js
file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 10, 2024, 10:40 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1	0
ShellExecuteExW July 10, 2024, 10:40 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\ProgramData\Remcos\windowsjx.exe" filepath: cmd	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

185.157.162.75

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoftjx	reg_value	"C:\ProgramData\Remcos\windowsjx.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoftjx	reg_value	"C:\ProgramData\Remcos\windowsjx.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoftjx	reg_value	"C:\ProgramData\Remcos\windowsjx.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoftjx	reg_value	"C:\ProgramData\Remcos\windowsjx.exe"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe
file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA July 10, 2024, 10:40 p.m.	thread_identifier: 0 callback_function: 0x00408d39 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	721307	0

One or more non-whitelisted processes were created (6 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js"
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe
parent_process	wscript.exe	martian_process	wscript //B "C:\Users\test22\AppData\Roaming\bQiNiwTuYc.js"
parent_process	wscript.exe	martian_process	cmd /c "C:\ProgramData\Remcos\windowsjx.exe"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe"

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Lionic	Trojan.Script.Generic.4!c
McAfee	JS/Vjw0rm.b
ALYac	Trojan.Script.GenericKDZ.13960
VIPRE	Trojan.Script.GenericKDZ.13960
Sangfor	Malware.Generic-JS.Save.c2e12912
Arcabit	Trojan.Script.Generic.D3688
Cyren	JS/Agent.BII.gen!Eldorado
Symantec	ISB.Dropper!gen1
ESET-NOD32	JS/TrojanDropper.Agent.NSL
Avast	JS:Cryxos-M [Trj]
Cynet	Malicious (score: 99)
BitDefender	Trojan.Script.GenericKDZ.13960
NANO-Antivirus	Trojan.Script.Dropper.foxxbq
MicroWorld-eScan	Trojan.Script.GenericKDZ.13960
Rising	Dropper.Agent/JS!8.126A2 (TOPIS:E0:A4NeuhdiXIR)
Emsisoft	Trojan.Script.GenericKDZ.13960 (B)
F-Secure	Malware.JS/Malscript.G34
DrWeb	Trojan.Siggen18.29718
McAfee-GW-Edition	JS/Vjw0rm.b
FireEye	Trojan.Script.GenericKDZ.13960
Ikarus	Trojan.Script
Avira	JS/Malscript.G34
Microsoft	Trojan:Win32/Leonem
GData	Trojan.Script.GenericKDZ.13960
Google	Detected
VBA32	suspected of JS.Crypted.Heur
Tencent	Js.Virus.Malscript.Kqil
MAX	malware (ai score=84)
AVG	JS:Cryxos-M [Trj]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.157.162.75:62186

The process wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Users\test22\AppData\Local\Temp\invoice_a_202.exe
file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All