Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 7, 2024, 9:48 a.m.	Aug. 7, 2024, 10:10 a.m.

Size	254.6KB
Type	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5	`67d660ff76a9414cc62d4ddf7f3223f6`
SHA256	`a5927250203747b32a59412cebb3685e3b4edd97d0adf3320f76a2998974e4ae`
CRC32	`C0E1D53E`
ssdeep	`768:sQKYqDbDpN2T5aeUXBBRC3XUFIG/lM6MO3hZjprBo:r`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\wp.vbs
2556
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\wp.vbs"
  2680

Name	Response	Post-Analysis Lookup
chongmei33.publicvm.com	A 46.246.6.6	46.246.6.6

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.246.6.6	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2034457	ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 7, 2024, 9:50 a.m.	computer_name: TEST22-PC	1	1

Connects to a Dynamic DNS Domain (1 event)

domain

chongmei33.publicvm.com

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 7, 2024, 9:48 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Aug. 7, 2024, 9:48 a.m.	number_of_free_clusters: 3253089 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2024, 9:48 a.m.	number_of_free_clusters: 3253081 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2024, 9:49 a.m.	number_of_free_clusters: 3253061 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2024, 9:49 a.m.	number_of_free_clusters: 3252927 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Aug. 7, 2024, 9:50 a.m.	number_of_free_clusters: 3252927 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (10 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Aug. 7, 2024, 9:48 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:48 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 7, 2024, 9:48 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:48 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 7, 2024, 9:49 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:49 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 7, 2024, 9:49 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:49 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Aug. 7, 2024, 9:50 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Installs itself for autorun at Windows startup (14 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

wscript.exe-based dropper (JScript, VBS) (5 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (15 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Aug. 7, 2024, 9:48 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:48 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 7, 2024, 9:48 a.m.	buffer: ! socket: 976 sent: 1	1	1
InternetCrackUrlW Aug. 7, 2024, 9:48 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:48 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 7, 2024, 9:48 a.m.	buffer: ! socket: 976 sent: 1	1	1
InternetCrackUrlW Aug. 7, 2024, 9:49 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:49 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 7, 2024, 9:49 a.m.	buffer: ! socket: 976 sent: 1	1	1
InternetCrackUrlW Aug. 7, 2024, 9:49 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:49 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 7, 2024, 9:49 a.m.	buffer: ! socket: 976 sent: 1	1	1
InternetCrackUrlW Aug. 7, 2024, 9:50 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Aug. 7, 2024, 9:50 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Aug. 7, 2024, 9:50 a.m.	buffer: ! socket: 976 sent: 1	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\wp.vbs"
parent_process	wscript.exe				martian_process	wscript.exe //B "C:\Users\test22\AppData\Roaming\wp.vbs"

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

46.246.6.6:7045

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Skyhigh	VBS/Agent.dy
ALYac	VB:Trojan.Valyria.4537
Sangfor	Malware.Generic-VBS.Save.d63cbaa2
Arcabit	VB:Trojan.Valyria.D11B9
Symantec	VBS.Heur.SNIC
ESET-NOD32	VBS/Agent.OXW
Avast	JS:Skiddo-A [Trj]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.VBS.Agent.bdq
BitDefender	VB:Trojan.Valyria.4537
NANO-Antivirus	Trojan.Script.Agent.iwquii
MicroWorld-eScan	VB:Trojan.Valyria.4537
Emsisoft	VB:Trojan.Valyria.4537 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPTL
VIPRE	VB:Trojan.Valyria.4537
FireEye	VB:Trojan.Valyria.4537
Sophos	VBS/DwnLdr-ACDC
Ikarus	Trojan-Downloader.VBS.Agent
Google	Detected
Avira	VBS/Dldr.Agent.VPTL
MAX	malware (ai score=82)
Kingsoft	Script.Troj.vbs.2023153
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	Trojan.VBS.Agent.bdq
GData	VB:Trojan.Valyria.4537
Varist	VBS/Dunihi.A
McAfee	VBS/Agent.dy
huorong	Trojan/VBS.Obfuscator.f
Fortinet	VBS/Agent.OXW!tr
AVG	JS:Skiddo-A [Trj]

wp.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All