Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 7, 2024, 10:16 a.m.	Aug. 7, 2024, 10:18 a.m.

Size	19.1KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`367299f3b78921590e30252fcc114cc7`
SHA256	`af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba`
CRC32	`6D128ABE`
ssdeep	`48:3bRsY90sYJdUGkpHDvTWMCtsj84kl1ByPMRcsYB8sYywQzZdfsYoGG:rCIbXpjvT9Ct883l1B9CCr`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ienetworks.hta.wsf
1636

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 7, 2024, 10:16 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25 wscript+0x2fbd @ 0xb12fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75d43ef4 registers.esp: 3537020 registers.edi: 0 registers.eax: 39909000 registers.ebp: 3537048 registers.edx: 1 registers.ebx: 0 registers.esi: 4705176 registers.ecx: 1945974484	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 7, 2024, 10:16 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
wscript+0x2fbd @ 0xb12fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 3537020
registers.edi: 0
registers.eax: 39909000
registers.ebp: 3537048
registers.edx: 1
registers.ebx: 0
registers.esi: 4705176
registers.ecx: 1945974484

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 7, 2024, 10:16 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa3000 process_handle: 0xffffffff	1	0	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

ALYac	VBS.Heur.Asthma.2.C43158E1.Gen
VIPRE	VBS.Heur.Asthma.2.C43158E1.Gen
Arcabit	VBS.Heur.Asthma.2.C43158E1.Gen
Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/TrojanDownloader.Agent.DDN
Avast	BV:Agent-BVA [Drp]
BitDefender	VBS.Heur.Asthma.2.C43158E1.Gen
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
MicroWorld-eScan	VBS.Heur.Asthma.2.C43158E1.Gen
Emsisoft	VBS.Heur.Asthma.2.C43158E1.Gen (B)
FireEye	VBS.Heur.Asthma.2.C43158E1.Gen
MAX	malware (ai score=87)
GData	VBS.Heur.Asthma.2.C43158E1.Gen
Fortinet	VBS/Obfuscated.AO!tr
AVG	BV:Agent-BVA [Drp]

ienetworks.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All