Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 12, 2024, 11:22 a.m.	Aug. 12, 2024, 11:24 a.m.

Size	16.4KB
Type	HTML document, ASCII text, with very long lines
MD5	`bc97e8b78d54a21fa34fd4be1095c5d9`
SHA256	`8f1af2913a1a784fb463c94b7dc25c826320ece06bee06b2d8d99589d79034c4`
CRC32	`AF23B210`
ssdeep	`384:lNNlqK3X3rIOgiThHHsdQ0lz5q1QgE3LzTWEqmak44Cv7vKjshN2:l/lqI7IOVdsdFlz5mQgE3LzTWEqmYP7c`
Yara	Win_Trojan_Formbook_Zero - Used Formbook

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\Director.hta
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 11:22 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03bd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0334b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03347000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03345000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c	1	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 created a remote thread in non-child process 2636
CreateRemoteThread Aug. 12, 2024, 11:22 a.m.	thread_identifier: 0 process_identifier: 2636 function_address: 0x000c0000 flags: 0 stack_size: 0 parameter: 0x00000000 process_handle: 0x0000033c	1	836	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 manipulating memory of non-child process 2636
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 injected into non-child 2636
WriteProcessMemory Aug. 12, 2024, 11:22 a.m.	buffer: üè`1ÒdR0åRRr(·J&1ÿ1À¬<a\|, ÁÏ ÇIuïRWRB<Ð@xÀtLÐPX ÓHÉt<I1ÿ4Ö1ÀÁÏ ¬Ç8àuô}ø;}$uàXX$ÓfKXÓÐD$$[[aYZQÿàX_Zéÿÿÿ]h32hws2_ThLw&èÿÐ¸)ÄTPh)kÿÕj hÀ¨Ïh\æPPPP@P@PhêßàÿÕjVWh¥taÿÕÀt ÿNuìègjjVWhÙÈ_ÿÕø~66j@hVjhX¤SåÿÕSjVSWhÙÈ_ÿÕø}(Xh@jPh/0ÿÕWhunMaÿÕ^^ÿ$pÿÿÿéÿÿÿÃ)ÆuÁÃ»ðµ¢VjSÿÕ base_address: 0x000c0000 process_identifier: 2636 process_handle: 0x0000033c	1	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.207.2:4444

Executed a process and injected code into it, probably while unpacking (5 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 12, 2024, 11:22 a.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Aug. 12, 2024, 11:22 a.m.	thread_identifier: 2640 thread_handle: 0x00000338 process_identifier: 2636 current_directory: filepath: C:\Windows\SysWOW64\rundll32.exe track: 1 command_line: filepath_r: C:\Windows\SysWOW64\rundll32.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x0000033c	1	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:22 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c	1	0
WriteProcessMemory Aug. 12, 2024, 11:22 a.m.	buffer: üè`1ÒdR0åRRr(·J&1ÿ1À¬<a\|, ÁÏ ÇIuïRWRB<Ð@xÀtLÐPX ÓHÉt<I1ÿ4Ö1ÀÁÏ ¬Ç8àuô}ø;}$uàXX$ÓfKXÓÐD$$[[aYZQÿàX_Zéÿÿÿ]h32hws2_ThLw&èÿÐ¸)ÄTPh)kÿÕj hÀ¨Ïh\æPPPP@P@PhêßàÿÕjVWh¥taÿÕÀt ÿNuìègjjVWhÙÈ_ÿÕø~66j@hVjhX¤SåÿÕSjVSWhÙÈ_ÿÕø}(Xh@jPh/0ÿÕWhunMaÿÕ^^ÿ$pÿÿÿéÿÿÿÃ)ÆuÁÃ»ðµ¢VjSÿÕ base_address: 0x000c0000 process_identifier: 2636 process_handle: 0x0000033c	1	1
NtResumeThread Aug. 12, 2024, 11:22 a.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 2544	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Script.Dojos.4!c
ClamAV	Win.Ransomware.BlackByte-9915811-0
CAT-QuickHeal	Script.CactusTorch.46900
McAfee	VBS/Cactustorch.a
ALYac	VB:Trojan.Valyria.998
VIPRE	VB:Trojan.Valyria.998
Sangfor	Trojan_Script_Generic_1
Arcabit	VB:Trojan.Valyria.998
Cyren	VBS/Agent.AUA
Symantec	Hacktool.Cactorch
ESET-NOD32	Win32/CobaltStrike.Beacon.A
Avast	JS:Agent-EFZ [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.Script.Dojos.c
BitDefender	VB:Trojan.Valyria.998
NANO-Antivirus	Trojan.Script.ExpKit.ezonew
MicroWorld-eScan	VB:Trojan.Valyria.998
Rising	Trojan.Dojos!8.E8EB (TOPIS:E0:0cqFj4OYWGD)
Emsisoft	VB:Trojan.Valyria.998 (B)
F-Secure	Malware.VBS/Agent.0987
DrWeb	VBS.Packed.18
McAfee-GW-Edition	VBS/Cactustorch.a
FireEye	VB:Trojan.Valyria.998
Sophos	ATK/Cactus-F
Ikarus	Trojan.JS.SharpShooter
Avira	VBS/Agent.0987
Microsoft	Trojan:VBS/Nanocore.RN!MTB
ZoneAlarm	HEUR:Trojan.Script.Dojos.c
GData	VB:Trojan.Valyria.998
Google	Detected
AhnLab-V3	HTML/Magnitude.S5
Tencent	Html.Win32.Script.504632
MAX	malware (ai score=85)
Fortinet	VBS/Agent.NYO!tr
AVG	JS:Agent-EFZ [Trj]

Director.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All