Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.04.30 09:48	Machine	s1_win7_x6401
Filename	divine11111.html
Type	HTML document, ASCII text, with very long lines
AI Score	Not founds	Behavior Score	10.0
ZERO API	file : clean
VT API (file)
md5	2eeda876014265c8413ef0e565a96657
sha256	50988e57db0ca47f40ed37d48d220e59a632c78e891229a33d03cd32d0e419fa
ssdeep	768:m43eyHHvPWdN+hQI7D7Q7ZAYCZntCaRklfiQ6ntMssXnSwGQ2SVO:m43LHH2dN+NUaRmwnFwGl
imphash
impfuzzy

Network IP location

Signature (21cnts)

Level	Description
watch	A command shell or script process was created by an unexpected parent process
watch	Attempts to create or modify system certificates
watch	Drops a binary and executes it
watch	Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch	One or more non-whitelisted processes were created
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Wscript.exe initiated network communications indicative of a script based payload download
watch	wscript.exe-based dropper (JScript
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Executes one or more WMI queries
notice	Performs some HTTP requests
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Collects information to fingerprint the system (MachineGuid
info	Command line console output was observed
info	Queries for the computername

Rules (9cnts)

Level	Name	Description	Collection
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	PNG_Format_Zero	PNG Format	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (52cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png whois	GOOGLE	172.217.31.233		clean
https://resources.blogblog.com/img/anon36.png whois	GOOGLE	172.217.31.233		clean
https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog whois	GOOGLE	142.250.204.105		clean
https://fonts.googleapis.com/css?family=Open+Sans:300 whois	GOOGLE	172.217.163.234		clean
https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501 whois	GOOGLE	142.250.204.105		clean
https://ia801408.us.archive.org/25/items/defender_202103/defender.txt whois	INTERNET-ARCHIVE	207.241.228.148	971	mailcious
https://www.blogger.com/static/v1/widgets/1564291244-widgets.js whois	GOOGLE	142.250.204.105		clean
https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff whois	GOOGLE	172.217.161.131		clean
https://www.google-analytics.com/analytics.js whois	GOOGLE	172.217.163.238		clean
https://www.blogger.com/img/share_buttons_20_3.png whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501&bpli=1 whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css whois	GOOGLE	142.250.204.105		clean
https://resources.blogblog.com/img/blank.gif whois	GOOGLE	172.217.31.233		clean
https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff whois	GOOGLE	172.217.161.131		clean
https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff whois	GOOGLE	172.217.161.131		clean
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png whois	GOOGLE	172.217.31.233		clean
https://www.google.com/css/maia.css whois	GOOGLE	172.217.24.68		clean
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D92020 whois	GOOGLE	142.250.66.141		clean
https://fonts.googleapis.com/css?lang=ko&family=Product+Sans\|Roboto:400,700 whois	GOOGLE	172.217.163.234		clean
https://www.blogger.com/img/blogger-logotype-color-black-1x.png whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fyahameinhunbusorkoinai.blogspot.com%2Fp%2Fdivine11111.html&type=blog&bpli=1 whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/static/v1/jsbin/3544430843-cmt__en_gb.js whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c whois	GOOGLE	142.250.204.105		clean
https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css whois	GOOGLE	142.250.204.105		clean
https://resources.blogblog.com/img/icon18_edit_allbkg.gif whois	GOOGLE	172.217.31.233		clean
https://resources.blogblog.com/img/icon18_wrench_allbkg.png whois	GOOGLE	172.217.31.233		clean
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahame whois	GOOGLE	142.250.66.141		clean
https://www.google.com/js/bg/EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c.js whois	GOOGLE	172.217.24.68		clean
resources.blogblog.com whois	GOOGLE	172.217.31.137		clean
ia801408.us.archive.org whois	INTERNET-ARCHIVE	207.241.228.148		mailcious
www.google.com whois	GOOGLE	172.217.161.68		clean
www.gstatic.com whois	GOOGLE	172.217.174.99		clean
fonts.googleapis.com whois	GOOGLE	172.217.25.106		clean
archive.org whois	INTERNET-ARCHIVE	207.241.224.2		mailcious
accounts.google.com whois	GOOGLE	216.58.220.141		clean
www.google-analytics.com whois	GOOGLE	172.217.161.78		clean
fonts.gstatic.com whois	GOOGLE	172.217.175.227		clean
www.blogger.com whois	GOOGLE	172.217.31.137		clean
172.217.163.234 whois	GOOGLE	172.217.163.234		clean
142.250.204.105 whois	GOOGLE	142.250.204.105		clean
207.241.228.148 whois	INTERNET-ARCHIVE	207.241.228.148		mailcious
142.250.66.35 whois	GOOGLE	142.250.66.35		clean
142.250.66.141 whois	GOOGLE	142.250.66.141		clean
172.217.31.233 whois	GOOGLE	172.217.31.233		clean
172.217.24.68 whois	GOOGLE	172.217.24.68		clean
172.217.163.238 whois	GOOGLE	172.217.163.238		clean
172.217.161.131 whois	GOOGLE	172.217.161.131		clean

Report - divine11111.html

Signature (21cnts)

Rules (9cnts)

Network (52cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure