Report - NDA_D673_May_10.wsf

Created 2023.05.11 09:21 Machine s1_win7_x6403
Filename NDA_D673_May_10.wsf
Type UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
AI Score Not found
Behavior Score 10.0
ZERO API file : clean
VT API (file)
md5 883bbc5030fbf590ef98edc18c49565b
sha256 b1142e2bb27447560ed144bd576678421de36e669fda3554a1c4f615b5c64c64
ssdeep 768:+dW9PdW9RHWpAwaD6giD6bj1UA/F8fAQh0SGYa5nNpm3DfTt16gBEWN16KTvt:9sRSAwi6gV11F8fveV5NI3Dbt16gB5Nl
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger A potential heapspray has been detected. 4178 megabytes was sprayed onto the heap of the wscript.exe process
warning Uses WMI to create a new process
watch Communicates with host for which no DNS query was performed
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info Queries for the computername

Rules (0cnts)

Level Name Description Collection

Network (8cnts)

Request CC ASN Co IP4 Rule ZERO
http://207.148.14.105/ac3Trg8kqFxJaVW.dat US AS-CHOOPA 207.148.14.105 clean
http://149.102.225.18/ac3Trg8kqFxJaVW.dat Unknown 149.102.225.18 clean
45.155.37.101 GB SHOCK-1 45.155.37.101 malicious
144.208.127.242 US SHOCK-1 144.208.127.242 malicious
149.102.225.18 Unknown 149.102.225.18 malicious
91.193.16.139 NL HZ Hosting Ltd 91.193.16.139 malicious
5.42.221.144 Unknown 5.42.221.144 malicious
207.148.14.105 US AS-CHOOPA 207.148.14.105 malicious

Suricata ids

Similarity measure (PE file only) - Checking for service failure