Report - ZeroBOX

ScreenShot

Info
Location map


Created	2025.04.09 10:42	Machine	s1_win7_x6401
Filename	greatnicegirlbackontheearthwithgoodnews.hta
Type	HTML document, ASCII text, with very long lines, with no line terminators
AI Score	Not founds	Behavior Score	10.0
ZERO API	file : clean
VT API (file)	13 detected (asthma, gen80, iacgm, PowerShell)
md5	efb65d67dc764eb12f65fc12dd8eb542
sha256	36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c
ssdeep	192:/MTb900M5pTbSD0M53v38PxTrG/qTbjTbXL8Ck0M5sETbd:0b9MxbU3vcTrG/GbPbb8CcsUbd
imphash
impfuzzy

Network IP location

Signature (30cnts)

Level	Description
watch	A potential heapspray has been detected. 118 megabytes was sprayed onto the heap of the iexplore.exe process
watch	Communicates with host for which no DNS query was performed
watch	Creates a suspicious Powershell process
watch	Drops a binary and executes it
watch	File has been identified by 13 AntiVirus engines on VirusTotal as malicious
watch	Network communications indicative of a potential document or script payload download was initiated by the processes powershell.exe
watch	One or more non-whitelisted processes were created
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	The process powershell.exe wrote an executable file to disk
watch	Wscript.exe initiated network communications indicative of a script based payload download
watch	wscript.exe-based dropper (JScript
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a shortcut to an executable file
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Poweshell is sending data to a remote host
notice	URL downloaded by powershell script
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	Queries for the computername
info	Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
watch	Antivirus	Contains references to security software	binaries (download)
watch	Network_Downloader	File Downloader	binaries (download)
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	Is_DotNET_DLL	(no description)	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (4cnts) ?

Request	ASN Co	IP4	ZERO ?
http://192.3.23.235/xampp/javn/newthingsonhereforgetrockgain.gif whois	AS-COLOCROSSING	192.3.23.235	clean
paste.ee whois		23.186.113.60	mailcious
192.3.23.235 whois	AS-COLOCROSSING	192.3.23.235	clean
23.186.113.60 whois		23.186.113.60	mailcious

Report - greatnicegirlbackontheearthwithgoodnews.hta

Signature (30cnts)

Rules (15cnts)

Network (4cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure