Windows Analysis Report
Doc_23-03-27.js

Overview

General Information

Sample name: Doc_23-03-27.js
Analysis ID: 1576718
MD5: 9581eae1a60b3e284da57c704cd10939
SHA1: 8e4bdb492f777ec7629ec4df05f03afeac851d80
SHA256: 2dd920b9ae86c91758ad3150304fb11874152e5ab66b5d07363c8283a69fa3a1
Tags: bruteratel, js, user-smica83

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • wscript.exe (PID: 7460 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • msiexec.exe (PID: 7548 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js", ProcessId: 7460, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.32.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 7548, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js", ProcessId: 7460, ProcessName: wscript.exe
No Suricata rule has matched

Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: Joe Sandbox View | IP Address: 104.21.32.1
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /bas.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows Installer
    Host: loscabos.life
Source: global traffic | DNS traffic detected: DNS query: loscabos.life
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 17 Dec 2024 12:14:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/8.1.29
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OWCf%2BIK8kfq%2FWumRT9fuf0YI4ICqhhJEhtKDrcaiZkMnn40froLgOMg7NEUefXGcJJ6mfQTlIOVI%2F8343k6fHjrG0ImveSC2PVs8LRIgKAWbd6%2Fe%2BweS3yU4FjuTWYHY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f36d5b80cd6c327-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1704&rtt_var=668&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2828&recv_bytes=728&delivery_rate=1601755&cwnd=189&unsent_bytes=0&cid=f005989de28dee4b&ts=560&x=0"
Source: wscript.exe, 00000001.00000003.1418323687.00000143757CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://loscabos.life/bas.php
Source: wscript.exe, 00000001.00000002.1423938239.0000014375190000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://loscabos.life/bas.php7558
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49699 version: TLS 1.2

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Microsoft Windows Installer HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C1090-0000-0000-C000-000000000046}
Source: Doc_23-03-27.js | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal48.winJS@2/0@1/1
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, msi.dll, srpapi.dll, tsappcmp.dll, netapi32.dll, wkscli.dll, netutils.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (loaded three times)
Source: C:\Windows\System32\msiexec.exe | Sections loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, tsappcmp.dll, userenv.dll, profapi.dll, sspicli.dll, netapi32.dll, wkscli.dll, netutils.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, mswsock.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, dpapi.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\msiexec.exe TID: 7576 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged in the matrix, with the signature count shown next to each (a technique that belongs to more than one tactic column is flagged in each of them):
  • Scripting (2)
  • Process Injection (1)
  • Virtualization/Sandbox Evasion (1)
  • DLL Side-Loading (1)
  • Encrypted Channel (1)
  • System Information Discovery (2)
  • Non-Application Layer Protocol (3)
  • Application Layer Protocol (4)
  • Obfuscated Files or Information (1)
  • Ingress Tool Transfer (3)
The remaining matrix cells carry no count.
Behavior graph (ID: 1576718, sample: Doc_23-03-27.js, start date: 17/12/2024, architecture: WINDOWS, score: 48):
  • wscript.exe started; signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • msiexec.exe started; network: loscabos.life 104.21.32.1, 443, 49699 CLOUDFLARENETUS United States
  • Sigma detected: WScript or CScript Dropper

Source | Detection | Scanner | Label | Link
Doc_23-03-27.js | 3% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://loscabos.life/bas.php7558 | 0% | Avira URL Cloud | safe |
https://loscabos.life/bas.php | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
loscabos.life | 104.21.32.1 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://loscabos.life/bas.php | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://loscabos.life/bas.php7558 | wscript.exe, 00000001.00000002.1423938239.0000014375190000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.32.1 | loscabos.life | United States | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576718
Start date and time: 2024-12-17 13:13:44 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Without Instrumentation
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Doc_23-03-27.js
Detection: MAL
Classification: mal48.winJS@2/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: Doc_23-03-27.js
Time | Type | Description
07:14:46 | API Interceptor | 1x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.32.1 | SH8ZyOWNi2.exe | Get hash | malicious | CMSBrute | Browse | redroomaudio.com/administrator/index.php
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | c2.exe | Get hash | malicious | Xmrig | Browse | 104.20.4.235
CLOUDFLARENETUS | 23d5f89e-2c54-ee19-3778-06a4bec842b9.eml | Get hash | malicious | Unknown | Browse | 104.18.65.57
CLOUDFLARENETUS | https://protect.checkpoint.com/v2/r01/___https://link.edgepilot.com/xdg*~*fiaa57dVgx2DluRTp19jF8WMmYfWl?z=myyux:ddjrfnq.ynintwjuqD.htrdhdjOBhER6ylHFZFTGu9JoBlVNMIw79G-bMOgKn5Sf55EkuFm_s/LOKQ2pPEoswuEsuU2A7WKVctU0F0LxRir4fJPhZrPOzTgvHZltxJFSX/jFwCJW7F4BtO0gjUt6gM8NiU9g*~*uEaD_oE2wiDMlq2GDu8zhwYySQbzr0kVZGcn8s4Dk7cEDvSl6XRkaXaP7a5RqmSqgUx7-yk6g8/s-FxFFU__PNlcuV___.YzJ1OndhaXRha2VyZXByaW1hcnk6YzpvOmRkMGI4MjA2MTNmMjg1YzMyNTM2YjE2YzI0MjAzMGU1Ojc6MzQ1NjphZDU1ODAwMDRlN2FjYWY0Nzk3ODJmN2U3MjI1MmNkMTUyZWIyNWZlZjgyYTY4N2M3ZWVjN2E0NjVmZjU3M2E4Omg6VDpU | Get hash | malicious | Unknown | Browse | 104.16.123.96
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | Browse | 172.67.129.27
CLOUDFLARENETUS | 122046760.bat | Get hash | malicious | RHADAMANTHYS | Browse | 162.159.61.3
CLOUDFLARENETUS | pkqLAMAv96.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
CLOUDFLARENETUS | IIC0XbKFjS.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
CLOUDFLARENETUS | 873406390.bat | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
CLOUDFLARENETUS | 0J3fAc6cHO.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 162.159.61.3

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
28a2c9bd18a11de089ef85a160da29e4 | Recommended Itinerary.js | Get hash | malicious | Unknown | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | d2W4YpqsKg.lnk | Get hash | malicious | LummaC | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | RFQ3978 39793980.pdf.exe | Get hash | malicious | FormBook | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | https://link.edgepilot.com/s/f30932b1/vPPKRjWXhUuvPsJT0zGKsQ?u=https://lf7oxrhbb.cc.rs6.net/tn.jsp?f=001h06J4Rg18suvxSEI1tED4DAF8iRuyxY1F6LaYcn7sb4iX7GBolUHc7ee-KUx3ocXE9JkVShRAfV1x6aenzzKcDmVc2_grDROu5C380NMdm5zgykpeK24RW4ydxOZY-zzWGqXDAcSMsLIRx7mTviOEg==%26c=rtZvyEmdrWl6DZ9XsciJKGlh47UQUNn-J3NXlYUvzX0mHT2yPp0J7g==%26ch=pbMEYYEPfkmXeu_oUdJD2iMHpz6dLW5FEUtMz_fcwAIrF1HSqrYuCA==%26__=wp-admin/wp/2XWV/Dcndx/c3Njb3R0QGRjbmR4LmNvbQ=%3D | Get hash | malicious | Outlook Phishing, HTMLPhisher | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | n70CrSGL8G.exe | Get hash | malicious | RedLine | Browse | 104.21.32.1
28a2c9bd18a11de089ef85a160da29e4 | Doc_13-35-42.js | Get hash | malicious | Unknown | Browse | 104.21.32.1
No context
    No created / dropped files found
File type: ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit): 3.8721077110947393
TrID:
File name: Doc_23-03-27.js
File size: 388'999 bytes
MD5: 9581eae1a60b3e284da57c704cd10939
SHA1: 8e4bdb492f777ec7629ec4df05f03afeac851d80
SHA256: 2dd920b9ae86c91758ad3150304fb11874152e5ab66b5d07363c8283a69fa3a1
SHA512: cf2ab696168c7976336de53154c5f0ffb9822b2d17227c23b0db0efe24529fd7c0ba3ee3784013f3ad0dc36a14920e3d89c21f357e2673dc8a6bb35b90397f5a
SSDEEP: 3072:qw2/gK4yi6iMWk8J2RmWyOTuKCHZ2Gvdwzkelt5X8HIVe8TFNvBBzHftC5/tDkFy:ewtFq1qf7B
TLSH: 0184925ED9081FBA67C23CBA42796C6076D836CB2074D96DBD8CE5CF43532690B12D3A
File Content Preview: var splunk = "{\n \"splunk_beta97\": {\n \"svn_chai22\": \"2024-12-13T18:08:18.551881Z\",\n \"blueprint96\": {\n \"encryption86\": [\n \"webpack\",\n 737,\n 8290,\n 72
Icon Hash: 68d69b8bb6aa9a86


      • Total Packets: 10
      • 443 (HTTPS)
      • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 13:14:45.542792082 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:45.542838097 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:45.542911053 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:45.544831038 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:45.544855118 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:46.772485018 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:46.772588015 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:46.776762962 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:46.776774883 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:46.777096987 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:46.817543030 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:46.824315071 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:46.871334076 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:47.312366009 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:47.312633038 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7
Dec 17, 2024 13:14:47.312823057 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:47.314177990 CET | 49699 | 443 | 192.168.2.7 | 104.21.32.1
Dec 17, 2024 13:14:47.314197063 CET | 443 | 49699 | 104.21.32.1 | 192.168.2.7

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 13:14:45.395899057 CET | 55054 | 53 | 192.168.2.7 | 1.1.1.1
Dec 17, 2024 13:14:45.538531065 CET | 53 | 55054 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 13:14:45.395899057 CET | 192.168.2.7 | 1.1.1.1 | 0x3f5d | Standard query (0) | loscabos.life | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 13:14:45.538531065 CET | 1.1.1.1 | 192.168.2.7 | 0x3f5d | No error (0) | loscabos.life | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:14:45.538531065 CET | 1.1.1.1 | 192.168.2.7 | 0x3f5d | No error (0) | loscabos.life | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:14:45.538531065 CET | 1.1.1.1 | 192.168.2.7 | 0x3f5d | No error (0) | loscabos.life | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:14:45.538531065 CET | 1.1.1.1 | 192.168.2.7 | 0x3f5d | No error (0) | loscabos.life | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:14:45.538531065 CET | 1.1.1.1 | 192.168.2.7 | 0x3f5d | No error (0) | loscabos.life | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:14:45.538531065 CET | 1.1.1.1 | 192.168.2.7 | 0x3f5d | No error (0) | loscabos.life | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:14:45.538531065 CET | 1.1.1.1 | 192.168.2.7 | 0x3f5d | No error (0) | loscabos.life | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
      • loscabos.life
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 104.21.32.1 | 443 | 7548 | C:\Windows\System32\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 12:14:46 UTC | 114 | OUT | GET /bas.php HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Windows Installer
      Host: loscabos.life
2024-12-17 12:14:47 UTC | 841 | IN | HTTP/1.1 404 Not Found
      Date: Tue, 17 Dec 2024 12:14:47 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      X-Powered-By: PHP/8.1.29
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OWCf%2BIK8kfq%2FWumRT9fuf0YI4ICqhhJEhtKDrcaiZkMnn40froLgOMg7NEUefXGcJJ6mfQTlIOVI%2F8343k6fHjrG0ImveSC2PVs8LRIgKAWbd6%2Fe%2BweS3yU4FjuTWYHY"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f36d5b80cd6c327-EWR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1704&rtt_var=668&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2828&recv_bytes=728&delivery_rate=1601755&cwnd=189&unsent_bytes=0&cid=f005989de28dee4b&ts=560&x=0"
2024-12-17 12:14:47 UTC | 22 | IN | Data Raw: 31 30 0d 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 0d 0a
Data Ascii: 10 File not found.
2024-12-17 12:14:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



Target ID: 1
Start time: 07:14:44
Start date: 17/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc_23-03-27.js"
Imagebase: 0x7ff792410000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:14:44
Start date: 17/12/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff615ab0000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

      No disassembly