Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 31, 2021, 6:12 p.m.	March 31, 2021, 6:15 p.m.

Size	224.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`642276a12dace4b65a6f848fcefc617b`
SHA256	`b0762ca49381026932f488d2a816a18639c410ba45f456014861ac66b9b3f4e6`
CRC32	`1C8B4AF0`
ssdeep	`6144:vAPmNUBC88FT3uYyVC+rXj+MeKyFGFP4BhI6c:ySFaYyk+LjVerGFQs6c`
Yara	PE_Header_Zero - PE File Signature Zero escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
7724
- svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
  3500

Name	Response	Post-Analysis Lookup
www.vtz6whu5254xb1.xyz	A 49.156.179.238	49.156.179.238
www.dajiangzhibo12.com	A 172.67.212.23 A 104.21.85.234	104.21.85.234
www.whowetrust.com	CNAME whowetrust.com A 34.102.136.180	34.102.136.180
www.orangeecho.com	CNAME HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com A 3.223.115.185	3.223.115.185
www.nature-powered.com	CNAME naturepowered.myshopify.com CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.tristatecandlesupply.net	A 162.246.16.67 CNAME tristatecandlesupply.net	162.246.16.67
www.simdikikitap.com	CNAME simdikikitap.com A 34.102.136.180	34.102.136.180
www.xhvai.com	A 143.92.63.154	143.92.63.154
www.aitelco.net	CNAME aitelco.net A 34.102.136.180	34.102.136.180
www.abolishlawinforcement.com	A 66.96.162.131	66.96.162.131
www.deltaeleveight.com
www.saturnkorp.net	A 75.126.101.233	75.126.101.233
www.profoundai.net	A 208.91.197.39	208.91.197.39
www.tmancar.com	A 154.196.151.57	154.196.151.57
www.pwjol.com	A 107.186.80.174	107.186.80.174

IP Address	Status	Action
107.186.80.174	Active	Moloch
143.92.63.154	Active	Moloch
154.196.151.57	Active	Moloch
162.246.16.67	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.212.23	Active	Moloch
208.91.197.39	Active	Moloch
23.227.38.74	Active	Moloch
3.223.115.185	Active	Moloch
34.102.136.180	Active	Moloch
49.156.179.238	Active	Moloch
66.96.162.131	Active	Moloch
75.126.101.233	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 31, 2021, 6:12 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.profoundai.net/c22b/?Jt7=rpIKAznr1hng9gfpyj+TGZo0GkcVk4hvDSWWXjOtP4H3/wQKhlpkZGtGvKv1ucHK/49yEoe8&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tristatecandlesupply.net/c22b/?Jt7=ZPP+6NG7hPa7D/pRAKk67SZaGJDlQmsZpFTbUnYLokSY+Ybe+KFNg0JkYx22dzPtZZRZC25L&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.orangeecho.com/c22b/?Jt7=+cS1hFhSUMgyG1XN7zyQVeYAofXfv2Z1IU4Y/A1kGAEunj/iTCBG8iVSwWWrUROHiSDiynRD&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.saturnkorp.net/c22b/?Jt7=IngE1hDOfz/xrXd/zwheuQ4ABgAGAsEfCrLp9X1ReoJC4M60t2KVtLLFuR7A8Nl9D4jCWR6d&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.nature-powered.com/c22b/?Jt7=gMZS0DD6saKYnOXE9oC51+LMkZmn/HCE0RAFxOnjkyqRcA4ApUTvt68+inf9jJsnGfrLr2QV&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tmancar.com/c22b/?Jt7=4DQakw3/6Y/oDZFQxHc+stiRF7o2U51IWvS9VXwI8Vcn9Xf+bYhXI6vIEN3XsIiQX5YN3Cg6&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.simdikikitap.com/c22b/?Jt7=qlj1ixcflcSMJJ9EbUYz+Kn8XJoESHItc42hAyfnx6G/0yYdUNJKpoBqekkYgGUIhkLrWJCW&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.aitelco.net/c22b/?Jt7=MmZJZq9q+xJYPFqeponmrUnmxEzzaDQVFJWC+mtFgK7A9v4vK+wH3saSO9aPWXW1FSrJ/2JR&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dajiangzhibo12.com/c22b/?Jt7=5+EjqSxzxtGBBZoADJIwjNuki1nPzn2WfNsPkl3d3zU9JCc0jeLXkeCWxL7UoSHXsUI9o64f&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.pwjol.com/c22b/?Jt7=AvT2B13g0NJGY5xNZu+Y2n5h298IzrYCwz5NrXvIG52q8e0Se/MhnW0iroyWZwVe/95PdulL&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.xhvai.com/c22b/?Jt7=KO+I5REz4KHWFF4dyzMfPgQ6ZkspKQO64wMfyAVBbvLNsOXMR1+bc+SMpfDfUe0UiLC56F/z&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.vtz6whu5254xb1.xyz/c22b/?Jt7=5ho6ncVGowFaKf09k831vYHCH4/kodbR9mX0cGETo5GgSiIuBxvpdfPQGnveXBDesg/Ru56I&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.whowetrust.com/c22b/?Jt7=dnLo5ZxmWKpoAqgPLJJrqzqSek5xAfJXWr0PXCs066Jmf7qySmX9VdnTqRl50cTti5X/7bHI&BvI=BR-0AR
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.abolishlawinforcement.com/c22b/?Jt7=1dQaaDtJ1/83k2VxDhM80GCvP8/I8CX19DsvhDwOSzSN5xUeyntRckuxQrpD65eTgEHCcTKy&BvI=BR-0AR

Performs some HTTP requests (27 events)

request	POST http://www.profoundai.net/c22b/
request	GET http://www.profoundai.net/c22b/?Jt7=rpIKAznr1hng9gfpyj+TGZo0GkcVk4hvDSWWXjOtP4H3/wQKhlpkZGtGvKv1ucHK/49yEoe8&BvI=BR-0AR
request	POST http://www.tristatecandlesupply.net/c22b/
request	GET http://www.tristatecandlesupply.net/c22b/?Jt7=ZPP+6NG7hPa7D/pRAKk67SZaGJDlQmsZpFTbUnYLokSY+Ybe+KFNg0JkYx22dzPtZZRZC25L&BvI=BR-0AR
request	POST http://www.orangeecho.com/c22b/
request	GET http://www.orangeecho.com/c22b/?Jt7=+cS1hFhSUMgyG1XN7zyQVeYAofXfv2Z1IU4Y/A1kGAEunj/iTCBG8iVSwWWrUROHiSDiynRD&BvI=BR-0AR
request	POST http://www.saturnkorp.net/c22b/
request	GET http://www.saturnkorp.net/c22b/?Jt7=IngE1hDOfz/xrXd/zwheuQ4ABgAGAsEfCrLp9X1ReoJC4M60t2KVtLLFuR7A8Nl9D4jCWR6d&BvI=BR-0AR
request	POST http://www.nature-powered.com/c22b/
request	GET http://www.nature-powered.com/c22b/?Jt7=gMZS0DD6saKYnOXE9oC51+LMkZmn/HCE0RAFxOnjkyqRcA4ApUTvt68+inf9jJsnGfrLr2QV&BvI=BR-0AR
request	POST http://www.tmancar.com/c22b/
request	GET http://www.tmancar.com/c22b/?Jt7=4DQakw3/6Y/oDZFQxHc+stiRF7o2U51IWvS9VXwI8Vcn9Xf+bYhXI6vIEN3XsIiQX5YN3Cg6&BvI=BR-0AR
request	POST http://www.simdikikitap.com/c22b/
request	GET http://www.simdikikitap.com/c22b/?Jt7=qlj1ixcflcSMJJ9EbUYz+Kn8XJoESHItc42hAyfnx6G/0yYdUNJKpoBqekkYgGUIhkLrWJCW&BvI=BR-0AR
request	POST http://www.aitelco.net/c22b/
request	GET http://www.aitelco.net/c22b/?Jt7=MmZJZq9q+xJYPFqeponmrUnmxEzzaDQVFJWC+mtFgK7A9v4vK+wH3saSO9aPWXW1FSrJ/2JR&BvI=BR-0AR
request	POST http://www.dajiangzhibo12.com/c22b/
request	GET http://www.dajiangzhibo12.com/c22b/?Jt7=5+EjqSxzxtGBBZoADJIwjNuki1nPzn2WfNsPkl3d3zU9JCc0jeLXkeCWxL7UoSHXsUI9o64f&BvI=BR-0AR
request	POST http://www.pwjol.com/c22b/
request	GET http://www.pwjol.com/c22b/?Jt7=AvT2B13g0NJGY5xNZu+Y2n5h298IzrYCwz5NrXvIG52q8e0Se/MhnW0iroyWZwVe/95PdulL&BvI=BR-0AR
request	GET http://www.xhvai.com/c22b/?Jt7=KO+I5REz4KHWFF4dyzMfPgQ6ZkspKQO64wMfyAVBbvLNsOXMR1+bc+SMpfDfUe0UiLC56F/z&BvI=BR-0AR
request	POST http://www.vtz6whu5254xb1.xyz/c22b/
request	GET http://www.vtz6whu5254xb1.xyz/c22b/?Jt7=5ho6ncVGowFaKf09k831vYHCH4/kodbR9mX0cGETo5GgSiIuBxvpdfPQGnveXBDesg/Ru56I&BvI=BR-0AR
request	POST http://www.whowetrust.com/c22b/
request	GET http://www.whowetrust.com/c22b/?Jt7=dnLo5ZxmWKpoAqgPLJJrqzqSek5xAfJXWr0PXCs066Jmf7qySmX9VdnTqRl50cTti5X/7bHI&BvI=BR-0AR
request	POST http://www.abolishlawinforcement.com/c22b/
request	GET http://www.abolishlawinforcement.com/c22b/?Jt7=1dQaaDtJ1/83k2VxDhM80GCvP8/I8CX19DsvhDwOSzSN5xUeyntRckuxQrpD65eTgEHCcTKy&BvI=BR-0AR

Sends data using the HTTP POST Method (13 events)

request	POST http://www.profoundai.net/c22b/
request	POST http://www.tristatecandlesupply.net/c22b/
request	POST http://www.orangeecho.com/c22b/
request	POST http://www.saturnkorp.net/c22b/
request	POST http://www.nature-powered.com/c22b/
request	POST http://www.tmancar.com/c22b/
request	POST http://www.simdikikitap.com/c22b/
request	POST http://www.aitelco.net/c22b/
request	POST http://www.dajiangzhibo12.com/c22b/
request	POST http://www.pwjol.com/c22b/
request	POST http://www.vtz6whu5254xb1.xyz/c22b/
request	POST http://www.whowetrust.com/c22b/
request	POST http://www.abolishlawinforcement.com/c22b/

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 31, 2021, 6:12 p.m.	process_identifier: 7724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1000b000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 31, 2021, 6:12 p.m.	process_identifier: 3500 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsi1F9.tmp\kxxpjqdo92e33.dll

Creates a suspicious process (1 event)

cmdline

"C:\Users\test22\AppData\Local\Temp\svchost.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsi1F9.tmp\kxxpjqdo92e33.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (14 events)

Time & API	Arguments	Status	Return
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 5008	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: mobsync.exe process_identifier: 3268	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 7644	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: taskhost.exe process_identifier: 8564	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: cmd.exe process_identifier: 4748	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: conhost.exe process_identifier: 1520	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: pw.exe process_identifier: 6192	1	1
Process32NextW March 31, 2021, 6:12 p.m.	snapshot_handle: 0x000001ec process_name: svchost.exe process_identifier: 7724	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 31, 2021, 6:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 31, 2021, 6:12 p.m.	thread_identifier: 4372 thread_handle: 0x00000200 process_identifier: 3500 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000204	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7724 called NtSetContextThread to modify thread in remote process 3500
NtSetContextThread March 31, 2021, 6:12 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4313248 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000200 process_identifier: 3500	1	0	0

Generates some ICMP traffic

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

MicroWorld-eScan	Gen:Variant.Jaik.44831
FireEye	Gen:Variant.Jaik.44831
Sangfor	Trojan.Win32.Save.a
Cyren	W32/Wacatac.CU.gen!Eldorado
ESET-NOD32	a variant of Win32/Injector.EOZZ
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Trojan.Generic-9848208-0
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
Tencent	Win32.Trojan.Inject.Auto
Ad-Aware	Gen:Variant.Jaik.44831
DrWeb	Trojan.Packed2.42989
McAfee-GW-Edition	BehavesLike.Win32.Dropper.dc
Microsoft	Trojan:Win32/SpyNoon!ml
GData	Gen:Variant.Jaik.44831
AhnLab-V3	Trojan/Win.Generic.R374864
Rising	Trojan.Injector!8.C4 (TFE:dGZlOgVTT9Cxl3PltA)
Ikarus	Trojan.NSIS.Agent
Fortinet	W32/Injector.EOLV!tr
AVG	Win32:TrojanX-gen [Trj]

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All