Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 12, 2021, 3:37 p.m.	April 12, 2021, 3:39 p.m.

Size	202.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`3fef6985af0d52ab6701df170096b504`
SHA256	`a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64`
CRC32	`4689C3D1`
ssdeep	`3072:HyewmN4skJ6VtZmtsl0UDwDZ6jnJ+vmebKkjgiuK5svdujBO1niLCA0RvNbBorAC:HddmedJjkvxKvMCA0TirvG6t`
Yara	escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

loki%20old.exe "C:\Users\test22\AppData\Local\Temp\loki%20old.exe"
4748
- loki%20old.exe "C:\Users\test22\AppData\Local\Temp\loki%20old.exe"
  7528

Name	Response	Post-Analysis Lookup
www.metabol.parts	A 89.31.143.1	89.31.143.1
www.skipperdaily.com	CNAME skipperdaily.com A 34.102.136.180	34.102.136.180
www.beachjunction.com	A 52.15.160.167 A 3.13.255.157 CNAME prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com A 3.14.206.30	52.15.160.167
www.catherineandwilson.com	A 184.168.131.241 CNAME catherineandwilson.com	184.168.131.241
www.sparkmonic.com	A 52.128.23.153	52.128.23.153
www.montcoimmigrationlawyer.com	A 184.168.131.241 CNAME montcoimmigrationlawyer.com	184.168.131.241
www.bestcoloncleanseblog.com
www.chaitanya99.com	CNAME chaitanya99.com A 34.102.136.180	34.102.136.180
www.liveporn.wiki	A 64.22.68.40	64.22.68.40
www.swashbug.com	A 169.1.24.244	169.1.24.244
www.plaisterpress.com	A 104.21.24.135 A 172.67.218.244	104.21.24.135
www.lanren.plus	A 107.161.23.204 A 198.251.84.92 A 70.39.125.244 A 45.58.190.82 A 188.164.131.200 A 64.32.22.102 A 198.251.81.30 A 204.188.203.155 A 209.141.38.71 A 192.161.187.200 CNAME parking.namesilo.com A 168.235.88.209	209.141.38.71
www.unipacksexpress.com	A 45.84.204.80 CNAME unipacksexpress.com	45.84.204.80
www.gaelmobilecarwash.com	CNAME gaelmobilecarwash.com A 54.172.82.69	54.172.82.69
www.intersp.net	CNAME intersp.net A 5.254.41.1	5.254.41.1

IP Address	Status	Action
104.21.24.135	Active	Moloch
164.124.101.2	Active	Moloch
169.1.24.244	Active	Moloch
172.217.25.14	Active	Moloch
184.168.131.241	Active	Moloch
34.102.136.180	Active	Moloch
45.84.204.80	Active	Moloch
5.254.41.1	Active	Moloch
52.128.23.153	Active	Moloch
52.15.160.167	Active	Moloch
54.172.82.69	Active	Moloch
64.22.68.40	Active	Moloch
70.39.125.244	Active	Moloch
89.31.143.1	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 12, 2021, 3:37 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2021, 3:37 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.skipperdaily.com/uoe8/?I6A=kSyxzBy7+NxjvltcH5qhh24HYIKUFMMxBbNkxLb26MtcWgNh+6Vz0GM3RP3eatyJABfRpbEE&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.metabol.parts/uoe8/?I6A=DPa/LdvKb4x0EQHHSG4HnoBustHAKvau/XdJEIoo9jvmj6B/UiY0ng+XEe8SlKole1XP0R9B&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.intersp.net/uoe8/?I6A=on49514hbo2JW48J+3/a1CaBEwSBwS4RZ72+qRP3c15gatp3EaIlW3Li0VjSgeEAJTee1r7g&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.beachjunction.com/uoe8/?I6A=UaWDVduC8UFTwGehvLFCG15pALMvw+tGTmrfHTf8nBW+JGuA66stVchzjBlkkNqpWkXjqLwX&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sparkmonic.com/uoe8/?I6A=c1orGQk3ileK0l34y1jRdN2F2ZNEAoz87JDR1JcULV/NR4yFAYbLF+WSSfU/LO94q10BAp8C&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.catherineandwilson.com/uoe8/?I6A=KdZiceDq2kSpg+gOAXOYCMhbIwexAutPvfm5ku1h+ZdZhJi6amIzed2Hhyoq3wJbWCyYGcfN&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.swashbug.com/uoe8/?I6A=jbWl/12LOy/8QMol1vq5On9CelmHmR3hJriw/uowHAcnrTs+PcPuE1M21NVN5bXc/q7xGzNj&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.unipacksexpress.com/uoe8/?I6A=MejYmmGKYE1uSbWIbuYb3LujTandHC0iEVZq/mU5CIxLMZtpZr1I1457to9XwNbgKKeK/WUp&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.montcoimmigrationlawyer.com/uoe8/?I6A=DVW7OxuR/l0MgT0nDzIJzGfsiMq3vXOqW3XcgnFXnAhOJxKbpl47XJscsrRJEeE6Tdv++OFn&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.liveporn.wiki/uoe8/?I6A=pk7aJzxroZ8+lfULIHT1NelU/8wtwZvYT/SETT0E40z+jFmloCWTtagjW+F1BqptGtqwExO3&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.plaisterpress.com/uoe8/?I6A=ntdwrTRHgRdJ5a2Xf4NJYZb1FUQAWBN8mHNzZPufyj4i4SmxEkZcAfGryMwHg42WTLRCq5qX&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lanren.plus/uoe8/?I6A=tMPs/lCCUJyXhCtAb5b8gcWtLLVD4pee8R/Nt6qFrEMANauGy9c5Nh7d9aIxKCpuae/zz+V5&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.chaitanya99.com/uoe8/?I6A=ZkDtwBVzfWeNGE7gTpqBE8SwHePO3C2IlyVk4AYlHdYLdQQSCszz4JLeYMoObzzlWefK30yZ&nfutZl=xPJDZDjp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gaelmobilecarwash.com/uoe8/?I6A=MOHGqkP6Ebzm+vNZgwkp8TSdnjf3KOQ5apN6aASQAzUE1fEqhZnwLAdbCeZI2pBtPLMSkxvo&nfutZl=xPJDZDjp

Performs some HTTP requests (28 events)

request	POST http://www.skipperdaily.com/uoe8/
request	GET http://www.skipperdaily.com/uoe8/?I6A=kSyxzBy7+NxjvltcH5qhh24HYIKUFMMxBbNkxLb26MtcWgNh+6Vz0GM3RP3eatyJABfRpbEE&nfutZl=xPJDZDjp
request	POST http://www.metabol.parts/uoe8/
request	GET http://www.metabol.parts/uoe8/?I6A=DPa/LdvKb4x0EQHHSG4HnoBustHAKvau/XdJEIoo9jvmj6B/UiY0ng+XEe8SlKole1XP0R9B&nfutZl=xPJDZDjp
request	POST http://www.intersp.net/uoe8/
request	GET http://www.intersp.net/uoe8/?I6A=on49514hbo2JW48J+3/a1CaBEwSBwS4RZ72+qRP3c15gatp3EaIlW3Li0VjSgeEAJTee1r7g&nfutZl=xPJDZDjp
request	POST http://www.beachjunction.com/uoe8/
request	GET http://www.beachjunction.com/uoe8/?I6A=UaWDVduC8UFTwGehvLFCG15pALMvw+tGTmrfHTf8nBW+JGuA66stVchzjBlkkNqpWkXjqLwX&nfutZl=xPJDZDjp
request	POST http://www.sparkmonic.com/uoe8/
request	GET http://www.sparkmonic.com/uoe8/?I6A=c1orGQk3ileK0l34y1jRdN2F2ZNEAoz87JDR1JcULV/NR4yFAYbLF+WSSfU/LO94q10BAp8C&nfutZl=xPJDZDjp
request	POST http://www.catherineandwilson.com/uoe8/
request	GET http://www.catherineandwilson.com/uoe8/?I6A=KdZiceDq2kSpg+gOAXOYCMhbIwexAutPvfm5ku1h+ZdZhJi6amIzed2Hhyoq3wJbWCyYGcfN&nfutZl=xPJDZDjp
request	POST http://www.swashbug.com/uoe8/
request	GET http://www.swashbug.com/uoe8/?I6A=jbWl/12LOy/8QMol1vq5On9CelmHmR3hJriw/uowHAcnrTs+PcPuE1M21NVN5bXc/q7xGzNj&nfutZl=xPJDZDjp
request	POST http://www.unipacksexpress.com/uoe8/
request	GET http://www.unipacksexpress.com/uoe8/?I6A=MejYmmGKYE1uSbWIbuYb3LujTandHC0iEVZq/mU5CIxLMZtpZr1I1457to9XwNbgKKeK/WUp&nfutZl=xPJDZDjp
request	POST http://www.montcoimmigrationlawyer.com/uoe8/
request	GET http://www.montcoimmigrationlawyer.com/uoe8/?I6A=DVW7OxuR/l0MgT0nDzIJzGfsiMq3vXOqW3XcgnFXnAhOJxKbpl47XJscsrRJEeE6Tdv++OFn&nfutZl=xPJDZDjp
request	POST http://www.liveporn.wiki/uoe8/
request	GET http://www.liveporn.wiki/uoe8/?I6A=pk7aJzxroZ8+lfULIHT1NelU/8wtwZvYT/SETT0E40z+jFmloCWTtagjW+F1BqptGtqwExO3&nfutZl=xPJDZDjp
request	POST http://www.plaisterpress.com/uoe8/
request	GET http://www.plaisterpress.com/uoe8/?I6A=ntdwrTRHgRdJ5a2Xf4NJYZb1FUQAWBN8mHNzZPufyj4i4SmxEkZcAfGryMwHg42WTLRCq5qX&nfutZl=xPJDZDjp
request	POST http://www.lanren.plus/uoe8/
request	GET http://www.lanren.plus/uoe8/?I6A=tMPs/lCCUJyXhCtAb5b8gcWtLLVD4pee8R/Nt6qFrEMANauGy9c5Nh7d9aIxKCpuae/zz+V5&nfutZl=xPJDZDjp
request	POST http://www.chaitanya99.com/uoe8/
request	GET http://www.chaitanya99.com/uoe8/?I6A=ZkDtwBVzfWeNGE7gTpqBE8SwHePO3C2IlyVk4AYlHdYLdQQSCszz4JLeYMoObzzlWefK30yZ&nfutZl=xPJDZDjp
request	POST http://www.gaelmobilecarwash.com/uoe8/
request	GET http://www.gaelmobilecarwash.com/uoe8/?I6A=MOHGqkP6Ebzm+vNZgwkp8TSdnjf3KOQ5apN6aASQAzUE1fEqhZnwLAdbCeZI2pBtPLMSkxvo&nfutZl=xPJDZDjp

Sends data using the HTTP POST Method (14 events)

request	POST http://www.skipperdaily.com/uoe8/
request	POST http://www.metabol.parts/uoe8/
request	POST http://www.intersp.net/uoe8/
request	POST http://www.beachjunction.com/uoe8/
request	POST http://www.sparkmonic.com/uoe8/
request	POST http://www.catherineandwilson.com/uoe8/
request	POST http://www.swashbug.com/uoe8/
request	POST http://www.unipacksexpress.com/uoe8/
request	POST http://www.montcoimmigrationlawyer.com/uoe8/
request	POST http://www.liveporn.wiki/uoe8/
request	POST http://www.plaisterpress.com/uoe8/
request	POST http://www.lanren.plus/uoe8/
request	POST http://www.chaitanya99.com/uoe8/
request	POST http://www.gaelmobilecarwash.com/uoe8/

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 12, 2021, 3:37 p.m.	process_identifier: 4748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 12, 2021, 3:37 p.m.	process_identifier: 7528 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsj14.tmp\6oxdti6l9qd.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsj14.tmp\6oxdti6l9qd.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 12, 2021, 3:37 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

McAfee	Artemis!3FEF6985AF0D
Sangfor	Trojan.Win32.Save.a
Cyren	W32/Injector.AGZ.gen!Eldorado
ESET-NOD32	a variant of Win32/Injector.EPCD
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Zenpak.gen
Rising	Trojan.Injector!8.C4 (CLOUD)
McAfee-GW-Edition	BehavesLike.Win32.Dropper.dc
FireEye	Generic.mg.3fef6985af0d52ab
Sophos	Generic ML PUA (PUA)
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Trojan/Win.Generic.R415229
Fortinet	W32/Injector.EPAI!tr
Qihoo-360	QVM42.0.Malware.Gen

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4748 called NtSetContextThread to modify thread in remote process 7528
NtSetContextThread April 12, 2021, 3:37 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4313248 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e4 process_identifier: 7528	1	0	0

loki%20old.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All