Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 16, 2021, 6:01 p.m.	April 16, 2021, 6:03 p.m.

Size	15.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`35ab7b989418f63d814895500fe6617b`
SHA256	`2514b92213c76d20d06d54f413f5becb994a27e07a01372356e770aadd450448`
CRC32	`96E2B2EA`
ssdeep	`393216:sPrZfV4KKaIFDyvFziyfiR+Zy6NByu/Sc:MVVKjxyhiYiMj8uz`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero Device_Check_Zero - Device Check Zero Process_Snapshot_Kill_Zero - Process Kill Zero CryptGenKey_Zero - CryptGenKey Zero FindFirstVolume_Zero - FindFirstVolume Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check AutoIt - www.autoitscript.com/site/autoit/

winsdk.exe "C:\Users\test22\AppData\Local\Temp\winsdk.exe"
2444
- CL_Debug_Log.txt C:\Users\test22\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\test22\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\test22\AppData\Local\Temp\"
  2240
- cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
  2876
  - schtasks.exe schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    2044
- cmd.exe C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\test22\AppData\Local\Temp\winsdk.exe"&&timeout /t 0&&if not exist "C:\Users\test22\AppData\Local\Temp\winsdk.exe" exit)
  2672
  - timeout.exe timeout /t 0
    2908

Name	Response	Post-Analysis Lookup
ezstat.ru	A 88.99.66.31	88.99.66.31
pool.hashvault.pro	A 131.153.159.26 A 131.153.76.130	131.153.159.26

IP Address	Status	Action
131.153.76.130	Active	Moloch
145.239.66.236	Active	Moloch
163.172.157.213	Active	Moloch
164.124.101.2	Active	Moloch
176.10.104.240	Active	Moloch
51.75.169.249	Active	Moloch
54.36.227.247	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 51.75.169.249:443 -> 192.168.56.101:49221	2522632	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633	Misc Attack
TCP 54.36.227.247:443 -> 192.168.56.101:49220	2522646	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 647	Misc Attack
TCP 163.172.157.213:443 -> 192.168.56.101:49218	2522198	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 199	Misc Attack
TCP 145.239.66.236:9001 -> 192.168.56.101:49219	2522173	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174	Misc Attack
TCP 176.10.104.240:8443 -> 192.168.56.101:49216	2520019	ET TOR Known Tor Exit Node Traffic group 20	Misc Attack
TCP 176.10.104.240:8443 -> 192.168.56.101:49216	2522019	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 20	Misc Attack
TCP 192.168.56.101:49227 -> 131.153.76.130:3333	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.101:49226 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49220 54.36.227.247:443	None	None	None
TLS 1.3 192.168.56.101:49221 51.75.169.249:443	None	None	None
TLS 1.2 192.168.56.101:49218 163.172.157.213:443	CN=www.kbh6c2mkb3ep3gmmbunj.com	CN=www.msbmibde6afmtoudkx.net	d2:a9:57:33:22:05:5f:8e:9d:0c:31:87:f8:9d:28:26:8d:48:1a:e7
TLS 1.3 192.168.56.101:49219 145.239.66.236:9001	None	None	None
TLS 1.3 192.168.56.101:49216 176.10.104.240:8443	None	None	None
TLS 1.3 192.168.56.101:49222 51.75.169.249:443	None	None	None
TLSv1 192.168.56.101:49226 88.99.66.31:443	C=US, O=Let's Encrypt, CN=R3	CN=iplogger.com	a6:9e:b0:a2:7d:aa:50:d1:63:45:45:aa:4b:92:18:ef:3b:1e:2e:94

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 16, 2021, 6 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 16, 2021, 6:01 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2021, 6 p.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: 7-Zip (a) 19.00 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21 console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Scanning the drive for archives: console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: 0M Scan C:\Users\test22\AppData\Local\Temp\ console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: 1 file, 15335970 bytes (15 MiB) console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Extracting archive: console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\CR_Debug_Log.txt console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Path console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\CR_Debug_Log.txt console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Type console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: 7z console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Physical Size console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Headers Size console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Method console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: LZMA2:24 BCJ 7zAES console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Solid console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Blocks console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Everything is Ok console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Files: console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Size: console_handle: 0x00000007	1	1
WriteConsoleA April 16, 2021, 6:01 p.m.	buffer: Compressed: console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: SUCCESS: The scheduled task "System\SystemCheck" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp\winsdk.exe" console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: timeout console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: /t 0 console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: not console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\winsdk.exe" console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: Waiting for 0 console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2021, 6:01 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2021, 6:01 p.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET https://ezstat.ru/1DEqw7

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

ezstat.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 16, 2021, 6 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\64.exe
file	C:\Users\test22\AppData\Local\Temp\32.exe

Creates a suspicious process (3 events)

cmdline	schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
cmdline	C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\test22\AppData\Local\Temp\winsdk.exe"&&timeout /t 0&&if not exist "C:\Users\test22\AppData\Local\Temp\winsdk.exe" exit)
cmdline	C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\CL_Debug_Log.txt
file	C:\Users\test22\AppData\Local\Temp\32.exe
file	C:\Users\test22\AppData\Local\Temp\winsdk.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00f27e00', u'virtual_address': u'0x000c8000', u'entropy': 7.99983884848177, u'name': u'.rsrc', u'virtual_size': u'0x00f27c68'}

entropy

7.99983884848

description

A section with a high entropy has been found

entropy

0.950483831455

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 16, 2021, 6:01 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 16, 2021, 6:01 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 16, 2021, 6:01 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
cmdline	C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\test22\AppData\Local\Temp\winsdk.exe"&&timeout /t 0&&if not exist "C:\Users\test22\AppData\Local\Temp\winsdk.exe" exit)
cmdline	C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"

Communicates with host for which no DNS query was performed (5 events)

host	145.239.66.236
host	163.172.157.213
host	176.10.104.240
host	51.75.169.249
host	54.36.227.247

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\SystemCheck.xml

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	AIT:Trojan.Nymeria.1546
CAT-QuickHeal	Trojan.AutoIt.MineDropper.C
McAfee	Artemis!35AB7B989418
Sangfor	Trojan.Win32.Save.a
Arcabit	AIT:Trojan.Nymeria.D60A
ESET-NOD32	a variant of Win32/TrojanDropper.Autoit.TL
APEX	Malicious
Avast	AutoIt:Injector-JY [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	AIT:Trojan.Nymeria.1546
Rising	Trojan.CoinMiner/Autoit!1.C937 (CLASSIC)
Ad-Aware	AIT:Trojan.Nymeria.1546
Emsisoft	AIT:Trojan.Nymeria.1546 (B)
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.wc
FireEye	Generic.mg.35ab7b989418f63d
Sophos	ML/PE-A
Ikarus	Trojan-Dropper.Win32.Autoit
Avira	DR/AutoIt.Gen
MAX	malware (ai score=100)
Microsoft	TrojanDropper:AutoIt/Nymeria.AR!MTB
GData	AIT:Trojan.Nymeria.1546 (2x)
Cynet	Malicious (score: 99)
AhnLab-V3	Dropper/AU3.Miner.S1098
BitDefenderTheta	AI:Packer.BC75735117
ALYac	AIT:Trojan.Nymeria.1546
eGambit	Unsafe.AI_Score_99%
Fortinet	AutoIt/CoinMiner.TL!tr
AVG	AutoIt:Injector-JY [Trj]
Qihoo-360	HEUR/QVM10.1.9EDA.Malware.Gen

winsdk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All