Summary | ZeroBOX

p.exe

PE32 PE File
Category FILE
Machine s1_win7_x6402
Started May 4, 2021, 11:11 a.m.
Completed May 4, 2021, 11:14 a.m.
Size 100.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ee0a1ec859b753abc30847157d81f37c
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
CRC32 9E18C80F
ssdeep 3072:UlmICQuNwVOv/8I6WruEPJZDUXA2M1CUci6sUJW51TrFS83Fo:WmICRmgMtWruEhZDCA2M1CUci6sUJW5D
PDB Path
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name             Response        Post-Analysis Lookup
api.wipmania.com 212.83.168.196

IP Address     Status Action
149.56.45.200  Active Moloch
164.124.101.2  Active Moloch
172.217.25.14  Active Moloch
212.83.168.196 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49807 -> 212.83.168.196:80 | 2014304 | ET POLICY External IP Lookup Attempt To Wipmania | Device Retrieving External IP Address Detected
TCP 192.168.56.102:49809 -> 212.83.168.196:80 | 2014304 | ET POLICY External IP Lookup Attempt To Wipmania | Device Retrieving External IP Address Detected
TCP 149.56.45.200:9030 -> 192.168.56.102:49812 | 2522180 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 | Misc Attack

Suricata TLS

No Suricata TLS

packer Armadillo v1.71
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
wsabuf_get_buffer+0xde secbuf_get_buffer-0x2b @ 0x729ae934
New_ws2_32_WSARecv@28+0xfa New_ws2_32_WSARecvFrom@36-0x85 @ 0x729cb33c
lsass+0x8a5c @ 0x12c8a5c
lsass+0x8ad8 @ 0x12c8ad8
lsass+0x8caf @ 0x12c8caf
lsass+0xe4fc @ 0x12ce4fc
lsass+0xe5ab @ 0x12ce5ab
_itow_s+0x4c _endthreadex-0x35 msvcrt+0x11287 @ 0x76501287
_endthreadex+0x6c _beginthreadex-0x6 msvcrt+0x11328 @ 0x76501328
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: f3 a5 ff 24 95 b8 99 4f 76 8a 06 88 07 8a 46 01
exception.symbol: memcpy+0x250 _ftol2-0x41 msvcrt+0x9b60
exception.instruction: movsd dword ptr es:[edi], dword ptr [esi]
exception.module: MSVCRT.dll
exception.exception_code: 0xc0000005
exception.offset: 39776
exception.address: 0x764f9b60
registers.esp: 119730092
registers.edi: 125566980
registers.eax: 87366887
registers.ebp: 119730100
registers.edx: 0
registers.ebx: 125566980
registers.esi: 23
registers.ecx: 21841716
Status 1 Return 0 Repeated 0
request GET http://api.wipmania.com/
host 149.56.45.200
host 172.217.25.14
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services reg_value C:\11608722823373\lsass.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services reg_value C:\11608722823373\lsass.exe
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
process p.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
process lsass.exe useragent
file C:\11608722823373\lsass.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\p.exe:Zone.Identifier
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Dropped:Generic.Malware.SFYd.1047967C
ALYac Dropped:Generic.Malware.SFYd.1047967C
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Worm:Win32/Phorpiex.954d53a9
K7GW Trojan ( 005533551 )
K7AntiVirus Trojan ( 005533551 )
Arcabit Generic.Malware.SFYd.DFFD9FC
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Phorpiex.V
APEX Malicious
Avast Win32:CoinminerX-gen [Trj]
ClamAV Win.Malware.Zard-9793613-0
Kaspersky HEUR:Trojan-Banker.Win32.ClipBanker.gen
BitDefender Dropped:Generic.Malware.SFYd.1047967C
NANO-Antivirus Trojan.Win32.ClipBanker.iusbkc
Paloalto generic.ml
Ad-Aware Dropped:Generic.Malware.SFYd.1047967C
DrWeb Win32.HLLW.Autoruner3.3323
McAfee-GW-Edition BehavesLike.Win32.Dropper.ch
FireEye Generic.mg.ee0a1ec859b753ab
Emsisoft Dropped:Generic.Malware.SFYd.1047967C (B)
Ikarus Worm.Win32.Phorpiex
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1132833
MAX malware (ai score=100)
Kingsoft Win32.Heur.KVMH017.a.(kcloud)
Microsoft Trojan:Script/Phonzy.B!ml
AegisLab Trojan.Win32.ClipBanker.7!c
GData Dropped:Generic.Malware.SFYd.1047967C
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.SFYd.C4442145
McAfee RDN/Generic.tfr
VBA32 BScope.Trojan.Skeeyah
Malwarebytes Trojan.Phorpiex
TrendMicro-HouseCall TROJ_GEN.R06CC0WE321
Rising Worm.Phorpiex!1.CA88 (CLOUD)
SentinelOne Static AI - Malicious PE
Fortinet W32/Phorpiex.V!worm
BitDefenderTheta Gen:NN.ZexaF.34686.guW@ae1FM0ki
AVG Win32:CoinminerX-gen [Trj]
Cybereason malicious.859b75