Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 27, 2021, 9:29 a.m.	May 27, 2021, 9:41 a.m.

Size	968.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`c6409dcd1888eed5d528f85c21b89162`
SHA256	`9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186`
CRC32	`9EC637D5`
ssdeep	`24576:m9btxEOeavmxQyis4IY417H6SreppXHxGKklCOjkx:mNNeauxblYSyNxw8Kkx`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

file5.exe "C:\Users\test22\AppData\Local\Temp\file5.exe"
2324
- cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Sue.mp3
  288
  - cmd.exe C:\Windows\system32\cmd
    1744
    - findstr.exe findstr /V /R "^VHxFkTKzklMPCtSumZgtoIXuqMkLYwTAlnvenkTAxMprPQZQFATAsmxjKhFmHYcpskFtHQHguOKvmUspMxuniapKtlskGzSvdqLDlVoPSFxCPXNQWcNjSWw$" Divino.mp3
      1492
    - Ammirabile.exe.com Ammirabile.exe.com o
      196
      - Ammirabile.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Ammirabile.exe.com o
        1996
        
        Ammirabile.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Ammirabile.exe.com o
        1520

Name	Response	Post-Analysis Lookup
CXGVubAglGFDxYMBdULdcW.CXGVubAglGFDxYMBdULdcW
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31

IP Address	Status	Action
104.26.13.31	Active	Moloch
157.90.238.247	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49220 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 157.90.238.247:43252 -> 192.168.56.101:49219	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49220 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 27, 2021, 9:28 a.m.			0	0
IsDebuggerPresent May 27, 2021, 9:29 a.m.			0	0
IsDebuggerPresent May 27, 2021, 9:29 a.m.			0	0
IsDebuggerPresent May 27, 2021, 9:30 a.m.			0	0

Command line console output was observed (18 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: Set aoSCTEs=%userdomain% console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: Set //String2//=DESKTOP-QO5QU33 console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: The syntax of the command is incorrect. console_handle: 0x0000000b	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: if %aoSCTEs%==%//String2//% exit console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: <nul set /p = "MZ" > Ammirabile.exe.com console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: findstr /V /R "^VHxFkTKzklMPCtSumZgtoIXuqMkLYwTAlnvenkTAxMprPQZQFATAsmxjKhFmHYcpskFtHQHguOKvmUspMxuniapKtlskGzSvdqLDlVoPSFxCPXNQWcNjSWw$" Divino.mp3 >> Ammirabile.exe.com" console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: copy Pei.mp3 o console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW May 27, 2021, 9:29 a.m.	buffer: start Ammirabile.exe.com o console_handle: 0x00000007	1	1

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 27, 2021, 9:28 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74242000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:29 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74242000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:30 a.m.	process_identifier: 1996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74242000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 27, 2021, 9:29 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13726912512 root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Ammirabile.exe.com

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Sue.mp3

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 27, 2021, 9:29 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c C:\Windows\system32\cmd < Sue.mp3 filepath: C:\Windows\System32\cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001d600', u'virtual_address': u'0x00023000', u'entropy': 7.12576526719866, u'name': u'.rsrc', u'virtual_size': u'0x0001d4fa'}

entropy

7.1257652672

description

A section with a high entropy has been found

entropy

0.507559395248

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

157.90.238.247

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Bkav	W32.AIDetect.malware2
ESET-NOD32	a variant of Win32/Packed.7Zip.T
APEX	Malicious
Kaspersky	UDS:Backdoor.Win32.Agent
FireEye	Generic.mg.c6409dcd1888eed5
Jiangmin	Trojan.Generic.dmbkj
Webroot	W32.Adware.Gen
Microsoft	Trojan:Win32/Wacatac.B!ml
eGambit	Unsafe.AI_Score_99%
BitDefenderTheta	Gen:NN.ZexaF.34692.8q3@aqg6ogdk

file5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All