Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 11:11 p.m.	June 24, 2021, 11:42 p.m.

Size	105.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f07ce87fb0fee1ccc330e07141be91f9`
SHA256	`af8d689527c8f558062465791525d862a6a68b0f2b51596d2509a70d3120cd5a`
CRC32	`BBC402BC`
ssdeep	`3072:U0oyTwRNNYzYQMvKnz06K+JDz+W8M4EaJG0e4/131roJ:9kmzYQM402DzP4vjkJ`
PDB Path	D:\C++\csrrs\csrrs\Release\csrrs.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

csrrs.exe "C:\Users\test22\AppData\Local\Temp\csrrs.exe"
9068
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  5628
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  6096
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  2848
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  8400
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  4368
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  1756
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  3320
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  6324
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  7000
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  9060
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  6140
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  7128
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  1404
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  296
- cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe
  5600
- cmd.exe C:\Windows\system32\cmd.exe /c csvchost.exe
  6372

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (16 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 24, 2021, 11:11 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:12 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:12 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:12 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:12 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:12 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:12 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:12 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'C:\Users\Public\csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 11:13 p.m.	buffer: 'csvchost.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

This executable has a PDB path (1 event)

pdb_path

D:\C++\csrrs\csrrs\Release\csrrs.pdb

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /c csvchost.exe
cmdline	C:\Windows\system32\cmd.exe /c C:\Users\Public\csvchost.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (18 events)

Time & API	Arguments	Status	Return
Process32NextW June 24, 2021, 11:11 p.m.	snapshot_handle: 0x00000068 process_name: mobsync.exe process_identifier: 3400	1	1
Process32NextW June 24, 2021, 11:11 p.m.	snapshot_handle: 0x00000068 process_name: pw.exe process_identifier: 2368	1	1
Process32NextW June 24, 2021, 11:11 p.m.	snapshot_handle: 0x00000068 process_name: taskhost.exe process_identifier: 8308	1	1
Process32NextW June 24, 2021, 11:11 p.m.	snapshot_handle: 0x00000068 process_name: cmd.exe process_identifier: 9180	1	1
Process32NextW June 24, 2021, 11:11 p.m.	snapshot_handle: 0x00000068 process_name: pw.exe process_identifier: 7092	1	1
Process32NextW June 24, 2021, 11:11 p.m.	snapshot_handle: 0x00000068 process_name: csrrs.exe process_identifier: 9068	1	1
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x0000006c process_name: cmd.exe process_identifier: 1608	1	1
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x0000006c process_name: conhost.exe process_identifier: 6744	1	1
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x0000006c process_name: pw.exe process_identifier: 2196	1	1
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x00000068 process_name: cmd.exe process_identifier: 3180	1	1
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x00000068 process_name: conhost.exe process_identifier: 2600	1	1
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x00000068 process_name: pw.exe process_identifier: 3176	1	1
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x0000006c process_name: cmd.exe process_identifier: 6688	1	1
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x0000006c process_name: conhost.exe process_identifier: 2860	1	1
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x0000006c process_name: pw.exe process_identifier: 6636	1	1
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x00000068 process_name: cmd.exe process_identifier: 4828	1	1
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x00000068 process_name: conhost.exe process_identifier: 2300	1	1
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x00000068 process_name: pw.exe process_identifier: 5012	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (16 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 24, 2021, 11:11 p.m.	snapshot_handle: 0x00000068 process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x0000006c process_name: slui.exe process_identifier: 3236		0	0
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x00000068 process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x0000006c process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x00000068 process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x0000006c process_name: pw.exe process_identifier: 2196		0	0
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x00000068 process_name: pw.exe process_identifier: 3176		0	0
Process32NextW June 24, 2021, 11:12 p.m.	snapshot_handle: 0x0000006c process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x00000068 process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x0000006c process_name: pw.exe process_identifier: 6636		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x00000068 process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x0000006c process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x00000068 process_name: pw.exe process_identifier: 5012		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x0000006c process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x00000068 process_name: csrrs.exe process_identifier: 9068		0	0
Process32NextW June 24, 2021, 11:13 p.m.	snapshot_handle: 0x0000006c process_name: pw.exe process_identifier: 8960		0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

MicroWorld-eScan	Gen:Variant.Ransom.Gibon.20
McAfee	RDN/Generic.dx
Sangfor	Trojan.Win32.Dridex.ml
Alibaba	Trojan:Win32/Generic.958799d5
Cybereason	malicious.fb0fee
Arcabit	Trojan.Ransom.Gibon.20
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
BitDefender	Gen:Variant.Ransom.Gibon.20
Ad-Aware	Gen:Variant.Ransom.Gibon.20
Emsisoft	Gen:Variant.Ransom.Gibon.20 (B)
TrendMicro	TROJ_GEN.R011C0PFL21
McAfee-GW-Edition	RDN/Generic.dx
MaxSecure	Trojan.Malware.300983.susgen
FireEye	Gen:Variant.Ransom.Gibon.20
MAX	malware (ai score=81)
Gridinsoft	Ransom.Win32.Gen.sa
Microsoft	Trojan:Win32/Dridex!ml
AegisLab	Trojan.Win32.Gibon.4!c
GData	Gen:Variant.Ransom.Gibon.20
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Ransom.Gibon.20
Malwarebytes	Trojan.Dropper
TrendMicro-HouseCall	TROJ_GEN.R011C0PFL21
Rising	Malware.Heuristic!ET#83% (RDMK:cmRtazoyxUVkqsyQNiqrTy+JKRx5)
eGambit	Unsafe.AI_Score_90%
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.34758.guW@aasZ44ni
AVG	Win32:Malware-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)

csrrs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All