Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 27, 2021, 5:53 p.m.	July 27, 2021, 6:02 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`36efb3390df7e6ecc5289f72cdf59d82`
SHA256	`a42e903ae820f28980e819453ce24adcb66832cb474b993a288518562092fb68`
CRC32	`10D7B419`
ssdeep	`24576:UZUwXfHfdrWqVn6tnFE2A8ZF6Qm+pKVG29fcwDLMQG+Z2XlR:Cf/RCGmdpKb9fc1q2f`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

ma.exe "C:\Users\test22\AppData\Local\Temp\ma.exe"
2072
- taskkill.exe Taskkill /F /IM DbSecuritySpt.exe
  2216
- taskkill.exe Taskkill /F /IM Bill.exe
  2332
- taskkill.exe Taskkill /F /IM svch0st.exe
  2476

Name	Response	Post-Analysis Lookup
cao.300gsyn.it	A 216.83.33.79	216.83.33.79

IP Address	Status	Action
164.124.101.2	Active	Moloch
216.83.33.79	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 27, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 27, 2021, 5:53 p.m.	buffer: ERROR: The process "DbSecuritySpt.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2021, 5:53 p.m.	buffer: ERROR: The process "Bill.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW July 27, 2021, 5:53 p.m.	buffer: ERROR: The process "svch0st.exe" not found. console_handle: 0x0000000b	1	1

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

EXE

Foreign language identified in PE resource (9 events)

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

Creates executable files on the filesystem (3 events)

file	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
file	C:\Program Files\DbSecuritySpt\Packet.dll
file	C:\Program Files\DbSecuritySpt\SESDKDummy64.dll

Creates a service (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA July 27, 2021, 5:53 p.m.	service_start_name: start_type: 2 password: display_name: filepath: C:\Program Files\DbSecuritySpt\npf.sys service_name: NPF filepath_r: C:\Program Files\DbSecuritySpt\npf.sys desired_access: 983551 service_handle: 0x005cb538 error_control: 1 service_type: 1 service_manager_handle: 0x005cb358	1	6075704	0
CreateServiceA July 27, 2021, 5:54 p.m.	service_start_name: start_type: 2 password: display_name: filepath: C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe service_name: DbSecuritySpt filepath_r: C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe desired_access: 983551 service_handle: 0x005cb1f0 error_control: 1 service_type: 16 service_manager_handle: 0x005cb358	1	6074864	0

Executes one or more WMI queries (3 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DbSecuritySpt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "svch0st.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Bill.exe")

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 27, 2021, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 27, 2021, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 27, 2021, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	Taskkill /F /IM svch0st.exe
cmdline	Taskkill /F /IM DbSecuritySpt.exe
cmdline	Taskkill /F /IM Bill.exe

Installs itself for autorun at Windows startup (2 events)

service_name	NPF				service_path	C:\Program Files\DbSecuritySpt\npf.sys
service_name	DbSecuritySpt				service_path	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe

Installs WinPCAP (2 events)

file	C:\Program Files\DbSecuritySpt\Packet.dll
file	C:\Program Files\DbSecuritySpt\npf.sys

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Reconyc.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Agent.CGMR
CAT-QuickHeal	Trojan.WebToos.S18562
ALYac	Trojan.Agent.CGMR
Cylance	Unsafe
Zillya	Rootkit.Agent.Win32.15968
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	RootKit ( 0055e3fe1 )
Alibaba	Malware:Win32/Dorpal.ali1000029
K7GW	RootKit ( 0055e3fe1 )
Cybereason	malicious.90df7e
Baidu	Win32.Rootkit.Agent.at
Cyren	W32/WebToos.B.gen!Eldorado
Symantec	SMG.Heur!gen
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Gadoopt-2
Kaspersky	Trojan.Win32.Reconyc.esql
BitDefender	Trojan.Agent.CGMR
NANO-Antivirus	Trojan.Win32.Reconyc.exhhog
ViRobot	Backdoor.Win32.Agent.1315840.A
Avast	Win32:Prockill-A [Rtk]
Tencent	Malware.Win32.Gencirc.10b54e8b
Ad-Aware	Trojan.Agent.CGMR
TACHYON	Trojan/W32.Rootkit.1315840
Sophos	Mal/Generic-R
DrWeb	BackDoor.Gates.8
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_WEBTOOS.SM
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
FireEye	Generic.mg.36efb3390df7e6ec
Emsisoft	Trojan.Agent.CGMR (B)
Ikarus	Backdoor.Win32.Agent
Jiangmin	Trojan/Reconyc.eyd
Avira	TR/Agent.14016.2
Antiy-AVL	Trojan/Generic.ASMalwS.A3CBB3
Kingsoft	Win32.Troj.Reconyc.es.(kcloud)
Microsoft	Trojan:Win32/WebToos.A
SUPERAntiSpyware	Trojan.Agent/Gen-Backdoor
ZoneAlarm	Trojan.Win32.Reconyc.esql
GData	Trojan.Agent.CGMR
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Webtoos.C1040590
McAfee	GenericRXDY-OY!36EFB3390DF7
MAX	malware (ai score=100)
VBA32	BScope.Trojan.Nagyo
Malwarebytes	Trojan.WebToos

ma.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All