Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 15, 2021, 1:08 p.m.	Aug. 15, 2021, 1:11 p.m.

Size	283.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`39d6ec1892af37c0fd5c5c2ea89ea782`
SHA256	`439386a1dfa86c57251f8ee7eeafe15170f6999a97dfeb257ea139829af601c7`
CRC32	`9F02B6F4`
ssdeep	`1536:Pi/RkUpybMbsLs6Hfo0uC3ItNmWPsh4U16wnrg/xSMxWRL7C9ki2FZ9DPnak9P8N:ewznY8ItNHGNr2vW79XIa+5k4`
PDB Path	hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win_Worm_Phorpiex - a worm which spreads via removable drives and network drives.

456.exe "C:\Users\test22\AppData\Local\Temp\456.exe"
2232
- winappmgr.exe "C:\Users\test22\Windows Application Manager\winappmgr.exe"
  1772
  - cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
    492
    - netsh.exe netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe"
      2696
    - netsh.exe netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
      2196
  - cmd.exe "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
    1204
    - netsh.exe netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe"
      656
    - netsh.exe netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
      900
  - cmd.exe "C:\Windows\System32\cmd.exe" /c netsh firewall set service type= upnp mode = enable
    1868
    - netsh.exe netsh firewall set service type= upnp mode = enable
      2088
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
stun.sipgate.net	A 217.10.68.145 A 217.10.68.152	217.10.68.152

IP Address	Status	Action
164.124.101.2	Active	Moloch
217.10.68.145	Active	Moloch
217.116.122.143	Active	Moloch
79.141.72.138	Active	Moloch
79.141.72.156	Active	Moloch
79.141.72.52	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61481 -> 217.116.122.143:3479	2033078	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 217.116.122.143:3479 -> 192.168.56.101:61481	2018908	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)	Generic Protocol Command Decode
UDP 217.10.68.145:3478 -> 192.168.56.101:61481	2016150	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)	Attempted User Privilege Gain
UDP 217.10.68.145:3478 -> 192.168.56.101:61481	2018908	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)	Generic Protocol Command Decode
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2018907	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)	Generic Protocol Command Decode
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2018905	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)	Generic Protocol Command Decode
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain
UDP 192.168.56.101:61481 -> 217.10.68.145:3478	2016149	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	Attempted User Privilege Gain

Suricata TLS

No Suricata TLS

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleA Aug. 15, 2021, 1:08 p.m.	buffer: No rules match the specified criteria. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 1:08 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 1:10 p.m.	buffer: No rules match the specified criteria. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 1:10 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 1:10 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 1:10 p.m.	buffer: Ok. console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 15, 2021, 1:08 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	217.10.68.145
ip	217.116.122.143
ip	79.141.72.138
ip	79.141.72.156
ip	79.141.72.52

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 15, 2021, 1:09 p.m.	total_number_of_free_bytes: 13652402176 free_bytes_available: 13652402176 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Aug. 15, 2021, 1:08 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\Windows Application Manager filepath: C:\Users\test22\Windows Application Manager	1	1	0

Creates a suspicious process (6 events)

cmdline	cmd.exe /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh firewall set service type= upnp mode = enable
cmdline	cmd.exe /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	cmd.exe /c netsh firewall set service type= upnp mode = enable

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 15, 2021, 1:08 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe" filepath: cmd.exe	1	1
ShellExecuteExW Aug. 15, 2021, 1:09 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480 filepath: cmd.exe	1	1
ShellExecuteExW Aug. 15, 2021, 1:09 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c netsh firewall set service type= upnp mode = enable filepath: cmd.exe	1	1

Connects to SIP Stun Server (1 event)

domain

stun.sipgate.net

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	netsh firewall set service type= upnp mode = enable
cmdline	cmd.exe /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh firewall set service type= upnp mode = enable
cmdline	cmd.exe /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe"
cmdline	netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe"
cmdline	cmd.exe /c netsh firewall set service type= upnp mode = enable

Communicates with host for which no DNS query was performed (4 events)

host	217.116.122.143
host	79.141.72.138
host	79.141.72.156
host	79.141.72.52

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Application Manager

reg_value

C:\Users\test22\Windows Application Manager\winappmgr.exe

Operates on local firewall's policies and settings (8 events)

cmdline	cmd.exe /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	cmd.exe /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe" \|\| netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\test22\windows application manager\winappmgr.exe" program="C:\Users\test22\Windows Application Manager\winappmgr.exe"
cmdline	netsh advfirewall firewall show rule name="c:\users\test22\windows application manager\winappmgr.exe"
cmdline	netsh advfirewall firewall add rule name="Port 61480 c:\users\test22\windows application manager\winappmgr.exe" dir=in action=allow protocol=UDP localport=61480
cmdline	netsh advfirewall firewall show rule "Port 61480 c:\users\test22\windows application manager\winappmgr.exe"

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.MulDrop18.27677
MicroWorld-eScan	Trojan.GenericKD.37397738
FireEye	Generic.mg.39d6ec1892af37c0
McAfee	Artemis!39D6EC1892AF
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/Starter.ali2000005
Cybereason	malicious.146cbb
BitDefenderTheta	Gen:NN.ZexaE.34058.ruW@aGlBEvmi
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Dropper.Win32.Sysn.gen
BitDefender	Trojan.GenericKD.37397738
Ad-Aware	Trojan.GenericKD.37397738
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.dt
Emsisoft	Trojan.GenericKD.37397738 (B)
Webroot	W32.Trojan.Gen
MAX	malware (ai score=99)
Kingsoft	Win32.Heur.KVMH017.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Script/Phonzy.C!ml
ZoneAlarm	HEUR:Trojan-Dropper.Win32.Sysn.gen
GData	Trojan.GenericKD.37397738
Cynet	Malicious (score: 100)
Rising	Spyware.ClipBanker!1.D05A (CLASSIC)
SentinelOne	Static AI - Malicious PE
Fortinet	Malicious_Behavior.SB
MaxSecure	Trojan.Malware.300983.susgen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	Win32/TrojanDropper.Sysn.HgIASaUA

456.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All