Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 13, 2021, 8:51 a.m.	Sept. 13, 2021, 8:53 a.m.

Size	125.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`86ec1c19a29d25b109102faa921c7796`
SHA256	`a390e37424852274a627183769d43e7015e88fbb02e54d1b2b8367abdc18ec7e`
CRC32	`77C52025`
ssdeep	`3072:6S5MV1iKq6X2yFaw98p+jcgkLXYlfr/gmSEYLVi:6SnYFaw98p+AjLYtgmSxM`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

conhost.exe "C:\Users\test22\AppData\Local\Temp\conhost.exe"
1944
- java.exe "C:\Users\test22\AppData\Local\Temp\java.exe"
  2860

Name	Response	Post-Analysis Lookup
xmr.f2pool.com	A 203.107.32.162 CNAME gf.f2pool.com	203.107.32.162

IP Address	Status	Action
154.91.1.118	Active	Moloch
164.124.101.2	Active	Moloch
203.107.32.162	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49163 -> 154.91.1.118:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2014819	ET INFO Packed Executable Download	Misc activity
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49166 -> 203.107.32.162:13531	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 13, 2021, 8:51 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2021, 8:51 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 8:51 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2021, 8:51 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://154.91.1.118/WinRing0x64.sys
suspicious_features	Connection to IP address				suspicious_request	GET http://154.91.1.118/java.exe

Performs some HTTP requests (2 events)

request	GET http://154.91.1.118/WinRing0x64.sys
request	GET http://154.91.1.118/java.exe

A process attempted to delay the analysis task. (1 event)

description

conhost.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\java.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (27 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: mobsync.exe process_identifier: 1928	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: sdclt.exe process_identifier: 2076	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: sppsvc.exe process_identifier: 2576	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: cmd.exe process_identifier: 2496	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: SearchProtocolHost.exe process_identifier: 2504	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: conhost.exe process_identifier: 2480	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: conhost.exe process_identifier: 1944	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: SearchFilterHost.exe process_identifier: 1328	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x0000000000000090 process_name: pw.exe process_identifier: 1616	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002cc process_name: java.exe process_identifier: 2860	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002d0 process_name: taskhost.exe process_identifier: 2428	1	1
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002d8 process_name: conhost.exe process_identifier: 508	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000001f0 process_name: cmd.exe process_identifier: 2240	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000001f0 process_name: conhost.exe process_identifier: 2392	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000001f0 process_name: pw.exe process_identifier: 2920	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000304 process_name: cmd.exe process_identifier: 2808	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000304 process_name: conhost.exe process_identifier: 1044	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000304 process_name: pw.exe process_identifier: 2924	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000230 process_name: cmd.exe process_identifier: 2984	1	1
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000230 process_name: pw.exe process_identifier: 2112	1	1
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000320 process_name: cmd.exe process_identifier: 108	1	1
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000320 process_name: conhost.exe process_identifier: 2616	1	1
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000320 process_name: pw.exe process_identifier: 2608	1	1
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000334 process_name: cmd.exe process_identifier: 2572	1	1
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000334 process_name: conhost.exe process_identifier: 1964	1	1
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000338 process_name: pw.exe process_identifier: 1136	1	1
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x000000000000034c process_name: conhost.exe process_identifier: 2296	1	1

An executable file was downloaded by the process conhost.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 13, 2021, 8:51 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $5:nüq[¯q[¯q[¯q[¯}[¯V{¯t[¯V}¯p[¯Vm¯r[¯Vq¯p[¯V\|¯p[¯Vx¯p[¯Richq[¯PEdÁ&Hð" PpdP<`À@`Ðp p.textÆ h.rdata\| @H.data0@È.pdata`@@HINIT"P â.rsrcÀ`@B request_handle: 0x0000000000cc000c	1	1	0
InternetReadFile Sept. 13, 2021, 8:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $³u2÷\Ú÷\Ú÷\ÚCÚú\ÚC¯ÚD\ÚC®Ú×\Úi´Úó\Ú¥\|_Ûþ\Ú¥\|YÛ\Ú¥\|XÛÒ\ÚR}XÛå\ÚC³Úø\Ú÷]ÚØ\ÚR}UÛ_\ÚR}£Úö\Ú÷ËÚö\ÚR}^Ûö\ÚRich÷\ÚPEd°5að"ðP< 9E`<@`E`$UEPE$DàÍ°VEEE(°EEUPX0P<àUPX1ð`<è@à.rsrcPEì@À3.94UPX! $ sß\I×[EÙ¨I#2 request_handle: 0x0000000000cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001ee00', u'virtual_address': u'0x00036000', u'entropy': 7.990786737437224, u'name': u'UPX1', u'virtual_size': u'0x0001f000'}

entropy

7.99078673744

description

A section with a high entropy has been found

entropy

0.991967871486

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (40 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002c0 process_name: pw.exe process_identifier: 1616		0	0
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002cc process_name: java.exe process_identifier: 2860		0	0
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002d0 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002d4 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002d8 process_name: pw.exe process_identifier: 776		0	0
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002dc process_name: pw.exe process_identifier: 776		0	0
Process32NextW Sept. 13, 2021, 8:51 a.m.	snapshot_handle: 0x00000000000002e0 process_name: pw.exe process_identifier: 776		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000002e4 process_name: pw.exe process_identifier: 776		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000002e8 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000002ec process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000001f0 process_name: pw.exe process_identifier: 2920		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000002f0 process_name: pw.exe process_identifier: 2920		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000002f4 process_name: pw.exe process_identifier: 2920		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000002f8 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x00000000000002fc process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000300 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000304 process_name: pw.exe process_identifier: 2924		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000308 process_name: pw.exe process_identifier: 2924		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x000000000000030c process_name: pw.exe process_identifier: 2924		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000310 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000248 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000314 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000230 process_name: pw.exe process_identifier: 2112		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000200 process_name: pw.exe process_identifier: 2112		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000204 process_name: pw.exe process_identifier: 2112		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000234 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:52 a.m.	snapshot_handle: 0x0000000000000318 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x000000000000031c process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000320 process_name: pw.exe process_identifier: 2608		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000324 process_name: pw.exe process_identifier: 2608		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000328 process_name: pw.exe process_identifier: 2608		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x000000000000032c process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000330 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000334 process_name: conhost.exe process_identifier: 1964		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000338 process_name: pw.exe process_identifier: 1136		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x000000000000033c process_name: pw.exe process_identifier: 1136		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000340 process_name: pw.exe process_identifier: 1136		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000344 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x0000000000000348 process_name: taskhost.exe process_identifier: 2428		0	0
Process32NextW Sept. 13, 2021, 8:53 a.m.	snapshot_handle: 0x000000000000034c process_name: conhost.exe process_identifier: 2296		0	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

154.91.1.118

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\java.exe

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 13, 2021, 8:51 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.Win64.Miner.4!c
MicroWorld-eScan	Trojan.GenericKD.37564838
McAfee	Artemis!86EC1C19A29D
Cylance	Unsafe
Alibaba	TrojanDownloader:Win64/Generic.33aa8754
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.IY
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win64.Miner.anow
BitDefender	Trojan.GenericKD.37564838
Avast	Win64:Trojan-gen
Ad-Aware	Trojan.GenericKD.37564838
FireEye	Generic.mg.86ec1c19a29d25b1
Emsisoft	Trojan.GenericKD.37564838 (B)
Ikarus	Trojan-Downloader.Win64.Agent
Avira	TR/Dldr.Agent.avkgp
MAX	malware (ai score=86)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Trojan.GenericKD.37564838
Cynet	Malicious (score: 100)
Malwarebytes	Trojan.Downloader
Tencent	Win64.Trojan-downloader.Agent.Edei
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_81%
Fortinet	W32/Malicious_Behavior.SBX
AVG	Win64:Trojan-gen
Cybereason	malicious.58f92e
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.300983.susgen

conhost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All