Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 13, 2021, 9:30 a.m.	Sept. 13, 2021, 9:32 a.m.

Size	180.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5120630343cdfdc8698f7ce9d9991894`
SHA256	`9831ce1230a68322d442ae5732a4974846e7c9ab7318c41d7382a986428fcb8e`
CRC32	`B2D58846`
ssdeep	`3072:u7lm+ZrvtFckqaGuI5x5puWpMoSFQ9oToqMrdhHI3IIad69/N:uEIrZBIPfp7Sq9tdZI3IIw6dN`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

task.exe "C:\Users\test22\AppData\Local\Temp\task.exe"
1116

Name	Response	Post-Analysis Lookup
xmr.f2pool.com	A 203.107.32.162 CNAME gf.f2pool.com	203.107.32.162

IP Address	Status	Action
154.91.1.118	Active	Moloch
164.124.101.2	Active	Moloch
203.107.32.162	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49201 -> 203.107.32.162:13531	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 154.91.1.118:80 -> 192.168.56.101:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 154.91.1.118:80 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 154.91.1.118:80 -> 192.168.56.101:49198	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49198 -> 154.91.1.118:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 154.91.1.118:80 -> 192.168.56.101:49198	2014819	ET INFO Packed Executable Download	Misc activity
TCP 154.91.1.118:80 -> 192.168.56.101:49198	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 154.91.1.118:80 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 154.91.1.118:80 -> 192.168.56.101:49198	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2021, 9:23 a.m.			0	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

EXE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://154.91.1.118/WinRing0x64.sys
suspicious_features	Connection to IP address				suspicious_request	GET http://154.91.1.118/java.exe

Performs some HTTP requests (2 events)

request	GET http://154.91.1.118/WinRing0x64.sys
request	GET http://154.91.1.118/java.exe

Foreign language identified in PE resource (1 event)

name

EXE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000230b0

size

0x0001f200

Creates executable files on the filesystem (1 event)

file	C:\Windows\System32\nicosoft.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002c800', u'virtual_address': u'0x0001a000', u'entropy': 7.996583887711546, u'name': u'UPX1', u'virtual_size': u'0x0002d000'}

entropy

7.99658388771

description

A section with a high entropy has been found

entropy

0.994413407821

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

154.91.1.118

Installs itself for autorun at Windows startup (1 event)

service_name

NsSvc

service_path

C:\Windows\System32\nicosoft.exe

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Sept. 13, 2021, 9:23 a.m.	service_start_name: start_type: 2 password: display_name: NicoSoft Cloud Service filepath: C:\Windows\System32\nicosoft.exe service_name: NsSvc filepath_r: C:\Windows\System32\nicosoft.exe desired_access: 2 service_handle: 0x000000000043b8f0 error_control: 1 service_type: 16 service_manager_handle: 0x000000000043b8c0	1	4438256	0

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Elastic	malicious (high confidence)
CrowdStrike	win/malicious_confidence_70% (D)
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.IW
APEX	Malicious
Kaspersky	VHO:Trojan-Downloader.Win32.Genome.gen
Avast	Win64:CoinminerX-gen [Trj]
Tencent	Win64.Trojan-downloader.Agent.Srwq
FireEye	Generic.mg.5120630343cdfdc8
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Bingoml.beh
Cylance	Unsafe
eGambit	Unsafe.AI_Score_88%
AVG	Win64:CoinminerX-gen [Trj]
MaxSecure	Trojan.Malware.300983.susgen

task.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All