Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 13, 2021, 5:33 p.m.	Sept. 13, 2021, 5:34 p.m.

Size	180.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5120630343cdfdc8698f7ce9d9991894`
SHA256	`9831ce1230a68322d442ae5732a4974846e7c9ab7318c41d7382a986428fcb8e`
CRC32	`B2D58846`
ssdeep	`3072:u7lm+ZrvtFckqaGuI5x5puWpMoSFQ9oToqMrdhHI3IIad69/N:uEIrZBIPfp7Sq9tdZI3IIw6dN`
Yara	UPX_Zero - UPX packed file IsPE64 - (no description) PE_Header_Zero - PE File Signature

task.exe "C:\Users\test22\AppData\Local\Temp\task.exe"
1944

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
154.91.1.118	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49163 -> 154.91.1.118:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2014819	ET INFO Packed Executable Download	Misc activity
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 154.91.1.118:80 -> 192.168.56.102:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2021, 5:33 p.m.			0	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

EXE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://154.91.1.118/WinRing0x64.sys
suspicious_features	Connection to IP address				suspicious_request	GET http://154.91.1.118/java.exe

Performs some HTTP requests (2 events)

request	GET http://154.91.1.118/WinRing0x64.sys
request	GET http://154.91.1.118/java.exe

Foreign language identified in PE resource (1 event)

name

EXE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000230b0

size

0x0001f200

Creates executable files on the filesystem (1 event)

file	C:\Windows\System32\nicosoft.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002c800', u'virtual_address': u'0x0001a000', u'entropy': 7.996583887711546, u'name': u'UPX1', u'virtual_size': u'0x0002d000'}

entropy

7.99658388771

description

A section with a high entropy has been found

entropy

0.994413407821

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

154.91.1.118

Installs itself for autorun at Windows startup (1 event)

service_name

NsSvc

service_path

C:\Windows\System32\nicosoft.exe

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Sept. 13, 2021, 5:33 p.m.	service_start_name: start_type: 2 password: display_name: NicoSoft Cloud Service filepath: C:\Windows\System32\nicosoft.exe service_name: NsSvc filepath_r: C:\Windows\System32\nicosoft.exe desired_access: 2 service_handle: 0x00000000002fb740 error_control: 1 service_type: 16 service_manager_handle: 0x00000000002fb710	1	3127104	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Lionic	Trojan.Win32.Genome.a!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.5120630343cdfdc8
McAfee	Artemis!5120630343CD
Cylance	Unsafe
K7GW	Trojan-Downloader ( 00578ee71 )
Cybereason	malicious.4391b1
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.IW
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win64.Miner
Avast	Win64:CoinminerX-gen [Trj]
Tencent	Win64.Trojan-downloader.Agent.Srwq
McAfee-GW-Edition	BehavesLike.Win64.Trojan.cc
Sophos	Mal/Generic-S
Jiangmin	Trojan.Bingoml.beh
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_88%
AVG	Win64:CoinminerX-gen [Trj]
CrowdStrike	win/malicious_confidence_60% (W)

task.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All