Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 19, 2021, 10:42 a.m.	Sept. 19, 2021, 11:14 a.m.

Size	7.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`af3e98549b975158f54ef8b171182d50`
SHA256	`43a1ee058eb0b771d9f9b179cb51a5b56a1c3ae8bdc211edeb8486f89e3bc10f`
CRC32	`86EDEEEF`
ssdeep	`96:ZeLUneX1Oe4HEWjOIgydPtboynun/AqiCtq9:0AeXcCcP1oynW/Ag`
PDB Path
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description)

753.exe "C:\Users\test22\AppData\Local\Temp\753.exe"
2232
- wincfg.exe C:\Users\test22\wincfg.exe
  2084
  - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\85B3.tmp\85B4.tmp\85B5.bat C:\Users\test22\wincfg.exe"
    656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.84:80 -> 192.168.56.101:49198	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.101:49198 -> 185.215.113.84:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49198 -> 185.215.113.84:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.84:80 -> 192.168.56.101:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.84:80 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 19, 2021, 10:35 a.m.	buffer: Press any key to continue . . . console_handle: 0x0000000000000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

The executable uses a known packer (1 event)

packer

Armadillo v1.71

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://185.215.113.84/etc.exe

Performs some HTTP requests (1 event)

request

GET http://185.215.113.84/etc.exe

A process attempted to delay the analysis task. (1 event)

description

wincfg.exe tried to sleep 586 seconds, actually delayed analysis time by 586 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\85B3.tmp\85B4.tmp\85B5.bat
file	C:\Users\test22\AppData\Local\Temp\85B3.tmp\Defender.exe
file	C:\Users\test22\wincfg.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 19, 2021, 10:42 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000ac filepath: C:\Users\test22\5s4d.txt desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\5s4d.txt create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\85B3.tmp\85B4.tmp\85B5.bat C:\Users\test22\wincfg.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\85B3.tmp\Defender.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 19, 2021, 10:35 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\85B3.tmp\85B4.tmp\85B5.bat C:\Users\test22\wincfg.exe" filepath: C:\Windows\System32\cmd	1	1	0

An executable file was downloaded by the process 753.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 19, 2021, 10:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdE@]ð/2bC@ÀDñÈ ¨BÐÔ¨öH.codeZ\ `.textµp` `.rdata=KLf@@.pdata request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\85B3.tmp\85B4.tmp\85B5.bat C:\Users\test22\wincfg.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\85B3.tmp\85B4.tmp\85B5.bat C:\Users\test22\wincfg.exe"

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.84

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration				reg_value	C:\Users\test22\wincfg.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Configuration				reg_value	C:\Users\test22\wincfg.exe

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\wincfg.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 resumed a thread in remote process 656
NtResumeThread Sept. 19, 2021, 10:35 a.m.	thread_handle: 0x00000000000001f4 suspend_count: 1 process_identifier: 656	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Generic.a!c
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader.origin
MicroWorld-eScan	Trojan.GenericKD.37595827
ALYac	Trojan.GenericKD.37595827
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005823881 )
Alibaba	TrojanDownloader:Win32/MalwareX.95a1a994
K7GW	Trojan-Downloader ( 005823881 )
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZexaF.34142.auW@a8m3bHai
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Tiny.NTK
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.Win32.Generic
BitDefender	Trojan.GenericKD.37595827
Avast	Win32:MalwareX-gen [Trj]
Tencent	Win32.Trojan-downloader.Generic.Lohy
Ad-Aware	Trojan.GenericKD.37595827
Sophos	Mal/Generic-S (PUA)
TrendMicro	TROJ_FRS.0NA103II21
McAfee-GW-Edition	BehavesLike.Win32.Generic.zt
FireEye	Generic.mg.af3e98549b975158
Emsisoft	Trojan-Downloader.Tiny (A)
SentinelOne	Static AI - Malicious PE
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=84)
Kingsoft	Win32.Heur.KVMH017.a.(kcloud)
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
GData	Trojan.GenericKD.37595827
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.C4204685
Acronis	suspicious
McAfee	RDN/Generic Downloader.x
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Trojan.Downloader
TrendMicro-HouseCall	TROJ_FRS.0NA103II21
Rising	Trojan.Generic@ML.91 (RDML:HYCzEUpYBrFhWCy5trk1yg)
Ikarus	Trojan-Downloader.Win32.Tiny
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Tiny.NTK!tr.dldr
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.49b975

753.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All