Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 2, 2021, 12:51 p.m.	Oct. 2, 2021, 1 p.m.

Size	71.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c532ac418f3e867907c2757a7ca56a53`
SHA256	`555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99`
CRC32	`D7551D62`
ssdeep	`1536:+3Mz8oy284usnjFzuNXoaSTM98qKH5Fn:FwofxFK5oagMNO5F`
Yara	Malicious_Packer_Zero - Malicious Packer Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

mup.exe "C:\Users\test22\AppData\Local\Temp\mup.exe"
2444
- wsecsvcmgr.exe C:\Windows\wsecsvcmgr.exe
  1772

Name	Response	Post-Analysis Lookup
www.update.microsoft.com	CNAME redir.update.microsoft.com.nsatc.net CNAME www.update.microsoft.com.nsatc.net A 52.137.90.34	52.185.71.28

IP Address	Status	Action
151.234.111.115	Active	Moloch
151.239.29.44	Active	Moloch
164.124.101.2	Active	Moloch
178.169.31.126	Active	Moloch
178.253.102.214	Active	Moloch
186.94.107.91	Active	Moloch
187.156.53.199	Active	Moloch
187.230.102.45	Active	Moloch
2.178.208.211	Active	Moloch
2.190.108.57	Active	Moloch
213.230.69.229	Active	Moloch
217.219.197.194	Active	Moloch
217.30.163.6	Active	Moloch
31.184.160.220	Active	Moloch
42.248.182.142	Active	Moloch
42.248.182.162	Active	Moloch
42.248.182.199	Active	Moloch
42.248.182.94	Active	Moloch
42.248.183.204	Active	Moloch
46.41.210.169	Active	Moloch
46.70.75.105	Active	Moloch
5.236.202.102	Active	Moloch
52.137.90.34	Active	Moloch
78.154.58.250	Active	Moloch
80.191.99.108	Active	Moloch
88.204.223.198	Active	Moloch
89.236.216.4	Active	Moloch
89.236.233.147	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 2, 2021, 12:51 p.m.			0	0

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (23 events)

ip	42.248.182.162
ip	100.88.41.176
ip	100.89.1.141
ip	151.234.111.115
ip	151.239.29.44
ip	178.169.31.126
ip	186.94.107.91
ip	187.156.53.199
ip	187.230.102.45
ip	2.178.208.211
ip	2.190.108.57
ip	213.230.69.229
ip	217.30.163.6
ip	42.248.182.142
ip	42.248.182.199
ip	42.248.182.94
ip	46.41.210.169
ip	5.236.202.102
ip	78.154.58.250
ip	80.191.99.108
ip	88.204.223.198
ip	89.236.216.4
ip	89.236.233.147

A process attempted to delay the analysis task. (1 event)

description

wsecsvcmgr.exe tried to sleep 121 seconds, actually delayed analysis time by 121 seconds

Creates hidden or system file (17 events)

Time & API	Arguments	Status
NtCreateFile Oct. 2, 2021, 12:52 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001e0 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001a8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001bc filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001bc filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001bc filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001bc filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001bc filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001bc filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodesinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodesinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Oct. 2, 2021, 12:53 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001bc filepath: C:\Users\test22\cmdinfo.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\cmdinfo.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1

Communicates with host for which no DNS query was performed (26 events)

host	151.234.111.115
host	151.239.29.44
host	178.169.31.126
host	178.253.102.214
host	186.94.107.91
host	187.156.53.199
host	187.230.102.45
host	2.178.208.211
host	2.190.108.57
host	213.230.69.229
host	217.219.197.194
host	217.30.163.6
host	31.184.160.220
host	42.248.182.142
host	42.248.182.162
host	42.248.182.199
host	42.248.182.94
host	42.248.183.204
host	46.41.210.169
host	46.70.75.105
host	5.236.202.102
host	78.154.58.250
host	80.191.99.108
host	88.204.223.198
host	89.236.216.4
host	89.236.233.147

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service

reg_value

C:\Windows\wsecsvcmgr.exe

Modifies security center warnings (7 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\Temp\mup.exe:Zone.Identifier
file	C:\Windows\wsecsvcmgr.exe:Zone.Identifier

Generates some ICMP traffic

Disables Windows Security features (5 events)

description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description	attempts to disable windows update notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Fwdisable.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37675794
CAT-QuickHeal	Trojan.Generic
ALYac	Trojan.GenericKD.37675794
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005533551 )
Alibaba	Worm:Win32/Phorpiex.8efc1669
K7GW	Trojan ( 005533551 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D23EE312
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Phorpiex.V
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.37675794
Avast	Win32:KadrBot [Trj]
Tencent	Win32.Trojan.Generic.Swkg
Ad-Aware	Trojan.GenericKD.37675794
Sophos	ML/PE-A
Comodo	Malware@#1focjyur33i1g
DrWeb	DLOADER.Trojan
McAfee-GW-Edition	BehavesLike.Win32.Generic.lh
FireEye	Generic.mg.c532ac418f3e8679
Emsisoft	Trojan.GenericKD.37675794 (B)
Ikarus	Worm.Win32.Phorpiex
Webroot	W32.Trojan.FWDisable.emW@aCxrSb
Avira	HEUR/AGEN.1135016
Kingsoft	Win32.Heur.KVMH012.a.(kcloud)
Gridinsoft	Malware.Win32.GenericMC.cc
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKD.37675794
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4630408
Acronis	suspicious
McAfee	GenericRXQF-OJ!C532AC418F3E
MAX	malware (ai score=80)
Malwarebytes	Trojan.Phorpiex
TrendMicro-HouseCall	TROJ_GEN.R002H0CIS21
Rising	Trojan.Generic@ML.86 (RDMK:y7ivWWGuFPyeanKUnks+fg)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Phorpiex.V!tr
BitDefenderTheta	AI:Packer.2619E80B1E
AVG	Win32:KadrBot [Trj]
Panda	Adware/SecurityProtection

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	46.70.75.105:40555
dead_host	217.219.197.194:40555
dead_host	178.253.102.214:40555
dead_host	192.168.56.101:49208
dead_host	31.184.160.220:40555
dead_host	42.248.183.204:40555

mup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All