Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 23, 2021, 9:43 a.m.	Oct. 23, 2021, 9:46 a.m.

Size	401.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`07f5f3b04b3997354115cc715febc848`
SHA256	`7a7a128a51a5e153c55481518bdffe67093e94d99845531918ff50875a13e5fe`
CRC32	`78C05EB7`
ssdeep	`6144:R5VybgaUV4kgV4YHRBduhafN7FY7WXGNJ:JybgvAxHweFY7WXm`
PDB Path	OfficeDesktop.pdb
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

os.zip "C:\Users\test22\AppData\Local\Temp\os.zip"
3024
- dllhost.exe "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe"
  1444
  - cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\3e5d740863\
    556
    - reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\3e5d740863\
      2032
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F
    2672

Name	Response	Post-Analysis Lookup
web.xmlpost.xyz
web.jsonpost.xyz	A 169.197.142.162	169.197.142.162

IP Address	Status	Action
164.124.101.2	Active	Moloch
169.197.142.162	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49206 -> 169.197.142.162:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 23, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 23, 2021, 9:43 a.m.	buffer: SUCCESS: The scheduled task "dllhost.exe" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Oct. 23, 2021, 9:43 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

OfficeDesktop.pdb

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 23, 2021, 9:43 a.m.	stacktrace: os+0x10e0 @ 0x4010e0 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 8b 45 f0 83 60 64 00 8b 45 f0 83 60 70 00 fc exception.symbol: os+0x630d exception.instruction: int3 exception.module: os.zip exception.exception_code: 0x80000003 exception.offset: 25357 exception.address: 0x40630d registers.esp: 1638056 registers.edi: 0 registers.eax: 9091120 registers.ebp: 1638140 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 4074962944	1	0	0
__exception__ Oct. 23, 2021, 9:43 a.m.	stacktrace: dllhost+0x10e0 @ 0x4010e0 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: cc 8b 45 f0 83 60 64 00 8b 45 f0 83 60 70 00 fc exception.symbol: dllhost+0x630d exception.instruction: int3 exception.module: dllhost.exe exception.exception_code: 0x80000003 exception.offset: 25357 exception.address: 0x40630d registers.esp: 1638056 registers.edi: 0 registers.eax: 5421120 registers.ebp: 1638140 registers.edx: 2130566132 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 3850174464	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://web.jsonpost.xyz/sj2vMs/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://web.jsonpost.xyz/sj2vMs/index.php?scr=1

Performs some HTTP requests (2 events)

request	POST http://web.jsonpost.xyz/sj2vMs/index.php
request	POST http://web.jsonpost.xyz/sj2vMs/index.php?scr=1

Sends data using the HTTP POST Method (2 events)

request	POST http://web.jsonpost.xyz/sj2vMs/index.php
request	POST http://web.jsonpost.xyz/sj2vMs/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 3024 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7efa0000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773e6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 3024 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef90000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 1444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 1444 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7efa0000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 1444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773e6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 23, 2021, 9:43 a.m.	process_identifier: 1444 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef90000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0xffffffff	1

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\3e5d740863\

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 23, 2021, 9:43 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe	1	1
ShellExecuteExW Oct. 23, 2021, 9:43 a.m.	show_type: 0 filepath_r: cmd parameters: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\3e5d740863\ filepath: cmd	1	1
ShellExecuteExW Oct. 23, 2021, 9:43 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F filepath: SCHTASKS	1	1

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F
cmdline	cmd /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\3e5d740863\
cmdline	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\3e5d740863\
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\3e5d740863\

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN dllhost.exe /TR "C:\Users\test22\AppData\Local\Temp\3e5d740863\dllhost.exe" /F

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Swizzor.l8Pw
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00588b3e1 )
BitDefender	Trojan.GenericKD.37823254
K7GW	Trojan ( 00588b3e1 )
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Generic.D2412316
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HMUW
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.Win32.Bobik.gen
Alibaba	Trojan:Win32/Kryptik.4f5b5137
NANO-Antivirus	Virus.Win32.Gen.ccmw
MicroWorld-eScan	Trojan.GenericKD.37823254
Avast	Win32:CrypterX-gen [Trj]
Rising	Trojan.Generic@ML.88 (RDMK:6vwUYEhpGEvMId2uu2lEqQ)
Ad-Aware	Trojan.GenericKD.37823254
Sophos	ML/PE-A
TrendMicro	TROJ_GEN.R002C0WJI21
McAfee-GW-Edition	BehavesLike.Win32.Generic.gm
FireEye	Generic.mg.07f5f3b04b399735
Emsisoft	Trojan.GenericKD.37823254 (B)
Jiangmin	Trojan.Fsysna.nhh
Avira	TR/Fraud.Gen8
MAX	malware (ai score=84)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Script/Phonzy.B!ml
GData	Win32.Trojan.BSE.TTUNZ7
AhnLab-V3	Trojan/Win.Generic.R445985
VBA32	BScope.TrojanSpy.Bobik
ALYac	Trojan.GenericKD.37823254
TrendMicro-HouseCall	TROJ_GEN.R002C0WJI21
Tencent	Malware.Win32.Gencirc.11d327a0
Yandex	Trojan.Kryptik!0JPmqTA7D64
Ikarus	Trojan.Win32.Crypt
Fortinet	W32/Kryptik.HMUW!tr
BitDefenderTheta	Gen:NN.ZexaF.34236.zq0@autzNPdi
AVG	Win32:CrypterX-gen [Trj]
Cybereason	malicious.f8ea07
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.74196578.susgen

os.zip

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All