Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 27, 2021, 9:24 a.m.	Oct. 27, 2021, 9:26 a.m.

Size	571.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2626a621fab10eec02e1c3dc2ab29361`
SHA256	`33c72f7177a297ca3c396a50c7ad4bb85d20693d8cdc2fbc26b979d1cf0bddd4`
CRC32	`9078E5F3`
ssdeep	`12288:GY7Lwe5zzrtK6HOWUGmuulkI7o8XEqxcAMR3D0oil4bUEpRzW3rd6b1PXpfQE8r1:G0Lwu3InErq3+P5IEj4D`
PDB Path	E:\123\All in Desktop\crown-demo-01-07-2019\cross3\Release\cross3.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

cross2007.exe "C:\Users\test22\AppData\Local\Temp\cross2007.exe"
1868
- taskmgr.exe "C:\Windows\System32\taskmgr.exe"
  584
- cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM explorer.exe -f
  2724
  - taskkill.exe taskkill /IM explorer.exe -f
    1808

Name	Response	Post-Analysis Lookup
prodownload.live	A 74.208.236.24	74.208.236.24

IP Address	Status	Action
164.124.101.2	Active	Moloch
74.208.236.24	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49202 -> 74.208.236.24:80	2029286	ET MALWARE CrownAdPro CnC Activity M3	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 74.208.236.24:80	2029287	ET MALWARE CrownAdPro CnC Activity M4	Malware Command and Control Activity Detected
TCP 192.168.56.101:49199 -> 74.208.236.24:80	2029143	ET MALWARE CrownAdPro CnC Activity M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 74.208.236.24:80	2029285	ET MALWARE CrownAdPro CnC Activity M2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 74.208.236.24:80	2029288	ET MALWARE CrownAdPro CnC Activity M5	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 27, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 27, 2021, 9:24 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 9:24 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 27, 2021, 9:24 a.m.	buffer: SUCCESS: The process "explorer.exe" with PID 1848 has been terminated. console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

E:\123\All in Desktop\crown-demo-01-07-2019\cross3\Release\cross3.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 27, 2021, 9:24 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://prodownload.live/iam//index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://prodownload.live/ixset.php?ip=175.208.134.150&mcid=1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://prodownload.live/ixpkey.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://prodownload.live/ixptexts.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://prodownload.live/setad.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://prodownload.live/ixlive.php?uid=1

Performs some HTTP requests (6 events)

request	GET http://prodownload.live/iam//index.php
request	GET http://prodownload.live/ixset.php?ip=175.208.134.150&mcid=1
request	GET http://prodownload.live/ixpkey.php
request	GET http://prodownload.live/ixptexts.php
request	GET http://prodownload.live/setad.php
request	GET http://prodownload.live/ixlive.php?uid=1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 27, 2021, 9:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 27, 2021, 9:24 a.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c taskkill /IM explorer.exe -f

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 27, 2021, 9:24 a.m.	show_type: 0 filepath_r: taskmgr.exe parameters: filepath: taskmgr.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 27, 2021, 9:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Oct. 27, 2021, 9:24 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{528AC0BA-D2D1-4286-A5A4-49ACDC3FB5D6} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{528AC0BA-D2D1-4286-A5A4-49ACDC3FB5D6}		2	0
RegOpenKeyExW Oct. 27, 2021, 9:24 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{528AC0BA-D2D1-4286-A5A4-49ACDC3FB5D6} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{528AC0BA-D2D1-4286-A5A4-49ACDC3FB5D6}		2	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 27, 2021, 9:24 a.m.	status_code: 0x00000001 process_identifier: 1848 process_handle: 0x00000194		0	0
NtTerminateProcess Oct. 27, 2021, 9:24 a.m.	status_code: 0x00000001 process_identifier: 1848 process_handle: 0x00000194	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	taskkill /IM explorer.exe -f
cmdline	C:\Windows\system32\cmd.exe /c taskkill /IM explorer.exe -f

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 27, 2021, 9:24 a.m.	thread_identifier: 1396 thread_handle: 0x000002d8 process_identifier: 584 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\taskmgr.exe track: 1 command_line: "C:\Windows\System32\taskmgr.exe" filepath_r: C:\Windows\System32\taskmgr.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e0	1	1	0
ShellExecuteExW Oct. 27, 2021, 9:24 a.m.	show_type: 0 filepath_r: taskmgr.exe parameters: filepath: taskmgr.exe	1	1	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Lionic	Trojan.Win32.Mikey.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Mikey.112480
ALYac	Gen:Variant.Mikey.112480
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.QBF
K7AntiVirus	Spyware ( 005712c61 )
BitDefender	Gen:Variant.Mikey.112480
K7GW	Spyware ( 005712c61 )
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Mikey.D1B760
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.Agent.QBF
APEX	Malicious
Paloalto	generic.ml
Alibaba	TrojanSpy:Win32/Cryptoload.1cdd878d
Avast	Win32:Trojan-gen
Ad-Aware	Gen:Variant.Mikey.112480
Emsisoft	Gen:Variant.Mikey.112480 (B)
McAfee-GW-Edition	GenericRXJO-MB!2626A621FAB1
FireEye	Generic.mg.2626a621fab10eec
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Cryptoload
Avira	HEUR/AGEN.1123838
MAX	malware (ai score=84)
Gridinsoft	Trojan.Win32.Agent.dd!n
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Win32.Trojan-Spy.Agent.ASH
Cynet	Malicious (score: 99)
AhnLab-V3	Downloader/Win.Cryptoload.R445611
McAfee	GenericRXJO-MB!2626A621FAB1
VBA32	BScope.Trojan.Gasti
Malwarebytes	Rogue.TechSupportScam
TrendMicro-HouseCall	TROJ_GEN.R002H0CJQ21
Fortinet	W32/Agent.QBF!tr
BitDefenderTheta	Gen:NN.ZexaF.34236.Jy0@a85p6Ypi
AVG	Win32:Trojan-gen
Cybereason	malicious.1fab10
Panda	Trj/Genetic.gen

cross2007.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All