Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2021, 10:58 a.m.	Nov. 1, 2021, 11:05 a.m.

Size	82.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a4a8a89ce20e6f60d67140336e0a53cc`
SHA256	`bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df`
CRC32	`ADC6A8BE`
ssdeep	`1536:ORC2p2bHgBjEAKsQHzIRiuoSL6EWCOSSUnEy9ZjBiVcUvnZjgf2c:O8bAuAfuIlHGEXTUqAcUBUuc`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Netwire_prevent.exe "C:\Users\test22\AppData\Local\Temp\Netwire_prevent.exe"
1116
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Prevent windows from sleeping.vbs"
  2384
- nwire733.exe "C:\Users\test22\AppData\Local\Temp\nwire733.exe"
  1444

Name	Response	Post-Analysis Lookup
nwire733.duckdns.org	A 185.228.19.147	185.228.19.147

IP Address	Status	Action
103.151.123.194	Active	Moloch
164.124.101.2	Active	Moloch
185.228.19.147	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 10:58 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2021, 10:58 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

MicroJoiner 1.7 -> coban2k

Connects to a Dynamic DNS Domain (1 event)

domain

nwire733.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d02000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\nwire733.exe
file	C:\Users\test22\AppData\Local\Temp\Prevent windows from sleeping.vbs

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\Prevent windows from sleeping.vbs
file	C:\Users\test22\AppData\Local\Temp\nwire733.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nwire733.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000141d8', u'virtual_address': u'0x00002000', u'entropy': 7.9329436539567775, u'name': u'.rsrc', u'virtual_size': u'0x000141d8'}

entropy

7.93294365396

description

A section with a high entropy has been found

entropy

0.981698598799

description

Overall entropy of this PE file is high

Yara rule detected in process memory (24 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

103.151.123.194

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 resumed a thread in remote process 2384
Process injection	Process 1116 resumed a thread in remote process 1444
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2384	1	0	0
NtResumeThread Nov. 1, 2021, 10:58 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 1444	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.228.19.147:7920

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Lionic	Trojan.Win32.Microjoin.l4WK
Elastic	malicious (high confidence)
DrWeb	Trojan.MulDrop.1161
MicroWorld-eScan	Trojan.Clicker.Delf.KG
FireEye	Generic.mg.a4a8a89ce20e6f60
CAT-QuickHeal	Trojan.Microjoin.16709
ALYac	Trojan.Clicker.Delf.KG
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
Alibaba	Malware:Win32/km_2a02.None
K7GW	Trojan ( 0007233e1 )
K7AntiVirus	Trojan ( 0007233e1 )
BitDefenderTheta	AI:Packer.AC7EEC021E
Cyren	W32/Joiner.B.gen!Eldorado
Symantec	Downloader
ESET-NOD32	Win32/TrojanDropper.Microjoin.C
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Joiner-6
Kaspersky	Trojan-Dropper.Win32.Pincher.hp
BitDefender	Trojan.Clicker.Delf.KG
NANO-Antivirus	Trojan.Win32.Pincher.covlcf
Avast	Win32:Joiner-C [Trj]
Tencent	Win32.Trojan-dropper.Pincher.Lmui
Ad-Aware	Trojan.Clicker.Delf.KG
Sophos	Mal/Generic-R + Mal/Dropper-C
Comodo	TrojWare.Win32.TrojanDropper.Microjoin.C@1r72
Baidu	Win32.Trojan-Dropper.Microjoin.c
VIPRE	BehavesLike.Win32.Malware.dss (mx-v)
TrendMicro	TROJ_DROPPER.MX
McAfee-GW-Edition	BehavesLike.Win32.VirRansom.mc
Emsisoft	Trojan.Clicker.Delf.KG (B)
Ikarus	Trojan-Dropper.Win32.Microjoin
Jiangmin	TrojanDropper.Win32.Joiner.ae
Avira	DR/Injector.toian
Antiy-AVL	Trojan[Dropper]/Win32.Pincher.hp
Microsoft	TrojanDropper:Win32/Joiner.AJ
ZoneAlarm	Trojan-Dropper.Win32.Pincher.hp
GData	Trojan.Clicker.Delf.KG
Cynet	Malicious (score: 100)
AhnLab-V3	Dropper/Win32.Microjoin.C4198
Acronis	suspicious
McAfee	BackDoor-CEO.c
MAX	malware (ai score=85)
VBA32	Trojan-Droper.MTA.0465
Malwarebytes	Trojan.Dropper
TrendMicro-HouseCall	TROJ_DROPPER.MX
Rising	Backdoor.Win32.SdBot.xd (CLASSIC)
Yandex	Constructor.Microjoiner.AC

Netwire_prevent.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All