Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 10, 2021, 8:18 a.m.	Nov. 10, 2021, 8:27 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`5f20b46e52c413a9a4d79b1fb7a85b18`
SHA256	`6e454ecf5c2f73905e82ab278f57ad49170fded322b5abb568f0a0721a12ff86`
CRC32	`C3EDD1AA`
ssdeep	`24576:kBXu9HGaVHXYLF7GToj1tD5TIYDoSBiA:kw9VHXYLQ8JtD5MY0Z`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

winapi32.exe "C:\Users\test22\AppData\Local\Temp\winapi32.exe"
2316
- cmd.exe C:\Windows\system32\cmd.exe /c icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "test22:(R,REA,RA,RD)"
  2452
  - icacls.exe icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    2564
  - icacls.exe icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    2612
  - icacls.exe icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "test22:(R,REA,RA,RD)"
    2660

Name	Response	Post-Analysis Lookup
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
164.124.101.2	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 10, 2021, 8:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 8:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 8:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 8:18 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 10, 2021, 8:18 a.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 10, 2021, 8:18 a.m.	buffer: processed file: C:\Users\test22\AppData\Roaming\Mxmetamux console_handle: 0x00000007	1	1
WriteConsoleW Nov. 10, 2021, 8:18 a.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW Nov. 10, 2021, 8:18 a.m.	buffer: processed file: C:\Users\test22\AppData\Roaming\Mxmetamux console_handle: 0x00000007	1	1
WriteConsoleW Nov. 10, 2021, 8:18 a.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW Nov. 10, 2021, 8:18 a.m.	buffer: processed file: C:\Users\test22\AppData\Roaming\Mxmetamux console_handle: 0x00000007	1	1
WriteConsoleW Nov. 10, 2021, 8:18 a.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 10, 2021, 8:18 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET https://iplogger.org/1hkvy7

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "test22:(R,REA,RA,RD)"

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Nov. 10, 2021, 8:18 a.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\Mxmetamux\libmfxsw32.exe flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\winapi32.exe newfilepath: C:\Users\test22\AppData\Roaming\Mxmetamux\libmfxsw32.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\winapi32.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00056400', u'virtual_address': u'0x0012e000', u'entropy': 7.93583975595991, u'name': u'UPX1', u'virtual_size': u'0x00057000'}

entropy

7.93583975596

description

A section with a high entropy has been found

entropy

0.334951456311

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses suspicious command line tools or Windows utilities (4 events)

cmdline	icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
cmdline	icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline	C:\Windows\system32\cmd.exe /c icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline	icacls "C:\Users\test22\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"

Generates some ICMP traffic

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47342425
FireEye	Trojan.GenericKD.47342425
ALYac	Trojan.GenericKD.47342425
Cylance	Unsafe
Alibaba	Trojan:Win32/Starter.ali2000005
Arcabit	Trojan.Generic.D2D26359
Cyren	W32/Nymeria.E.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.MNNMTCX
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Bingoml.cqiq
BitDefender	Trojan.GenericKD.47342425
Avast	Win32:Malware-gen
Ad-Aware	Trojan.GenericKD.47342425
Sophos	Mal/Generic-S
DrWeb	Trojan.Siggen15.35763
TrendMicro	TrojanSpy.Win32.BINGOML.USMANK721
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Trojan.GenericKD.47342425 (B)
Avira	TR/Redcap.oibly
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Win32.Trojan.QuilMiner.46SS8S
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4762557
McAfee	Artemis!5F20B46E52C4
MAX	malware (ai score=84)
Malwarebytes	Trojan.MalPack
Zoner	Trojan.Win32.79630
TrendMicro-HouseCall	TrojanSpy.Win32.BINGOML.USMANK721
Ikarus	Trojan.SuspectCRC
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_70% (W)

winapi32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All