Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 5, 2022, 9:50 a.m.	Dec. 5, 2022, 9:52 a.m.

Size	80.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b8d23f55d8924b617a57035db1cd3eb0`
SHA256	`921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8`
CRC32	`E3D02692`
ssdeep	`1536:Q+uA+pnOZyTfpU9tE6lrY4eOmunPXqDMlsKrKN08LpSMm+IEQFTm:RuBA+hME6+SnPQasBN0cSN+IlFTm`
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
800
- cmd.exe cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\test22\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")
  2128
  - PING.EXE ping 127.0.0.1
    2216
  - service.exe "C:\ProgramData\service.exe"
    2304

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.149.180.212	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameA Dec. 5, 2022, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 5, 2022, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 5, 2022, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 5, 2022, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 5, 2022, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 5, 2022, 9:50 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (20 events)

Time & API	Arguments	Status	Return
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Dec. 5, 2022, 9:50 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 5, 2022, 9:50 a.m.		1	1	0

Creates a suspicious process (1 event)

cmdline

cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\test22\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\svchost.exe

Executes one or more WMI queries (1 event)

wmi

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32FirstW Dec. 5, 2022, 9:50 a.m.	snapshot_handle: 0x00000138 process_name: Pack 1 process_identifier: 1		0	0

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping 127.0.0.1
cmdline	cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\test22\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")

Communicates with host for which no DNS query was performed (1 event)

host

193.149.180.212

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension

reg_value

C:\ProgramData\service.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 resumed a thread in remote process 2304
NtResumeThread Dec. 5, 2022, 9:50 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2304	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.149.180.212:443

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Trojan.Win32.Fsysna.4!c
DrWeb	Trojan.MulDrop20.52562
MicroWorld-eScan	Gen:Variant.Fragtor.142091
FireEye	Gen:Variant.Fragtor.142091
ALYac	Gen:Variant.Fragtor.142091
Cylance	Unsafe
Zillya	Trojan.Agent.Win32.3013728
Sangfor	Trojan.Win32.Agent.Vvjy
K7AntiVirus	Trojan ( 0058ecdd1 )
Alibaba	Trojan:Win32/Generic.6bbcbf4b
K7GW	Trojan ( 0058ecdd1 )
Arcabit	Trojan.Fragtor.D22B0B
BitDefenderTheta	Gen:NN.ZexaF.36106.fu0@ayCZ@Pji
Cyren	W32/ABTrojan.BLWN-8726
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Agent.ADYK
APEX	Malicious
Kaspersky	Trojan.Win32.Fsysna.ihjv
BitDefender	Gen:Variant.Fragtor.142091
NANO-Antivirus	Trojan.Win32.Fsysna.jsthyw
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Fsysna.Ckjl
Ad-Aware	Gen:Variant.Fragtor.142091
Emsisoft	Gen:Variant.Fragtor.142091 (B)
VIPRE	Gen:Variant.Fragtor.142091
TrendMicro	TROJ_GEN.R067C0PIB22
McAfee-GW-Edition	BehavesLike.Win32.Dropper.mh
Sophos	Mal/Generic-S
Jiangmin	Trojan.Fsysna.ohp
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Crypt.XPACK.Gen3
Antiy-AVL	Trojan/Win32.Fsysna
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Gen:Variant.Fragtor.142091
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C5235390
McAfee	RDN/Generic.dx
MAX	malware (ai score=84)
TrendMicro-HouseCall	TROJ_GEN.R067C0PIB22
Rising	Trojan.Agent!8.B1E (TFE:3:lVmKEGZ4QoP)
Ikarus	Trojan.Win32.Agent
MaxSecure	Trojan.Malware.188080196.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/Chgt.AD

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All