Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 12, 2023, 2:50 p.m.	Feb. 12, 2023, 3:03 p.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6cc7d9664c1a89c58549e57b5959bb38`
SHA256	`27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4`
CRC32	`D355486A`
ssdeep	`49152:kHEP1Ytp7MnOYoH7NzvsfZHXlIZELxmuY88jIvnPojMuHmsMtTQpw:GEPuBSONzvsfZ3eCxmQ8cWmsM`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

WW2.exe "C:\Users\test22\AppData\Local\Temp\WW2.exe"
2544

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.43.165.105
ipinfo.io	A 34.117.59.81	34.117.59.81
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
www.maxmind.com	A 104.17.215.67 A 104.17.214.67	104.17.214.67
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
172.217.175.68	Active	Moloch
104.17.214.67	Active	Moloch
121.254.136.27	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
23.254.227.214	Active	Moloch
34.117.59.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 104.17.214.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49163 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.101:49163	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49165 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49166 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc
TLSv1 192.168.56.101:49163 34.117.59.81:443	C=US, O=Let's Encrypt, CN=R3	CN=ipinfo.io	63:03:85:17:32:f2:5e:25:3f:4e:ca:14:a9:16:fe:4d:7c:c4:54:bf
TLSv1 192.168.56.101:49165 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 12, 2023, 2:50 p.m.			0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://23.254.227.214/api/tracemap.php

Performs some HTTP requests (5 events)

request	GET http://23.254.227.214/api/tracemap.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Sends data using the HTTP POST Method (1 event)

request

POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_NEUTRAL

filetype

data

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00247970

size

0x000002ac

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Feb. 12, 2023, 2:50 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 12, 2023, 2:50 p.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.175.68
host	23.254.227.214

Disables Windows Security features (10 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8AE8A912-87E2-4EE0-851E-922C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

MicroWorld-eScan	Gen:Heur.Mint.PrivateLoader.1
McAfee	Artemis!6CC7D9664C1A
Cylance	Unsafe
VIPRE	Gen:Heur.Mint.PrivateLoader.1
Sangfor	Trojan.Win32.Agent.Vzn3
K7AntiVirus	Trojan ( 0057eb8e1 )
Alibaba	Trojan:Win32/Nekark.a05e38b9
K7GW	Trojan ( 0057eb8e1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Mint.PrivateLoader.1
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.PrivateLoader
ESET-NOD32	a variant of Win32/Agent.ADGH
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Heur.Mint.PrivateLoader.1
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Trojan.Generic.Jtgl
Emsisoft	Gen:Heur.Mint.PrivateLoader.1 (B)
DrWeb	Trojan.DownLoader45.42282
TrendMicro	Trojan.Win32.PRIVATELOADER.YXDBKZ
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Heur.Mint.PrivateLoader.1
Avira	TR/AD.Nekark.jtxwk
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Casdet!rfn
GData	Gen:Heur.Mint.PrivateLoader.1
AhnLab-V3	Trojan/Win.Generic.C5272956
BitDefenderTheta	Gen:NN.ZexaF.36276.tw0@aOND2PkQ
ALYac	Gen:Heur.Mint.PrivateLoader.1
VBA32	BScope.TrojanPSW.Arkei
Malwarebytes	Trojan.WDDisabler
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXDBKZ
Rising	Downloader.Agent!1.D93C (CLASSIC)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Agent.ADGH!tr
AVG	Win32:PWSX-gen [Trj]

WW2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All