Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 24, 2023, 6:07 p.m.	March 24, 2023, 6:16 p.m.

Size	141.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`50e9958bb2a5b6ae6ed8da1b1d97a5bb`
SHA256	`f24438de391eac0b538c0f2f19697daeace979bf8657a8bcc74db6cb4ecb52c5`
CRC32	`B89CCE08`
ssdeep	`3072:ca+7cuLPeNoqEcBwokMUHb8uwX6SVjfLq3fNh9kPfe3:ca0vL2HEcmokbzEVzeVgfe3`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature

rc.exe "C:\Users\test22\AppData\Local\Temp\rc.exe"
2656
- cmd.exe "C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
  2812
  - taskkill.exe TASKKILL /IM chrome.exe /F
    2896
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\test22\AppData\Roaming\extension_chrome"
  3004
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef435f1e8,0x7fef435f1f8,0x7fef435f208
    1964
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3008 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
    2284
- cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\rc.exe"
  1120
  - PING.EXE ping 1.1.1.1 -n 1 -w 3000
    1356
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
techcosupportservice.com	A 198.251.84.36	198.251.84.36

IP Address	Status	Action
164.124.101.2	Active	Moloch
198.251.84.36	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 24, 2023, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2023, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2023, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2023, 6:07 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 24, 2023, 6:07 p.m.			0	0
IsDebuggerPresent March 24, 2023, 6:07 p.m.			0	0
IsDebuggerPresent March 24, 2023, 6:07 p.m.			0	0
IsDebuggerPresent March 24, 2023, 6:07 p.m.			0	0
IsDebuggerPresent March 24, 2023, 6:07 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 24, 2023, 6:07 p.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 24, 2023, 6:07 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://techcosupportservice.com/ext/manifest.json
suspicious_features	GET method with no useragent header	suspicious_request	GET http://techcosupportservice.com/ext/background.js
suspicious_features	GET method with no useragent header	suspicious_request	GET http://techcosupportservice.com/ext/main.js

Performs some HTTP requests (3 events)

request	GET http://techcosupportservice.com/ext/manifest.json
request	GET http://techcosupportservice.com/ext/background.js
request	GET http://techcosupportservice.com/ext/main.js

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 24, 2023, 6:08 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 24, 2023, 6:07 p.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 24, 2023, 6:07 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW March 24, 2023, 6:07 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323866112 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Roaming\extension_chrome\background.js
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\extension_chrome\main.js
file	C:\Users\test22\Desktop\Google Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW March 24, 2023, 6:07 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\extension_chrome filepath: C:\Users\test22\AppData\Roaming\extension_chrome	1	1	0

Creates a shortcut to an executable file (18 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\Desktop\Google Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
cmdline	cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\rc.exe"
cmdline	cmd.exe /c TASKKILL /IM chrome.exe /F

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\rc.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 24, 2023, 6:07 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c TASKKILL /IM chrome.exe /F filepath: cmd.exe	1	1	0
CreateProcessInternalW March 24, 2023, 6:07 p.m.	thread_identifier: 604 thread_handle: 0x00000300 process_identifier: 1120 current_directory: filepath: track: 1 command_line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\rc.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000378	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 24, 2023, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
cmdline	ping 1.1.1.1 -n 1 -w 3000
cmdline	TASKKILL /IM chrome.exe /F
cmdline	cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\rc.exe"
cmdline	cmd.exe /c TASKKILL /IM chrome.exe /F

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef435f1e8,0x7fef435f1f8,0x7fef435f208
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3008 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 resumed a thread in remote process 2812
NtResumeThread March 24, 2023, 6:07 p.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2812	1	0	0

Generates some ICMP traffic

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Lionic	Trojan.Win32.Doina.4!c
MicroWorld-eScan	Gen:Variant.Doina.26970
FireEye	Generic.mg.50e9958bb2a5b6ae
ALYac	Gen:Variant.Doina.26970
Cylance	unsafe
Sangfor	Trojan.Win32.Agent.Vnku
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Doina.D695A
BitDefenderTheta	Gen:NN.ZexaF.36344.iuW@aaNToTki
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 99)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Doina.26970
VIPRE	Gen:Variant.Doina.26970
McAfee-GW-Edition	BehavesLike.Win32.NetLoader.ch
Trapmine	suspicious.low.ml.score
Emsisoft	Gen:Variant.Doina.26970 (B)
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1319003
Gridinsoft	Malware.Win32.Downloader.cc
Microsoft	Trojan:Win32/Casdet!rfn
GData	Gen:Variant.Doina.26970
McAfee	Artemis!50E9958BB2A5
MAX	malware (ai score=88)
VBA32	suspected of Trojan.Downloader.gen
TrendMicro-HouseCall	TROJ_GEN.R002H07CN23
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Malicious_Behavior.SBX
Panda	Trj/Chgt.AD

rc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All