Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 9, 2023, 7 p.m.	May 9, 2023, 7:03 p.m.

Size	7.5MB
Type	7-zip archive data, version 0.3
MD5	`f91cf94c3ba6073a885f53e8c32bfa1b`
SHA256	`6477b1ea0cc53d0c508295dcc53a0d465acc3fa712a56d846ca3bf0e296c83a5`
CRC32	`578B7284`
ssdeep	`196608:6IF0dGrJLTnsDh4yIZJDa7CD3Dgkd5eqYeA5jhgx+//bbFqbdLO:QdGrJvnu+TECrNJ1Ah68/bbFUK`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "XFpANgjtLh" C:\Users\test22\AppData\Local\Temp\103.40.123.34_update.7z
3008
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\103.40.123.34_update.7z"
  1784

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
180.69.10.237	Active	Moloch
180.69.101.7	Active	Moloch
180.69.102.117	Active	Moloch
180.69.102.175	Active	Moloch
180.69.104.13	Active	Moloch
180.69.104.63	Active	Moloch
180.69.105.127	Active	Moloch
180.69.106.13	Active	Moloch
180.69.106.15	Active	Moloch
180.69.107.153	Active	Moloch
180.69.109.225	Active	Moloch
180.69.109.47	Active	Moloch
180.69.11.137	Active	Moloch
180.69.11.51	Active	Moloch
180.69.111.121	Active	Moloch
180.69.111.227	Active	Moloch
180.69.111.41	Active	Moloch
180.69.112.143	Active	Moloch
180.69.113.167	Active	Moloch
180.69.114.123	Active	Moloch
180.69.114.199	Active	Moloch
180.69.115.13	Active	Moloch
180.69.115.239	Active	Moloch
180.69.115.240	Active	Moloch
180.69.115.31	Active	Moloch
180.69.115.97	Active	Moloch
180.69.118.61	Active	Moloch
180.69.119.123	Active	Moloch
180.69.119.155	Active	Moloch
180.69.119.219	Active	Moloch
180.69.119.53	Active	Moloch
180.69.12.145	Active	Moloch
180.69.120.207	Active	Moloch
180.69.121.181	Active	Moloch
180.69.121.191	Active	Moloch
180.69.122.1	Active	Moloch
180.69.123.235	Active	Moloch
180.69.124.155	Active	Moloch
180.69.124.95	Active	Moloch
180.69.125.155	Active	Moloch
180.69.128.179	Active	Moloch
180.69.13.153	Active	Moloch
180.69.130.35	Active	Moloch
180.69.130.99	Active	Moloch
180.69.132.47	Active	Moloch
180.69.135.117	Active	Moloch
180.69.135.235	Active	Moloch
180.69.136.29	Active	Moloch
180.69.137.145	Active	Moloch
180.69.137.213	Active	Moloch
180.69.138.189	Active	Moloch
180.69.14.105	Active	Moloch
180.69.140.157	Active	Moloch
180.69.140.213	Active	Moloch
180.69.140.214	Active	Moloch
180.69.143.167	Active	Moloch
180.69.143.97	Active	Moloch
180.69.145.185	Active	Moloch
180.69.146.107	Active	Moloch
180.69.146.131	Active	Moloch
180.69.146.181	Active	Moloch
180.69.148.215	Active	Moloch
180.69.149.169	Active	Moloch
180.69.149.255	Active	Moloch
180.69.150.139	Active	Moloch
180.69.150.221	Active	Moloch
180.69.151.69	Active	Moloch
180.69.155.101	Active	Moloch
180.69.155.105	Active	Moloch
180.69.156.233	Active	Moloch
180.69.158.29	Active	Moloch
180.69.158.45	Active	Moloch
180.69.159.237	Active	Moloch
180.69.16.185	Active	Moloch
180.69.16.189	Active	Moloch
180.69.16.193	Active	Moloch
180.69.161.53	Active	Moloch
180.69.166.157	Active	Moloch
180.69.167.169	Active	Moloch
180.69.167.247	Active	Moloch
180.69.168.181	Active	Moloch
180.69.168.35	Active	Moloch
180.69.168.57	Active	Moloch
180.69.169.205	Active	Moloch
180.69.17.203	Active	Moloch
180.69.17.249	Active	Moloch
180.69.170.107	Active	Moloch
180.69.171.177	Active	Moloch
180.69.172.111	Active	Moloch
180.69.173.57	Active	Moloch
180.69.174.47	Active	Moloch
180.69.175.197	Active	Moloch
180.69.176.219	Active	Moloch
180.69.18.93	Active	Moloch
180.69.181.193	Active	Moloch
180.69.183.9	Active	Moloch
180.69.184.105	Active	Moloch
180.69.184.107	Active	Moloch
180.69.184.27	Active	Moloch
180.69.19.21	Active	Moloch
180.69.191.223	Active	Moloch
180.69.192.181	Active	Moloch
180.69.192.63	Active	Moloch
180.69.193.63	Active	Moloch
180.69.193.79	Active	Moloch
180.69.194.251	Active	Moloch
180.69.195.87	Active	Moloch
180.69.196.213	Active	Moloch
180.69.196.3	Active	Moloch
180.69.196.33	Active	Moloch
180.69.199.215	Active	Moloch
180.69.2.231	Active	Moloch
180.69.20.111	Active	Moloch
180.69.20.159	Active	Moloch
180.69.20.61	Active	Moloch
180.69.200.75	Active	Moloch
180.69.200.83	Active	Moloch
180.69.201.67	Active	Moloch
180.69.202.137	Active	Moloch
180.69.203.179	Active	Moloch
180.69.204.205	Active	Moloch
180.69.205.11	Active	Moloch
180.69.205.12	Active	Moloch
180.69.206.71	Active	Moloch
180.69.207.35	Active	Moloch
180.69.208.89	Active	Moloch
180.69.208.93	Active	Moloch
180.69.209.173	Active	Moloch
180.69.209.91	Active	Moloch
180.69.21.61	Active	Moloch
180.69.21.87	Active	Moloch
180.69.210.131	Active	Moloch
180.69.210.147	Active	Moloch
180.69.210.223	Active	Moloch
180.69.211.107	Active	Moloch
180.69.211.7	Active	Moloch
180.69.212.255	Active	Moloch
180.69.213.1	Active	Moloch
180.69.213.161	Active	Moloch
180.69.213.175	Active	Moloch
180.69.214.33	Active	Moloch
180.69.216.141	Active	Moloch
180.69.216.43	Active	Moloch
180.69.217.49	Active	Moloch
180.69.217.50	Active	Moloch
180.69.217.9	Active	Moloch
180.69.219.181	Active	Moloch
180.69.22.149	Active	Moloch
180.69.22.247	Active	Moloch
180.69.222.103	Active	Moloch
180.69.222.185	Active	Moloch
180.69.223.249	Active	Moloch
180.69.224.209	Active	Moloch
180.69.226.111	Active	Moloch
180.69.226.71	Active	Moloch
180.69.227.75	Active	Moloch
180.69.228.141	Active	Moloch
180.69.228.149	Active	Moloch
180.69.228.217	Active	Moloch
180.69.228.73	Active	Moloch
180.69.229.35	Active	Moloch
180.69.23.207	Active	Moloch
180.69.230.151	Active	Moloch
180.69.231.235	Active	Moloch
180.69.234.167	Active	Moloch
180.69.235.131	Active	Moloch
180.69.235.135	Active	Moloch
180.69.236.65	Active	Moloch
180.69.236.9	Active	Moloch
180.69.237.215	Active	Moloch
180.69.238.237	Active	Moloch
180.69.239.139	Active	Moloch
180.69.239.211	Active	Moloch
180.69.24.189	Active	Moloch
180.69.24.53	Active	Moloch
180.69.242.1	Active	Moloch
180.69.243.167	Active	Moloch
180.69.243.221	Active	Moloch
180.69.243.5	Active	Moloch
180.69.245.27	Active	Moloch
180.69.245.69	Active	Moloch
180.69.246.233	Active	Moloch
180.69.246.249	Active	Moloch
180.69.246.250	Active	Moloch
180.69.247.213	Active	Moloch
180.69.247.221	Active	Moloch
180.69.248.225	Active	Moloch
180.69.249.157	Active	Moloch
180.69.249.251	Active	Moloch
180.69.25.51	Active	Moloch
180.69.250.147	Active	Moloch
180.69.250.247	Active	Moloch
180.69.251.209	Active	Moloch
180.69.252.59	Active	Moloch
180.69.252.83	Active	Moloch
180.69.254.1	Active	Moloch
180.69.255.125	Active	Moloch
180.69.255.199	Active	Moloch
180.69.27.33	Active	Moloch
180.69.28.35	Active	Moloch
180.69.3.169	Active	Moloch
180.69.3.17	Active	Moloch
180.69.30.201	Active	Moloch
180.69.31.217	Active	Moloch
180.69.31.71	Active	Moloch
180.69.32.35	Active	Moloch
180.69.33.245	Active	Moloch
180.69.35.181	Active	Moloch
180.69.38.101	Active	Moloch
180.69.39.39	Active	Moloch
180.69.41.123	Active	Moloch
180.69.41.143	Active	Moloch
180.69.41.5	Active	Moloch
180.69.43.245	Active	Moloch
180.69.45.215	Active	Moloch
180.69.46.77	Active	Moloch
180.69.47.65	Active	Moloch
180.69.49.123	Active	Moloch
180.69.49.235	Active	Moloch
180.69.5.247	Active	Moloch
180.69.5.65	Active	Moloch
180.69.50.219	Active	Moloch
180.69.50.95	Active	Moloch
180.69.51.55	Active	Moloch
180.69.52.165	Active	Moloch
180.69.54.117	Active	Moloch
180.69.55.103	Active	Moloch
180.69.55.229	Active	Moloch
180.69.6.29	Active	Moloch
180.69.6.87	Active	Moloch
180.69.60.19	Active	Moloch
180.69.60.199	Active	Moloch
180.69.66.155	Active	Moloch
180.69.67.185	Active	Moloch
180.69.68.53	Active	Moloch
180.69.7.77	Active	Moloch
180.69.71.141	Active	Moloch
180.69.71.187	Active	Moloch
180.69.72.167	Active	Moloch
180.69.75.77	Active	Moloch
180.69.76.33	Active	Moloch
180.69.77.123	Active	Moloch
180.69.77.87	Active	Moloch
180.69.8.193	Active	Moloch
180.69.80.51	Active	Moloch
180.69.81.219	Active	Moloch
180.69.82.13	Active	Moloch
180.69.82.35	Active	Moloch
180.69.82.99	Active	Moloch
180.69.83.193	Active	Moloch
180.69.84.109	Active	Moloch
180.69.84.217	Active	Moloch
180.69.85.179	Active	Moloch
180.69.87.237	Active	Moloch
180.69.88.231	Active	Moloch
180.69.89.27	Active	Moloch
180.69.9.13	Active	Moloch
180.69.9.237	Active	Moloch
180.69.90.19	Active	Moloch
180.69.90.63	Active	Moloch
180.69.90.71	Active	Moloch
180.69.91.249	Active	Moloch
180.69.92.29	Active	Moloch
180.69.94.1	Active	Moloch
180.69.94.125	Active	Moloch
180.69.94.141	Active	Moloch
180.69.94.99	Active	Moloch
180.69.95.237	Active	Moloch
180.69.95.239	Active	Moloch
180.69.95.240	Active	Moloch
180.69.95.93	Active	Moloch
180.69.96.17	Active	Moloch
180.69.96.241	Active	Moloch
180.69.97.199	Active	Moloch
180.69.98.3	Active	Moloch
180.69.98.4	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49398 -> 180.69.16.193:445	2001569	ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection	Misc activity
TCP 192.168.56.102:49688 -> 180.69.150.139:445	2001569	ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 9, 2023, 7 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 9, 2023, 7 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 9, 2023, 7 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74062000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 9, 2023, 7 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\7zE8F683C7D\sqhost_new.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8F683C7D\install.cmd
file	C:\Users\test22\AppData\Local\Temp\7zE8F683C7D\rdpcIip_new.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 9, 2023, 7 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW May 9, 2023, 7:01 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (50 out of 276 events)

host	180.69.10.237
host	180.69.101.7
host	180.69.102.117
host	180.69.102.175
host	180.69.104.13
host	180.69.104.63
host	180.69.105.127
host	180.69.106.13
host	180.69.106.15
host	180.69.107.153
host	180.69.109.225
host	180.69.109.47
host	180.69.11.137
host	180.69.11.51
host	180.69.111.121
host	180.69.111.227
host	180.69.111.41
host	180.69.112.143
host	180.69.113.167
host	180.69.114.123
host	180.69.114.199
host	180.69.115.13
host	180.69.115.239
host	180.69.115.240
host	180.69.115.31
host	180.69.115.97
host	180.69.118.61
host	180.69.119.123
host	180.69.119.155
host	180.69.119.219
host	180.69.119.53
host	180.69.12.145
host	180.69.120.207
host	180.69.121.181
host	180.69.121.191
host	180.69.122.1
host	180.69.123.235
host	180.69.124.155
host	180.69.124.95
host	180.69.125.155
host	180.69.128.179
host	180.69.13.153
host	180.69.130.35
host	180.69.130.99
host	180.69.132.47
host	180.69.135.117
host	180.69.135.235
host	180.69.136.29
host	180.69.137.145
host	180.69.137.213

103.40.123.34_update.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All