Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 9, 2023, 11:02 a.m.	June 9, 2023, 11:04 a.m.

Size	2.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`1e7094119ed8a4415c7549c19d771a71`
SHA256	`1dbe16e04438694c62bb747d0073bf463a2a9525f6b637432d2f1381dad04608`
CRC32	`4D4FAD93`
ssdeep	`49152:g4A6TH7YA/AoKRQvdTq4WpYlV7QdJUqxU5b+5318PNSC8uDo:lFr7lINRqpq47lVAJM5g1OYCFs`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

xmrig.exe "C:\Users\test22\AppData\Local\Temp\xmrig.exe"
1200
- cmd.exe cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
  2116
  - attrib.exe attrib -s -h -r -a C:\Windows\Fonts
    2416
- net.exe net stop MicrosotMaims
  2152
  - net1.exe C:\Windows\system32\net1 stop MicrosotMaims
    2468
- sc.exe sc delete MicrosotMaims
  2216
- net.exe net stop MicrosotMais
  2260
  - net1.exe C:\Windows\system32\net1 stop MicrosotMais
    2572
- sc.exe sc delete MicrosotMais
  2316
- net.exe net stop mssecsvc2.0
  2380
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.0
    2800
- net.exe net stop mssecsvc2.1
  2644
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.1
    2920
- sc.exe sc delete mssecsvc2.1
  2708
- svchost.exe c:\windows\Fonts\svchost.exe install MicrosotMaims c:\windows\Fonts\conhost.exe
  2772
- sc.exe sc delete mssecsvc2.0
  2524
- svchost.exe c:\windows\Fonts\svchost.exe set MicrosotMaims DisplayName Network Location Service
  2876
- svchost.exe c:\windows\Fonts\svchost.exe set MicrosotMaims Description Provides performance library information from Windows Management.
  2964
- svchost.exe c:\windows\Fonts\svchost.exe start MicrosotMaims
  3040
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\tem.vbs"
  2184

Name	Response	Post-Analysis Lookup
mys.cloudbase-init.pw	A 186.125.222.162	186.125.222.162
my.cloudbase-init.pw	A 186.125.222.162	186.125.222.162

IP Address	Status	Action
164.124.101.2	Active	Moloch
186.125.222.162	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW June 9, 2023, 11:02 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 9, 2023, 11:02 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	mys.cloudbase-init.pw				description	Palau domain TLD
domain	my.cloudbase-init.pw				description	Palau domain TLD

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e3c08

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e3c08

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e3c08

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e40f8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e40f8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e40f8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e40f8

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009e5800

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ea1a0

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ea1a0

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009eb3e8

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe30

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe7c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe7c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebe7c

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebef4

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebef4

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x009ebef4

size

0x00000014

Creates executable files on the filesystem (3 events)

file	c:\Windows\Fonts\svchost.exe
file	C:\Users\test22\AppData\Local\Temp\tem.vbs
file	c:\Windows\Fonts\conhost.exe

Creates hidden or system file (4 events)

Time & API	Arguments	Status	Return
SetFileAttributesW June 9, 2023, 11:02 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: c:\windows\Fonts\conhost.exe filepath: c:\Windows\Fonts\conhost.exe	1	1
SetFileAttributesW June 9, 2023, 11:02 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: c:\windows\Fonts\svchost.exe filepath: c:\Windows\Fonts\svchost.exe	1	1
SetFileAttributesW June 9, 2023, 11:02 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: c:\windows\Fonts\WinRing0x64.sys filepath: c:\Windows\Fonts\WinRing0x64.sys	1	1
SetFileAttributesW June 9, 2023, 11:02 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\tem.vbs filepath: C:\Users\test22\AppData\Local\Temp\tem.vbs	1	1

Creates a suspicious process (4 events)

cmdline	c:\windows\Fonts\svchost.exe install MicrosotMaims c:\windows\Fonts\conhost.exe
cmdline	c:\windows\Fonts\svchost.exe set MicrosotMaims Description Provides performance library information from Windows Management.
cmdline	c:\windows\Fonts\svchost.exe set MicrosotMaims DisplayName Network Location Service
cmdline	c:\windows\Fonts\svchost.exe start MicrosotMaims

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\tem.vbs

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\xmrig.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x002df800', u'virtual_address': u'0x00711000', u'entropy': 7.999930707885404, u'name': u'UPX1', u'virtual_size': u'0x002e0000'}

entropy

7.99993070789

description

A section with a high entropy has been found

entropy

0.992745064957

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	net stop mssecsvc2.1
cmdline	net stop MicrosotMais
cmdline	net stop MicrosotMaims
cmdline	net stop mssecsvc2.0
cmdline	sc delete MicrosotMais
cmdline	sc delete MicrosotMaims
cmdline	sc delete mssecsvc2.1
cmdline	sc delete mssecsvc2.0
cmdline	cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
cmdline	attrib -s -h -r -a C:\Windows\Fonts

Installs itself for autorun at Windows startup (1 event)

service_name

MicrosotMaims

service_path

c:\Windows\Fonts\svchost.exe

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW June 9, 2023, 11:02 a.m.	service_start_name: start_type: 2 password: display_name: MicrosotMaims filepath: c:\Windows\Fonts\svchost.exe service_name: MicrosotMaims filepath_r: c:\windows\Fonts\svchost.exe desired_access: 983551 service_handle: 0x0000000000343a80 error_control: 1 service_type: 16 service_manager_handle: 0x0000000000343a50	1	3422848	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Generic.Dacic.1.BitCoinMiner.A.EB9F1B60
ClamAV	Win.Malware.Temr-7070541-0
FireEye	Generic.mg.1e7094119ed8a441
CAT-QuickHeal	Trojan.GenericRI.S8512615
McAfee	GenericRXMB-TZ!1E7094119ED8
Cylance	Unsafe
Zillya	Trojan.Swisyn.Win32.36015
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/Coinminer.449
Cybereason	malicious.19ed8a
Arcabit	Generic.Dacic.1.BitCoinMiner.A.EB9F1B60
Cyren	W32/MadoMiner.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/TrojanDropper.FlyStudio.CO
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Generic.Dacic.1.BitCoinMiner.A.EB9F1B60
NANO-Antivirus	Trojan.Win32.Graftor.dwyqeb
Avast	FileRepMalware [Trj]
Tencent	Win32.Risk.Bitcoinminer.Ymhl
Ad-Aware	Generic.Dacic.1.BitCoinMiner.A.EB9F1B60
Sophos	Mal/Generic-S (PUA)
Comodo	Packed.Win32.MUPX.Gen@24tbus
DrWeb	Trojan.Siggen8.10580
VIPRE	Generic.Dacic.1.BitCoinMiner.A.EB9F1B60
McAfee-GW-Edition	BehavesLike.Win32.Flyagent.vc
Trapmine	malicious.high.ml.score
Emsisoft	Generic.Dacic.1.BitCoinMiner.A.EB9F1B60 (B)
Ikarus	Trojan.Win32.CoinMiner
Jiangmin	Trojan.Swisyn.dzb
Webroot	W32.Adware.Gen
Avira	HEUR/AGEN.1200869
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Generic.ASCommon.FA
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/CoinMiner!MTB
ZoneAlarm	not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
GData	Win32.Trojan.PSE.10S0A6W
Google	Detected
AhnLab-V3	Trojan/Win.TZ.R431774
BitDefenderTheta	Gen:NN.ZexaF.34726.5oKfaG1QWcab
ALYac	Generic.Dacic.1.BitCoinMiner.A.EB9F1B60
VBA32	BScope.Trojan.Miner
Malwarebytes	Trojan.BitCoinMiner

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (33 events)

dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49212
dead_host	192.168.56.103:49205
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49208
dead_host	186.125.222.162:9001
dead_host	192.168.56.103:49201
dead_host	192.168.56.103:49198
dead_host	192.168.56.103:49191
dead_host	192.168.56.103:49213
dead_host	192.168.56.103:49194
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49209
dead_host	192.168.56.103:49206
dead_host	192.168.56.103:49199
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49202
dead_host	192.168.56.103:49195
dead_host	192.168.56.103:49184
dead_host	192.168.56.103:49214
dead_host	192.168.56.103:49207
dead_host	192.168.56.103:49196
dead_host	192.168.56.103:49210
dead_host	192.168.56.103:49189
dead_host	192.168.56.103:49203
dead_host	192.168.56.103:49192
dead_host	192.168.56.103:49204
dead_host	192.168.56.103:49197
dead_host	192.168.56.103:49211
dead_host	192.168.56.103:49200
dead_host	186.125.222.162:9009

xmrig.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All