Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 9, 2023, 11:04 a.m.	June 9, 2023, 11:06 a.m.

Size	112.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`67dfc7730a6d14715de7b28db5f23c0b`
SHA256	`47adf8083f73c20364fb88abce106f4e2126dbb08be18d0a066a9a8fc10ec436`
CRC32	`1CF02C4A`
ssdeep	`1536:vqEA70HzLJksPEOajozLElnqiO27dJ/tHi:vXTLJkQ7zAV3HtC`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature hide_executable_file - Hide executable file IsPE32 - (no description)

64.exe "C:\Users\test22\AppData\Local\Temp\64.exe"
2560
- cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\64.exe"
  2676
  - PING.EXE ping 127.0.0.1 -n 1
    2748

Name	Response	Post-Analysis Lookup
cloudbase-init.pw	A 114.202.175.143	114.202.175.143

IP Address	Status	Action
114.202.175.143	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA June 9, 2023, 11:04 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 9, 2023, 11:04 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

cloudbase-init.pw

description

Palau domain TLD

Creates executable files on the filesystem (1 event)

file	C:\Program Files (x86)\Google\36061329.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 9, 2023, 11:04 a.m.	service_start_name: start_type: 2 password: display_name: System Remote Data Simulation Layer filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "conhost" service_name: conhost filepath_r: %SystemRoot%\System32\svchost.exe -k "conhost" desired_access: 983551 service_handle: 0x005a8d98 error_control: 0 service_type: 272 service_manager_handle: 0x005a8e38	1	5934488	0

Creates a suspicious process (2 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\64.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\64.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\64.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 9, 2023, 11:04 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\64.exe" filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: pw.exe process_identifier: 2324	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: wsqmcons.exe process_identifier: 2360	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: sdclt.exe process_identifier: 2384	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: 64.exe process_identifier: 2560	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: schtasks.exe process_identifier: 2612	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: conhost.exe process_identifier: 2620	1	1
Process32NextW June 9, 2023, 11:04 a.m.	snapshot_handle: 0x000000dc process_name: conhost.exe process_identifier: 6815854		0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\64.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\64.exe"
cmdline	ping 127.0.0.1 -n 1

Installs itself for autorun at Windows startup (2 events)

service_name	conhost				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "conhost"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\conhost\Parameters\ServiceDll				reg_value	C:\Program Files (x86)\Google\36061329.dll

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\64.exe

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.FamVT.Renamer1.Trojan
Lionic	Trojan.Win32.Siscos.tpvk
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.40455963
FireEye	Generic.mg.67dfc7730a6d1471
CAT-QuickHeal	Backdoor.VenikRI.S16788663
ALYac	Trojan.GenericKD.40455963
Cylance	unsafe
VIPRE	Trojan.GenericKD.40455963
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Trojan ( 00522d7f1 )
Alibaba	Malware:Win32/km_2ee9d.None
K7GW	Trojan ( 00522d7f1 )
Cybereason	malicious.30a6d1
BitDefenderTheta	Gen:NN.ZexaF.36196.hy0@am1sDGne
VirIT	Trojan.Win32.Dnldr23.CGCL
Cyren	W32/Siscos.E.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Farfli.CEN
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Gh0stRAT-6997745-0
Kaspersky	Trojan.Win32.Siscos.wbm
BitDefender	Trojan.GenericKD.40455963
NANO-Antivirus	Trojan.Win32.Siscos.enrcbv
SUPERAntiSpyware	Adware.Farli/Variant
Avast	Win32:CoinminerX-gen [Trj]
Tencent	Trojan.Win32.Siscos.za
Sophos	Troj/AutoG-AD
F-Secure	Trojan.TR/AD.Farfli.cznig
DrWeb	Trojan.DownLoader23.39271
Zillya	Trojan.Siscos.Win32.4780
TrendMicro	BKDR_ZEGOST.SM35
McAfee-GW-Edition	GenericRXBH-NF!67DFC7730A6D
Emsisoft	Trojan.Farfli (A)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Siscos.cd
Webroot	W32.Siscos
Avira	TR/AD.Farfli.cznig
Antiy-AVL	Trojan/Win32.Siscos
Microsoft	Backdoor:Win32/Farfli.BH!MTB
Gridinsoft	Trojan.Win32.Agent.vb!n
Xcitium	TrojWare.Win32.GameThief.Magania.~NWABU@18g2sq
Arcabit	Trojan.Generic.D2694F1B
ViRobot	Trojan.Win32.Agent.114688.DM
ZoneAlarm	Trojan.Win32.Siscos.wbm
GData	Win32.Trojan.Siscos.A
Google	Detected
AhnLab-V3	Trojan/Win32.Siscos.R199489

64.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All