Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 10, 2023, 7:43 a.m.	Aug. 10, 2023, 7:51 a.m.

Size	267.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`f46119800d530db454ce9d90e12d2d67`
SHA256	`7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3`
CRC32	`DB416824`
ssdeep	`6144:/Ya6a+ZJ+EylwsHBTZ84rH69vRYfVC9dDpzALHmGp:/Yk+ZVy6kC4zpUrALG+`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

WmiPrvSE.exe "C:\Users\test22\AppData\Local\Temp\WmiPrvSE.exe"
2556
- WmiPrvSE.exe "C:\Users\test22\AppData\Local\Temp\WmiPrvSE.exe"
  2668

Name	Response	Post-Analysis Lookup
www.weinbrenner-stiftung.org	A 46.30.213.165	46.30.213.165
www.expelledclothing.com	A 96.126.123.244 A 198.58.118.167 A 45.33.30.197 A 45.33.23.183 A 45.79.19.196 A 72.14.185.43 A 72.14.178.174 A 45.33.20.235 A 45.56.79.23 A 45.33.2.79 A 45.33.18.44 A 173.255.194.134	45.79.19.196
www.help-hair.info	A 172.67.181.247 A 104.21.83.214	104.21.83.214
www.ceravolt.life	A 203.161.53.83	203.161.53.83
www.aquatic-organisms.info	A 199.59.243.224	199.59.243.224
www.eventz9.com	A 35.241.18.84	35.241.18.84
www.brownie.rest	A 202.172.26.52	202.172.26.52
www.ridonestore.shop	CNAME ridonestore.shop A 84.32.84.32	84.32.84.32
www.hncovnyyra.best	A 172.67.145.145 A 104.21.73.140	104.21.73.140
www.rva.info	A 3.64.163.50	3.64.163.50
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.potent-tech.com	A 119.28.69.86	119.28.69.86

IP Address	Status	Action
119.28.69.86	Active	Moloch
164.124.101.2	Active	Moloch
172.67.145.145	Active	Moloch
172.67.181.247	Active	Moloch
199.59.243.224	Active	Moloch
202.172.26.52	Active	Moloch
203.161.53.83	Active	Moloch
3.64.163.50	Active	Moloch
35.241.18.84	Active	Moloch
45.33.23.183	Active	Moloch
45.33.6.223	Active	Moloch
46.30.213.165	Active	Moloch
84.32.84.32	Active	Moloch
5.8.18.42	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 10, 2023, 7:43 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (23 events)

request	POST http://www.hncovnyyra.best/mv9h/
request	GET http://www.hncovnyyra.best/mv9h/?V6=HcykeIqVbXhfppJwoSsM/lzOWEv/63sUc26l9Pyzi/RiJWpkCKG7rYCg+zEFiCvlKsq6aaTMW0S7wU6+gIahRGdD6ziJ49MY8t7Y4AU=&2OQv=L0u7oq
request	GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip
request	POST http://www.rva.info/mv9h/
request	GET http://www.rva.info/mv9h/?V6=VRRqi/ql977uvieqYsG4fOrDt8dXLrN86EfRdYcOQNSbko9uA8lJYMBA/4W5F4bPxRFvp/KzmV+IiXK6fR3lqPQiRqLY9cobKkCJQRY=&2OQv=L0u7oq
request	POST http://www.expelledclothing.com/mv9h/
request	GET http://www.expelledclothing.com/mv9h/?V6=9a4cyonTP0e6NuzSlLJ27FO37WvMSZ0WaVw1AMtOxtaCv+m5JRKGBAYKzIKL0anZ1A3e1EfBSBxBW9/OLTmFzaHtcxx2Mn8hsStbcMw=&2OQv=L0u7oq
request	POST http://www.brownie.rest/mv9h/
request	GET http://www.brownie.rest/mv9h/?V6=vmn/PMHMKvttZlwOVZyOjTJZ+WpUZFfmH6ozGnWYHclktmcXFHgsldQI8V2t6yLP30Sy4KtKyocnDpxwpleQA38uNlwzTJH7fcDgzks=&2OQv=L0u7oq
request	POST http://www.ceravolt.life/mv9h/
request	GET http://www.ceravolt.life/mv9h/?V6=9IeKlzzeiCBmV6GZneJqnhQdGcMOrN2zpJl1PcRdXHgPlBFjKoUh2wO5Xuu1XzrnlBtm9u1a/Ow39lO36+F22xQtyEIwfDBXWZJ5lHc=&2OQv=L0u7oq
request	POST http://www.eventz9.com/mv9h/
request	GET http://www.eventz9.com/mv9h/?V6=DhN/pfZhMnl4HQr18JX+oR8+aYaT8DsUwwvwmuFtuqFZv8xoKl2cv7n6clvWh1ER01rwIDgQIfjRcGmRjQxyMnOEIFklWxiWmR0afZM=&2OQv=L0u7oq
request	POST http://www.weinbrenner-stiftung.org/mv9h/
request	GET http://www.weinbrenner-stiftung.org/mv9h/?V6=KriJDkyr9ZSDK5SncDruUH89KQPsZisyljIEVA7ACCuqryEISDWc4fIbxiwjaj9YllKMJ4K263YcXqSukN/9eRkxhZw6ZQvhn0MgKpA=&2OQv=L0u7oq
request	POST http://www.aquatic-organisms.info/mv9h/
request	GET http://www.aquatic-organisms.info/mv9h/?V6=iptoip7pWRsS9xKJtuuMpZ3pZju1uspYTD6Awsn8x9vJeBkpaHApDsxm5SKYRJmJIPm4Br1em9F8LnG0RKBgEpAwWbXUGUe5zk5WzmM=&2OQv=L0u7oq
request	POST http://www.help-hair.info/mv9h/
request	GET http://www.help-hair.info/mv9h/?V6=GNz0FM0e5ScvNElU2Hu2om6Rqm4e+67FZh9yl10aFczOUMs8DWUv0BGRHOdPh5hc0CAdyJzRrvN/qShJrEMPe4vi0TNirV+929KqINs=&2OQv=L0u7oq
request	POST http://www.ridonestore.shop/mv9h/
request	GET http://www.ridonestore.shop/mv9h/?V6=9VxnjTCqrqAAIhZwG9PoTS29kvYV+Vsyiu2Fvyx7VLgNyAFzPPwxiPtN8AaY7yAV9hQiJzLhpdoSmgIbJxvhNzuKboEGgwYKJo7uw1I=&2OQv=L0u7oq
request	POST http://www.potent-tech.com/mv9h/
request	GET http://www.potent-tech.com/mv9h/?V6=5LG9sGJ0Xy0tGBfy/i4n941Vae72eun7+06/2kSJ2Ijal4TzL2poOVQfz4pDEpYGJhcAHBjd7wBR7BL0Fryth6nc1D7NW/kGG+pkqcI=&2OQv=L0u7oq

Sends data using the HTTP POST Method (11 events)

request	POST http://www.hncovnyyra.best/mv9h/
request	POST http://www.rva.info/mv9h/
request	POST http://www.expelledclothing.com/mv9h/
request	POST http://www.brownie.rest/mv9h/
request	POST http://www.ceravolt.life/mv9h/
request	POST http://www.eventz9.com/mv9h/
request	POST http://www.weinbrenner-stiftung.org/mv9h/
request	POST http://www.aquatic-organisms.info/mv9h/
request	POST http://www.help-hair.info/mv9h/
request	POST http://www.ridonestore.shop/mv9h/
request	POST http://www.potent-tech.com/mv9h/

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 10, 2023, 7:43 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2023, 7:43 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2023, 7:43 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2023, 7:43 a.m.	process_identifier: 2668 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsoEE98.tmp\knbxxpu.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsoEE98.tmp\knbxxpu.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 10, 2023, 7:43 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

5.8.18.42

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2668
NtSetContextThread Aug. 10, 2023, 7:43 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199520 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000218 process_identifier: 2668	1	0	0

Generates some ICMP traffic

WmiPrvSE.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All