Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 3, 2023, 10:02 a.m.	Nov. 3, 2023, 10:04 a.m.

Size	472.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`1b4bc7eb054142c70e87755de845e039`
SHA256	`d0cbf22d6b18d9544e3c1488b363c099a29b698205bcca18a7eb1ae1c92d4343`
CRC32	`35B64393`
ssdeep	`12288:1a1rrvMZImfPZl/g7U2l4vW2klU1gQ3sfJ:eroZ3wP6+XrVfJ`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

marikolock2.1.exe "C:\Users\test22\AppData\Local\Temp\marikolock2.1.exe"
2540
- umesd.exe "C:\Users\test22\AppData\Local\Temp\umesd.exe"
  2644
  - umesd.exe "C:\Users\test22\AppData\Local\Temp\umesd.exe"
    2700
    - chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
      2920
      - cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\umesd.exe"
        2996

Name	Response	Post-Analysis Lookup
www.commandintelhub.xyz
www.new-minerals.com	A 103.146.179.167 CNAME cname.xg167.lhxh.cn	103.146.179.167
www.hcoarrih.com

IP Address	Status	Action
103.146.179.167	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49169 -> 103.146.179.167:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2023, 10:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.new-minerals.com/t6tg/?b6A=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&DbG=_DKHFz

Performs some HTTP requests (1 event)

request

GET http://www.new-minerals.com/t6tg/?b6A=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&DbG=_DKHFz

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 3, 2023, 10:02 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73272000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 10:02 a.m.	process_identifier: 2644 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 10:02 a.m.	process_identifier: 2700 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 10:02 a.m.	process_identifier: 2920 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\umesd.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\umesd.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\umesd.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Nov. 3, 2023, 10:02 a.m.	thread_identifier: 3000 thread_handle: 0x000000b8 process_identifier: 2996 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /c del "C:\Users\test22\AppData\Local\Temp\umesd.exe" filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000108	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 3, 2023, 10:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 3, 2023, 10:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/c del "C:\Users\test22\AppData\Local\Temp\umesd.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\umesd.exe

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2644 called NtSetContextThread to modify thread in remote process 2700
NtSetContextThread Nov. 3, 2023, 10:02 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f0 process_identifier: 2700	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Lionic	Trojan.Win32.Strab.4!c
DrWeb	Trojan.Siggen21.52418
MicroWorld-eScan	Trojan.Generic.34257413
FireEye	Generic.mg.1b4bc7eb054142c7
CAT-QuickHeal	Trojan.Strab
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Trojan.Generic.34257413
Malwarebytes	Malware.AI.2421161474
VIPRE	Trojan.Generic.34257413
Sangfor	Trojan.Win32.Formbook.V4ry
K7AntiVirus	Trojan ( 005ad2291 )
BitDefender	Trojan.Generic.34257413
K7GW	Trojan ( 005ad2291 )
Cybereason	malicious.3d2371
BitDefenderTheta	Gen:NN.ZexaF.36792.pyW@aKTUBFai
VirIT	Trojan.Win32.GenusT.DTHX
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Formbook.AA
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/FormBook.4e0cd5ea
ViRobot	Trojan.Win.Z.Formbook.483842
Rising	Trojan.Formbook!8.F858 (TFE:5:qqrzCAtliq)
Emsisoft	Trojan.Generic.34257413 (B)
F-Secure	Trojan.TR/Injector.gehio
TrendMicro	Ransom.Win32.FORMBOOK.USPAXJS23
Sophos	Mal/Generic-S
GData	Win32.Trojan.PSE.KA8TWI
Google	Detected
Avira	HEUR/AGEN.1337943
Antiy-AVL	Trojan/Win32.Injector
Kingsoft	Win32.Trojan.Strab.gen
Gridinsoft	Trojan.Win32.FormBook.bot
Xcitium	Malware@#2tm0vu0jvq2n7
Arcabit	Trojan.Generic.D20ABA05
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Formbook!ml
Varist	W32/ABRisk.WEKL-4169
AhnLab-V3	Trojan/Win.MalwareX-gen.R618381
McAfee	Artemis!1B4BC7EB0541
DeepInstinct	MALICIOUS
VBA32	Trojan.Formbook
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Ransom.Win32.FORMBOOK.USPAXJS23
Tencent	Win32.Trojan.Strab.Qimw
Ikarus	Trojan.Win32.Injector
Fortinet	NSIS/Agent.DCAC!tr

marikolock2.1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All