Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 6, 2023, 9:30 a.m.	Nov. 6, 2023, 9:37 a.m.

Size	320.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e4c5c50d9c573109411348e4c7f79dd8`
SHA256	`7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce`
CRC32	`74565325`
ssdeep	`6144:gU4LI9VtOpy4NT+Cxe0eAb8R5DI1bUUzJ6Gor:g989VQpy4NDe48R5s1dJn+`
PDB Path	C:\hoxi\hobokepeteye46\kum9\cagotihit4-pow.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

s5.exe "C:\Users\test22\AppData\Local\Temp\s5.exe"
1280
- s5.exe "C:\Users\test22\AppData\Local\Temp\s5.exe"
  2088
  - cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "s5.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\s5.exe" & exit
    2600
    - taskkill.exe taskkill /im "s5.exe" /f
      2668

Name	Response	Post-Analysis Lookup
script.googleusercontent.com	CNAME googlehosted.l.googleusercontent.com A 142.251.220.33	142.250.206.225
script.google.com	A 172.217.24.78	142.250.206.238

IP Address	Status	Action
142.251.220.33	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.78	Active	Moloch
85.209.11.204	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 172.217.24.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 142.251.220.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 172.217.24.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	fd:ee:45:21:a2:3c:95:82:9b:ba:3f:7a:59:3c:f6:c2:7b:c7:84:8f
TLSv1 192.168.56.103:49171 142.251.220.33:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.googleusercontent.com	cb:bb:d8:fc:60:aa:94:8f:47:5c:88:bb:c3:30:22:92:26:d3:85:2f

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 6, 2023, 7:51 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 6, 2023, 7:51 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 6, 2023, 7:51 a.m.	buffer: ERROR: The process "s5.exe" not found. console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\hoxi\hobokepeteye46\kum9\cagotihit4-pow.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 6, 2023, 7:51 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	AFX_DIALOG_LAYOUT
resource name	None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://85.209.11.204/ip.php
suspicious_features	Connection to IP address	suspicious_request	GET http://85.209.11.204/api/files/client/s51
suspicious_features	Connection to IP address	suspicious_request	GET http://85.209.11.204/api/files/client/s52
suspicious_features	Connection to IP address	suspicious_request	GET http://85.209.11.204/api/files/client/s53
suspicious_features	Connection to IP address	suspicious_request	GET http://85.209.11.204/api/files/client/s54
suspicious_features	GET method with no useragent header	suspicious_request	GET http://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
suspicious_features	GET method with no useragent header	suspicious_request	GET https://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
suspicious_features	GET method with no useragent header	suspicious_request	GET https://script.googleusercontent.com/macros/echo?user_content_key=rq3I6Pvq31ESr42SRVFCcH8cBMrOvGfc9LjrAFAjXKqooXQVZnHoVSKZ49ywNUr7mn_h-t_4xp16ZbQUh0u7vYizKKleUSwSOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa0CRDStSlAiWe9EsIf9E4ZPsnymwtpgwALY3ZEKNbUPKTwCm-q5YBdK9ax9ulRNROyEZlBVHKdgUzc9XRB8G-pFIaTITfR7fJ9yLw_QwlOLh3sVTfjuTogDzV_l7Cl_ErHbadLHwSTw0RLfCUlcjW3aqDyDBdoyuR54_mWWztr2JN0ZmedBznvo&lib=MGiFI8QOoThWusP0Kv6sJRfccXc-Ar0ZC

Performs some HTTP requests (8 events)

request	GET http://85.209.11.204/ip.php
request	GET http://85.209.11.204/api/files/client/s51
request	GET http://85.209.11.204/api/files/client/s52
request	GET http://85.209.11.204/api/files/client/s53
request	GET http://85.209.11.204/api/files/client/s54
request	GET http://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
request	GET https://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
request	GET https://script.googleusercontent.com/macros/echo?user_content_key=rq3I6Pvq31ESr42SRVFCcH8cBMrOvGfc9LjrAFAjXKqooXQVZnHoVSKZ49ywNUr7mn_h-t_4xp16ZbQUh0u7vYizKKleUSwSOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa0CRDStSlAiWe9EsIf9E4ZPsnymwtpgwALY3ZEKNbUPKTwCm-q5YBdK9ax9ulRNROyEZlBVHKdgUzc9XRB8G-pFIaTITfR7fJ9yLw_QwlOLh3sVTfjuTogDzV_l7Cl_ErHbadLHwSTw0RLfCUlcjW3aqDyDBdoyuR54_mWWztr2JN0ZmedBznvo&lib=MGiFI8QOoThWusP0Kv6sJRfccXc-Ar0ZC

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002be000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1280 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c taskkill /im "s5.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\s5.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im "s5.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\s5.exe" & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\s5.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\s5.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "s5.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 6, 2023, 7:51 a.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c taskkill /im "s5.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\s5.exe" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00038c00', u'virtual_address': u'0x00001000', u'entropy': 7.711129839146155, u'name': u'.text', u'virtual_size': u'0x00038b66'}

entropy

7.71112983915

description

A section with a high entropy has been found

entropy

0.711598746082

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 6, 2023, 7:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://api.ipify.org
url	https://api.my-ip.io

Yara rule detected in process memory (11 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over HTTP	rule	Network_HTTP
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\System32\cmd.exe /c taskkill /im "s5.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\s5.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im "s5.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\s5.exe" & exit
cmdline	taskkill /im "s5.exe" /f

Communicates with host for which no DNS query was performed (1 event)

host

85.209.11.204

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 2088 region_size: 266240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 6, 2023, 7:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x0000009c	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 called NtSetContextThread to modify thread in remote process 2088
NtSetContextThread Nov. 6, 2023, 7:51 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4255877 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2088	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 resumed a thread in remote process 2088
NtResumeThread Nov. 6, 2023, 7:51 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2088	1	0	0

Executed a process and injected code into it, probably while unpacking (10 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 6, 2023, 7:51 a.m.	thread_identifier: 2092 thread_handle: 0x00000098 process_identifier: 2088 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\s5.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\s5.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\s5.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000009c	1	1
NtGetContextThread Nov. 6, 2023, 7:51 a.m.	thread_handle: 0x00000098	1	0
NtUnmapViewOfSection Nov. 6, 2023, 7:51 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2088 process_handle: 0x0000009c	1	0
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 2088 region_size: 266240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0
WriteProcessMemory Nov. 6, 2023, 7:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x0000009c	1	1
NtSetContextThread Nov. 6, 2023, 7:51 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4255877 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2088	1	0
NtResumeThread Nov. 6, 2023, 7:51 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Nov. 6, 2023, 7:51 a.m.	thread_handle: 0x000000f4 suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW Nov. 6, 2023, 7:51 a.m.	thread_identifier: 2604 thread_handle: 0x00000594 process_identifier: 2600 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c taskkill /im "s5.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\s5.exe" & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000598	1	1
CreateProcessInternalW Nov. 6, 2023, 7:51 a.m.	thread_identifier: 2672 thread_handle: 0x00000084 process_identifier: 2668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\taskkill.exe track: 1 command_line: taskkill /im "s5.exe" /f filepath_r: C:\Windows\system32\taskkill.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
FireEye	Generic.mg.e4c5c50d9c573109
CAT-QuickHeal	Ransom.Stop.P5
Skyhigh	BehavesLike.Win32.Lockbit.fc
McAfee	Artemis!E4C5C50D9C57
Malwarebytes	Trojan.MalPack.GS
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005ace911 )
K7GW	Trojan ( 005ace911 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HVDW
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Zenpak.gen
Rising	Trojan.Generic@AI.100 (RDML:rHLxQ2CYCM0Jx6m5hruroA)
Trapmine	malicious.moderate.ml.score
Sophos	Troj/Krypt-VK
Ikarus	Trojan.Win32.SmokeLoader
Antiy-AVL	Trojan/Win32.Sabsik.fl
Kingsoft	malware.kb.a.1000
Microsoft	Trojan:Win32/Znyonm
Gridinsoft	Ransom.Win32.STOP.bot!n
ZoneAlarm	UDS:Trojan.Win32.Zenpak.gen
Google	Detected
Acronis	suspicious
VBA32	BScope.Trojan.Klubdepa
DeepInstinct	MALICIOUS
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H07K523
Tencent	Trojan.Win32.Obfuscated.gen
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.ERHN!tr
AVG	BotX-gen [Trj]
Cybereason	malicious.6d6d10
Avast	BotX-gen [Trj]

s5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All