Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 4, 2023, 5:59 p.m.	Dec. 4, 2023, 6:27 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8ea7dc740a4d382a7dc9322b1649f6f2`
SHA256	`a557a22f96f6e9e23c5743609151e4d4225fb600a719351c4a4accf77a0024f2`
CRC32	`205496B1`
ssdeep	`24576:2opGDjnvrPpkjos0OtjcFc5kM49dj+IuxWQOIjuJuVvhbqL0HtFcgekRP9dT0WBI:OnvrPGT0Egyudc4tI3bqL0NFchaP9dTO`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

good.exe "C:\Users\test22\AppData\Local\Temp\good.exe"
1372
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2220
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  2284
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
193.233.132.51	Active	Moloch
34.117.59.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.233.132.51:50500 -> 192.168.56.103:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.51:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49168 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 4, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 4, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 4, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Dec. 4, 2023, 5:59 p.m.	buffer: SUCCESS: The scheduled task "OfficeTrackerNMP131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Dec. 4, 2023, 5:59 p.m.	buffer: SUCCESS: The scheduled task "OfficeTrackerNMP131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Dec. 4, 2023, 5:59 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Dec. 4, 2023, 5:59 p.m.	thread_identifier: 2224 thread_handle: 0x000000dc process_identifier: 2220 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000100	1	1	0
CreateProcessInternalW Dec. 4, 2023, 5:59 p.m.	thread_identifier: 2288 thread_handle: 0x00000250 process_identifier: 2284 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000025c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 4, 2023, 5:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW Dec. 4, 2023, 5:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host

193.233.132.51

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131	reg_value	C:\Users\test22\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Disables Windows Security features (10 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{FDC3E3F7-9B67-464A-A356-AE744BEBBAF5}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.th
McAfee	GenericRXAA-AA!8EA7DC740A4D
Malwarebytes	RiskWare.Agent
Zillya	Trojan.Agent.Win32.3773140
K7AntiVirus	Riskware ( 00584baa1 )
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.b1eae3
Arcabit	Generic.Dacic.7CB2327F.A.28870786
VirIT	Trojan.Win32.Genus.UEA
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Agent.ADVG
APEX	Malicious
ClamAV	Win.Malware.Zard-10015589-0
Kaspersky	HEUR:Trojan-PSW.Win32.RisePro.gen
BitDefender	Generic.Dacic.7CB2327F.A.28870786
NANO-Antivirus	Trojan.Win32.Mint.kegarr
MicroWorld-eScan	Generic.Dacic.7CB2327F.A.28870786
Avast	Win32:TrojanX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bf6423
Sophos	Troj/RisePro-C
F-Secure	Trojan.TR/AD.Nekark.exgfn
DrWeb	Trojan.MulDrop24.22194
VIPRE	Generic.Dacic.7CB2327F.A.28870786
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.8ea7dc740a4d382a
Emsisoft	Generic.Dacic.7CB2327F.A.28870786 (B)
Ikarus	Trojan.Win32.Agent
Jiangmin	Trojan.Generic.hryzt
Avira	TR/AD.Nekark.exgfn
Antiy-AVL	Trojan/Win32.Agent.advg
Gridinsoft	Trojan.Win32.Agent.oa!s1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan-PSW.Win32.RisePro.gen
GData	Win32.Trojan.PSE.DJFZVU
Varist	W32/Sdum.Z.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R624285
ALYac	Generic.Dacic.7CB2327F.A.28870786
MAX	malware (ai score=80)
Cylance	unsafe
Panda	Trj/GdSda.A
Rising	Downloader.Agent!1.D93C (CLASSIC)
Yandex	Trojan.Agent!E34nJNo+lBI
Fortinet	W32/Agent.ADVG!tr
BitDefenderTheta	Gen:NN.ZexaF.36608.Dv1@a4aq2Fpk
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_70% (W)

good.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All