Summary | ZeroBOX

288c47bbc187122b439df19ff4df68f076.exe

NPKI HermeticWiper NSIS Suspicious_Script Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer Javascript_Blob Anti_VM PNG Format MZP Format OS Processor Check JPEG Format PE32 PE File .NET EXE ZIP Format
Category: FILE
Machine: s1_win7_x6401
Started: Jan. 10, 2024, 7:56 a.m.
Completed: Jan. 10, 2024, 8:01 a.m.
Size 6.6MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 d872ad98ce3e3db8497ccd15e0baad33
SHA256 d77a59decea0b458372ccc3ace96fcf3726346ef030fb6dd35e0ba64ba734f0b
CRC32 C40E1043
ssdeep 196608:x90qA5Ae48OeGc1GbJjL7d/jKczNljQgK/:x93qMpYG1v8WTQgK
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)

IP Address Status Action
104.21.76.57 Active Moloch
164.124.101.2 Active Moloch
173.231.16.76 Active Moloch
185.172.128.53 Active Moloch
91.92.255.226 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 8.8.8.8:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2047719 ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) Device Retrieving External IP Address Detected
TCP 192.168.56.101:50062 -> 185.172.128.53:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.101:50062 -> 185.172.128.53:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.172.128.53:80 -> 192.168.56.101:50062 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.53:80 -> 192.168.56.101:50062 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:50064 -> 104.21.76.57:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.101:50064 -> 104.21.76.57:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 173.231.16.76:80 2029622 ET POLICY External IP Lookup (ipify .org) Potential Corporate Privacy Violation
TCP 192.168.56.101:49166 -> 173.231.16.76:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:50064 -> 104.21.76.57:443 | Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | Subject: CN=iplogger.com | Fingerprint: 58:f1:b8:44:37:6f:27:f8:01:6a:79:0e:7e:47:5b:b5:88:ec:1d:cc

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address
suspicious_request GET http://185.172.128.53/syncUpd.exe
request GET http://api.ipify.org/?format=dfg
request GET http://185.172.128.53/syncUpd.exe
request GET https://iplogger.com/19nVA4
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00640000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00592000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735f2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4161536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f30000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 9351168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2788
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735f2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2788
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 86016
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0029e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2996
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13303537664
free_bytes_available: 13303537664
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13385584640
free_bytes_available: 13385584640
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13465022464
free_bytes_available: 13465022464
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13465022464
free_bytes_available: 13465022464
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13465022464
free_bytes_available: 13465022464
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13465022464
free_bytes_available: 13465022464
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13465022464
free_bytes_available: 13465022464
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13465022464
free_bytes_available: 13465022464
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13462474752
free_bytes_available: 13462474752
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13466079232
free_bytes_available: 13466079232
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13466079232
free_bytes_available: 13466079232
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13466079232
free_bytes_available: 13466079232
root_path: C:
total_number_of_bytes: 34252779520
1 1 0
domain api.ipify.org
file C:\Users\test22\AppData\Local\Temp\nscF416.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file C:\Users\test22\AppData\Local\Temp\nscF416.tmp\Math.dll
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file C:\Users\test22\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file C:\Users\test22\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
file C:\Users\test22\AppData\Local\Temp\288c47bbc187122b439df19ff4df68f076.exe
file C:\Users\test22\AppData\Local\Temp\nscF416.tmp\Math.dll
file C:\Users\test22\AppData\Local\Temp\nsc4CA7.tmp
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file C:\Users\test22\AppData\Local\Temp\nscF416.tmp\INetC.dll
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... (binary PE image received over HTTP; the readable strings in the buffer are "This program cannot be run in DOS mode.", the PE header and the section names .text, .rdata, .data and .rsrc; the remaining bytes are non-printable machine code and are omitted here)
request_handle: 0x00cc000c
1 1 0
section .text: size_of_data 0x00698400, virtual_address 0x00002000, virtual_size 0x00698234, entropy 7.976002646896117
entropy 7.9760026469 description A section with a high entropy has been found
entropy 0.99970392302 description Overall entropy of this PE file is high
host 185.172.128.53
host 91.92.255.226
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Windows\Prefetch\SDIAGNHOST.EXE-8D72177C.pf
file c:\Windows\Temp\fwtsqmfile01.sqm
file C:\Windows\Prefetch\INJECT-X86.EXE-6FB1ED76.pf
file C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf
file C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file c:\Windows\Temp\fwtsqmfile00.sqm
file C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-7BCB21A1.pf
file C:\Windows\Prefetch\INJECT-X64.EXE-AAEEB6EB.pf
file C:\Windows\Prefetch\Layout.ini
file C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file C:\Windows\Prefetch\SETUP.EXE-A9A86358.pf
file C:\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pf
file C:\Windows\Prefetch\288C47BBC1871B439DF19FF4DF68F-1A38A6C2.pf
file C:\Windows\Prefetch\SVCHOST.EXE-CF79EE4C.pf
file C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf
file C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\uglified_jindo[1].js
file C:\Windows\Prefetch\ReadyBoot\Trace9.fx
file C:\Windows\Prefetch\SETUP-STUB.EXE-8F842224.pf
file C:\Windows\Prefetch\288C47BBC187122B439DF19FF4DF6-92B82F76.pf
file C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file C:\Windows\Prefetch\MSIEXEC.EXE-A2D55CB6.pf
file C:\Windows\Prefetch\REGSVR32.EXE-8461DBEE.pf
file C:\Windows\Prefetch\ReadyBoot\Trace1.fx
file C:\Windows\Prefetch\AgGlGlobalHistory.db
file C:\Windows\Prefetch\DEFAULT-BROWSER-AGENT.EXE-01C82E17.pf
file C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file C:\Windows\Prefetch\ReadyBoot\Trace8.fx
file C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf
file C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file C:\Windows\Prefetch\SVCHOST.EXE-5901D5E8.pf
file C:\Windows\Prefetch\MMC.EXE-561C5A40.pf
file C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
file C:\Windows\Prefetch\W32TM.EXE-1101AF41.pf
file C:\Windows\Prefetch\MOBSYNC.EXE-C5E2284F.pf
file C:\Windows\Prefetch\MSCORSVW.EXE-57D17DAF.pf
file C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000009.log
file C:\Windows\Prefetch\SVCHOST.EXE-A1476A17.pf
file C:\Windows\Prefetch\PfSvPerfStats.bin
file C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file C:\Windows\Prefetch\MSCORSVW.EXE-C3C515BD.pf
file C:\Windows\Prefetch\EDITPLUS.EXE-BB0BC86D.pf
file C:\Windows\Prefetch\MPCMDRUN.EXE-6AA90EA5.pf
file C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
file C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[10].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[3].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\013[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\sprite-20210713@2x[2].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\7028d2d448816aeaab0e_20211029092933036[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\spr_lft_white_150916[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file c:\Windows\Temp\fwtsqmfile01.sqm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAUKPFFO.jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\m_920_294_0729[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_196x196_38699317823237099[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\e84a7e15-e6a9-41ec-9eb7-883e9b5e7249[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\348acc74d7ad9acbdda7_20211101182838273[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\1_237[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\favicon[3].png
file C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[9].jpg
file C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-1.12.4.min_v1[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\w[1].css
file C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\S6uyw4BMUTPHjx4wWA[1].woff
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\icon_spacer-vflN3BYt2[1].gif
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3a7f4c4cb962a54fae75_20200728093632144[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\cropImg_728x360_77691188554226350[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\8c9b6e5b-4abb-45c6-9aa7-aa28806e8e84[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\adf7905c-28ea-4ddf-93b2-aa96dad57752[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\977[1].png
file C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\015[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAR5WT7S.jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\smart_editor2.me.min.200716[1].css
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[3].htm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\nsd13728808[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\327[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\sample-doc-download[1].htm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\images[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f1e83251-9248-4d4e-8d2e-d1505a55bc83[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\3de5642a-2629-4625-9a63-d96768537b11[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\974[1].png
file C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf
dead_host 91.92.255.226:80
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.ShortLoader.a!c
DrWeb Trojan.MulDropNET.43
MicroWorld-eScan IL:Trojan.MSILZilla.9891
Skyhigh BehavesLike.Win32.Generic.vc
McAfee GenericRXPI-VQ!D872AD98CE3E
Cylance unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Ransomware ( 005a8b921 )
Alibaba TrojanDownloader:MSIL/Mokes.51aef0a1
K7GW Ransomware ( 005a8b921 )
Cybereason malicious.ac6545
BitDefenderTheta Gen:NN.ZemsilF.36680.@p0@aC@zlvf
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Agent.UZA
APEX Malicious
ClamAV Win.Packed.Msilzilla-10018301-0
Kaspersky HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
BitDefender IL:Trojan.MSILZilla.9891
Avast Win32:DropperX-gen [Drp]
Tencent Msil.Trojan-Downloader.Shortloader.Ximw
Emsisoft IL:Trojan.MSILZilla.9891 (B)
F-Secure Heuristic.HEUR/AGEN.1365025
VIPRE IL:Trojan.MSILZilla.9891
TrendMicro Trojan.Win32.SMOKELOADER.YXEAIZ
Sophos Troj/ILAgent-I
Ikarus Trojan.MSIL.Krypt
Webroot W32.Trojan.MSILZilla
Google Detected
Avira HEUR/AGEN.1365025
Varist W32/MSIL_Kryptik.FFY.gen!Eldorado
Kingsoft MSIL.Trojan-Downloader.ShortLoader.gen
Microsoft Trojan:MSIL/Mokes.B!MTB
Gridinsoft Trojan.Win32.Downloader.ns
Xcitium Malware@#ngtmjep2aye9
Arcabit IL:Trojan.MSILZilla.D26A3
ZoneAlarm HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
GData IL:Trojan.MSILZilla.9891
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C4478643
VBA32 Trojan.MSIL.Injector.gen
Malwarebytes Trojan.Crypt.MSIL.Generic
Panda Trj/GdSda.A
TrendMicro-HouseCall Trojan.Win32.SMOKELOADER.YXEAIZ
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
SentinelOne Static AI - Malicious PE
Fortinet MSIL/GenKryptik.FFMZ!tr
AVG Win32:DropperX-gen [Drp]
DeepInstinct MALICIOUS