Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 22, 2024, 7:28 a.m.	March 22, 2024, 7:41 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`589ddf53393fe19f58105dfdf56879e3`
SHA256	`7af470dc705da73063fc90cbb2b7746ef2eaba7604ecb371d7ff234845025649`
CRC32	`AEE5A922`
ssdeep	`24576:HAHnh+eWsN3skA4RV1Hom2KXMmHa9LBZQWCEDIm/uiUkl5Cc00ML2j5:6h+ZkldoPK8Ya9rQWo6Ukd0Tu`
Yara	Malicious_Library_Zero - Malicious_Library Process_Snapshot_Kill_Zero - Process Kill Zero PE_Header_Zero - PE File Signature FindFirstVolume_Zero - FindFirstVolume Zero CryptGenKey_Zero - CryptGenKey Zero Device_Check_Zero - Device Check Zero IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
800
- excel.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
  2488
  - svchost.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
    2532

Name	Response	Post-Analysis Lookup
shgoini.com	A 107.175.229.143	107.175.229.143
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
107.175.229.143	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 107.175.229.143:30902	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49168 107.175.229.143:30902	None	None	None

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2024, 7:28 a.m.			0	0
IsDebuggerPresent March 22, 2024, 7:28 a.m.			0	0
IsDebuggerPresent March 22, 2024, 7:28 a.m.			0	0
IsDebuggerPresent March 22, 2024, 7:28 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2024, 7:28 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2024, 7:28 a.m.	process_identifier: 800 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 22, 2024, 7:28 a.m.	process_identifier: 2488 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs
file	C:\Users\test22\AppData\Local\directory\excel.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\directory\excel.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\directory\excel.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007c200', u'virtual_address': u'0x000c8000', u'entropy': 7.93348878421446, u'name': u'.rsrc', u'virtual_size': u'0x0007c084'}

entropy

7.93348878421

description

A section with a high entropy has been found

entropy

0.380459770115

description

Overall entropy of this PE file is high

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 22, 2024, 7:28 a.m.	thread_identifier: 2536 thread_handle: 0x0000013c process_identifier: 2532 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\wininit.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000134	1	1	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2488 called NtSetContextThread to modify thread in remote process 2532
NtSetContextThread March 22, 2024, 7:28 a.m.	registers.eip: 2005598660 registers.esp: 654680 registers.edi: 0 registers.eax: 4409839 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000013c process_identifier: 2532	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

"C:\Users\test22\AppData\Local\Temp\wininit.exe"

The process excel.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\directory\excel.exe

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Win32.AutoIt.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.TrojanAitInject.tc
Cylance	unsafe
Sangfor	Virus.Win32.Save.a
ESET-NOD32	a variant of Win32/Injector.Autoit.FWA
APEX	Malicious
McAfee	Artemis!589DDF53393F
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/Strab.dcae1ac0
Rising	Trojan.Injector/Autoit!1.F5AA (CLASSIC)
FireEye	Generic.mg.589ddf53393fe19f
Sophos	Troj/AutoIt-DGJ
Google	Detected
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Strab.GPX!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Varist	W32/AutoIt.IJ.gen!Eldorado
DeepInstinct	MALICIOUS
VBA32	Trojan-Downloader.Autoit.gen
Malwarebytes	Trojan.Injector.AutoIt
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	AutoIt/Injector.AAD!tr
CrowdStrike	win/malicious_confidence_90% (W)

wininit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All