Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 16, 2024, 10:57 a.m.	July 16, 2024, 10:59 a.m.

Size	88.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ababca6d12d96e8dd2f1d7114b406fae`
SHA256	`a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba`
CRC32	`6C526A17`
ssdeep	`1536:wL0IGzbFmav82XwudP6+0MTqEjXm/D5AKHK:c0poOfP6+JuEjaaKHK`
Yara	Network_Downloader - File Downloader Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware

tdrpload.exe "C:\Users\test22\AppData\Local\Temp\tdrpload.exe"
1156
- sysmablsvr.exe C:\Windows\sysmablsvr.exe
  1532

Name	Response	Post-Analysis Lookup
www.update.microsoft.com	A 20.72.235.82 CNAME redir.update.msft.com.trafficmanager.net	20.72.235.82

IP Address	Status	Action
117.236.188.177	Active	Moloch
134.35.106.7	Active	Moloch
146.70.53.161	Active	Moloch
151.234.69.79	Active	Moloch
151.235.83.141	Active	Moloch
164.124.101.2	Active	Moloch
178.217.173.26	Active	Moloch
185.215.113.66	Active	Moloch
20.72.235.82	Active	Moloch
217.30.171.37	Active	Moloch
46.248.37.21	Active	Moloch
5.233.65.104	Active	Moloch
78.106.189.161	Active	Moloch
82.137.218.134	Active	Moloch
94.183.35.131	Active	Moloch
95.59.234.182	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52762 -> 94.183.35.131:40500	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	A Network Trojan was detected
UDP 192.168.56.103:52762 -> 151.234.69.79:40500	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	A Network Trojan was detected
UDP 192.168.56.103:52762 -> 5.233.65.104:40500	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	A Network Trojan was detected
TCP 185.215.113.66:80 -> 192.168.56.103:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
UDP 192.168.56.103:52762 -> 146.70.53.161:40500	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	A Network Trojan was detected
UDP 192.168.56.103:52762 -> 178.217.173.26:40500	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	A Network Trojan was detected
UDP 192.168.56.103:52762 -> 117.236.188.177:40500	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 16, 2024, 10:57 a.m.			0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://185.215.113.66/1
suspicious_features	Connection to IP address				suspicious_request	GET http://185.215.113.66/2

Performs some HTTP requests (2 events)

request	GET http://185.215.113.66/1
request	GET http://185.215.113.66/2

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (11 events)

ip	117.236.188.177
ip	146.70.53.161
ip	151.234.69.79
ip	151.235.83.141
ip	178.217.173.26
ip	217.30.171.37
ip	46.248.37.21
ip	5.233.65.104
ip	78.106.189.161
ip	94.183.35.131
ip	95.59.234.182

A process attempted to delay the analysis task. (1 event)

description

sysmablsvr.exe tried to sleep 190 seconds, actually delayed analysis time by 190 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\1095022896.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 16, 2024, 10:58 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000374 filepath: C:\Users\test22\tbtnds.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\tbtnds.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Communicates with host for which no DNS query was performed (14 events)

host	117.236.188.177
host	134.35.106.7
host	146.70.53.161
host	151.234.69.79
host	151.235.83.141
host	178.217.173.26
host	185.215.113.66
host	217.30.171.37
host	46.248.37.21
host	5.233.65.104
host	78.106.189.161
host	82.137.218.134
host	94.183.35.131
host	95.59.234.182

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings

reg_value

C:\Windows\sysmablsvr.exe

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Modifies security center warnings (7 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride

Attempts to remove evidence of file being downloaded from the Internet (3 events)

file	C:\Users\test22\AppData\Local\Temp\tdrpload.exe:Zone.Identifier
file	C:\Windows\sysmablsvr.exe:Zone.Identifier
file	C:\Users\test22\AppData\Local\Temp\1095022896.exe:Zone.Identifier

Disables Windows Security features (5 events)

description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description	attempts to disable windows update notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify

Stops Windows services (2 events)

service	wuauserv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start)
service	BITS (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start)

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.BeeyWcsjvulF.Trojan
Lionic	Trojan.Win32.Phorpiex.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Multi
Cylance	Unsafe
VIPRE	Gen:Heur.Mint.Zard.39
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005533551 )
K7GW	Trojan ( 005533551 )
Cybereason	malicious.d12d96
VirIT	Trojan.Win32.Genus.VXH
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Phorpiex.V
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Phorpiex-10030343-0
Alibaba	Worm:Win32/Phorpiex.5c685c46
NANO-Antivirus	Trojan.Win32.Phorpiex.koniga
MicroWorld-eScan	Gen:Heur.Mint.Zard.39
Rising	Worm.Phorpiex!8.48D (TFE:3:2wXnuqqcioP)
Emsisoft	Gen:Heur.Mint.Zard.39 (B)
F-Secure	Heuristic.HEUR/AGEN.1366496
DrWeb	Trojan.DownLoader46.2135
BitDefenderTheta	AI:Packer.46E3DD1D1E
McAfeeD	Real Protect-LS!ABABCA6D12D9
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.ababca6d12d96e8d
Sophos	W32/Trizt-Gen
Ikarus	Trojan.Win32.Phorpiex
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1366496
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Phorpiex
Kingsoft	malware.kb.a.1000
Gridinsoft	Trojan.Win32.Downloader.sa
Xcitium	Malware@#2w9v0gjci7x32
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C4630408
VBA32	BScope.Worm.Propriex
DeepInstinct	MALICIOUS
Malwarebytes	Phorpiex.Trojan.Bot.DDS
TrendMicro-HouseCall	TROJ_GEN.R06CC0DFC24
Tencent	Malware.Win32.Gencirc.10c01086
Yandex	Trojan.Agent!d7bZodg/Ml0
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Malicious_Behavior.SBX
Panda	Adware/SecurityProtection
CrowdStrike	win/malicious_confidence_100% (D)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	82.137.218.134:40500
dead_host	134.35.106.7:40500

tdrpload.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All