Summary | ZeroBOX

ow.exe

PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 20, 2024, 10:37 a.m. Aug. 20, 2024, 10:39 a.m.
Size 401.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5 1a29969a7538662884fffe237d32fbc1
SHA256 e2ec72032cfefee79fa379698041762175aeca8d7c3801951e5bd8f4c8d47e89
CRC32 5611A143
ssdeep 6144:DOL6crmZTR//VYHBS+9iqVZcuMuyI5GwWAbBh4RurNtN3IVi/sFvhOwoXd1m4Rmn:zcSjMFII5bbERu7N3h6n4Rj
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49183 -> 124.156.105.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:57081 -> 164.124.101.2:53 2047079 ET INFO External IP Check Domain in DNS Lookup (ip .cn) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49184 -> 104.21.64.12:443 2047080 ET INFO Observed External IP Lookup Domain (ip .cn in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49184 -> 104.21.64.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:57082 -> 8.8.8.8:53 2047079 ET INFO External IP Check Domain in DNS Lookup (ip .cn) Device Retrieving External IP Address Detected
TCP 198.54.117.242:80 -> 192.168.56.101:49161 2527003 ET Threatview.io High Confidence Cobalt Strike C2 IP group 4 Misc Attack
TCP 192.168.56.101:49164 -> 119.63.197.139:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49183 -> 124.156.105.121:443 C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G4 CN=site.ip138.com 1f:4a:7e:5a:dd:da:5b:38:e0:1d:40:26:d9:97:cc:dc:1c:db:bc:36
TLSv1 192.168.56.101:49184 -> 104.21.64.12:443 C=US, O=Google Trust Services, CN=WE1 CN=ip.cn 15:f7:45:c7:89:82:91:c9:28:a1:91:a4:e0:c9:e1:00:f1:64:f3:a1
TLSv1 192.168.56.101:49164 -> 119.63.197.139:443 C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com ef:0f:be:13:02:e2:c4:d4:89:ba:8f:ba:88:ef:6f:95:dc:cf:7b:e0

packer PECompact 2.xx --> BitSum Technologies
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 a9 2b 24
exception.symbol: ow+0x27e84
exception.instruction: mov dword ptr [eax], ecx
exception.module: ow.exe
exception.exception_code: 0xc0000005
exception.offset: 163460
exception.address: 0xa7e84
registers.esp: 3931764
registers.edi: 0
registers.eax: 0
registers.ebp: 3931780
registers.edx: 687726
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
ow+0x154a0 @ 0x954a0
ow+0xae464 @ 0x12e464
ow+0x27e03 @ 0xa7e03
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45
exception.symbol: ow+0x15395
exception.instruction: in eax, dx
exception.module: ow.exe
exception.exception_code: 0xc0000096
exception.offset: 86933
exception.address: 0x95395
registers.esp: 3931248
registers.edi: 62
registers.eax: 1447909480
registers.ebp: 3931304
registers.edx: 22104
registers.ebx: 0
registers.esi: 8208808
registers.ecx: 10
1 0 0
suspicious_features HTTP version 1.0 used suspicious_request GET http://cdn.cuilet.comhttp://cdn.cuilet.com/api/filegoto1/d76b29f56b8bed99
request GET http://cdn.qqb3.com/API/General/client_log_user
request GET http://apps.game.qq.com/comm-htdocs/ip/get_ip.php
request GET http://cdn.qqb3.com/API/General/lsrpu
request GET http://cdn.cuilet.com/api/filegoto1/d76b29f56b8bed99
request GET http://cdn.sackow.com/api/filegoto1/d76b29f56b8bed99
request GET http://cdn.qqb3.com/api/filegoto1/d76b29f56b8bed99
request GET http://cdn.cuilet.comhttp://cdn.cuilet.com/api/filegoto1/d76b29f56b8bed99
request GET https://site.ip138.com/domain/read.do?domain=cdn.cuilet.com&time=1724129865281
request GET https://ip.cn/api/index?ip=cdn.cuilet.com&type=1
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 106496
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f34000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ef20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f30000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bfd000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ef20000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bfd000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf4000
process_handle: 0xffffffff
1 0 0
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000b40a0 size 0x000001b4
cmdline cmd.exe /c del /Q /F "C:\Users\test22\AppData\Local\Temp\ow.exe"
cmdline "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\test22\AppData\Local\Temp\ow.exe"
file C:\Users\test22\AppData\Local\Temp\ow.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c del /Q /F "C:\Users\test22\AppData\Local\Temp\ow.exe"
filepath: cmd.exe
1 1 0
section {u'size_of_data': u'0x00062c00', u'virtual_address': u'0x00001000', u'entropy': 7.9993368600110655, u'name': u'.text', u'virtual_size': u'0x000b3000'} entropy 7.99933686001 description A section with a high entropy has been found
section {u'size_of_data': u'0x00001400', u'virtual_address': u'0x000b4000', u'entropy': 6.948009551352002, u'name': u'.rsrc', u'virtual_size': u'0x00002000'} entropy 6.94800955135 description A section with a high entropy has been found
entropy 0.998751560549 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0
cmdline cmd.exe /c del /Q /F "C:\Users\test22\AppData\Local\Temp\ow.exe"
cmdline "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\test22\AppData\Local\Temp\ow.exe"
file C:\Users\test22\AppData\Local\Temp\ow.exe
process ow.exe useragent CHM_MSDN
process ow.exe useragent HttpSend
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
ow+0x154a0 @ 0x954a0
ow+0xae464 @ 0x12e464
ow+0x27e03 @ 0xa7e03
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45
exception.symbol: ow+0x15395
exception.instruction: in eax, dx
exception.module: ow.exe
exception.exception_code: 0xc0000096
exception.offset: 86933
exception.address: 0x95395
registers.esp: 3931248
registers.edi: 62
registers.eax: 1447909480
registers.ebp: 3931304
registers.edx: 22104
registers.ebx: 0
registers.esi: 8208808
registers.ecx: 10
1 0 0
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Generic.4!c
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.GenericRI.S28495932
McAfee Artemis!1A29969A7538
ALYac Gen:Variant.Barys.324050
Cylance Unsafe
VIPRE Gen:Variant.Barys.324050
Sangfor Backdoor.Win32.Gulpix.Vjy5
K7AntiVirus Trojan ( 00577f261 )
BitDefender Gen:Variant.Barys.324050
K7GW Trojan ( 00577f261 )
Cybereason malicious.a75386
Arcabit Trojan.Barys.D4F1D2
Cyren W32/Agent.DIA.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Agent.ZJL
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Backdoor:Win32/Gulpix.0306363c
NANO-Antivirus Trojan.Win32.Gulpix.jswfot
MicroWorld-eScan Gen:Variant.Barys.324050
Rising Trojan.Agent!1.CF5E (CLOUD)
Ad-Aware Gen:Variant.Barys.324050
Emsisoft Gen:Variant.Barys.324050 (B)
DrWeb Trojan.Siggen17.40820
TrendMicro TROJ_GEN.R011C0DK622
McAfee-GW-Edition GenericRXSX-JQ!0FAE95D36ED6
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.1a29969a75386628
Sophos ML/PE-A + Mal/Behav-010
Ikarus Trojan.Win32.Agent
Avira HEUR/AGEN.1242537
MAX malware (ai score=86)
Antiy-AVL Trojan/Generic.ASMalwS.1F6B
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Backdoor:Win32/Gulpix.MA!MTB
GData Win32.Trojan.PSE.1DDXPNX
Google Detected
AhnLab-V3 Trojan/Win32.Agent.C3143770
BitDefenderTheta AI:Packer.0CE8BD601F
VBA32 suspected of Trojan.Downloader.gen
Malwarebytes Malware.AI.3768592590
TrendMicro-HouseCall TROJ_GEN.R011C0DK622
Tencent Win32.Trojan.Generic.Osmw
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Agent.ZJL!tr
AVG Win32:TrojanX-gen [Trj]