Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 12, 2021, 2:11 p.m.	March 12, 2021, 2:13 p.m.

Size	4.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cf75f0b1db8bf6733a56de4e83185314`
SHA256	`9cce73fbafd0149e985992dbe138bd01025890f46e45e0e20ed4dca36dd5f5cd`
CRC32	`75C7DA3D`
ssdeep	`49152:xYpMYLS1Bdv38f8SZGO2ZojdD/5XEYTVi:xYyYA3cYCD/5g`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero network_tor - Communications over TOR network network_dropper - File downloader/dropper screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check

1740773763.exe "C:\Users\test22\AppData\Local\Temp\1740773763.exe"
5032
- cmd.exe C:\Windows\system32\cmd.exe /c Start c:\Users\Public\Documents\1123411.exe
  7636

Name	Response	Post-Analysis Lookup
stone-premium.com	A 108.167.142.232	108.167.142.232

IP Address	Status	Action
108.167.142.232	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49807 -> 108.167.142.232:80	2021697	ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 12, 2021, 2:11 p.m.	buffer: The system cannot find the file c:\Users\Public\Documents\1123411.exe. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 12, 2021, 2:11 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didata

Performs some HTTP requests (1 event)

request

GET http://stone-premium.com/wp-content/uploads/2021/02/ximw.exe

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 12, 2021, 2:11 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 12, 2021, 2:11 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	c:\Users\Public\Documents\1123411.exe

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c Start c:\Users\Public\Documents\1123411.exe

Potentially malicious URLs were found in the process memory dump (50 out of 824 events)

url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://wwwimages.adobe.com/www.adobe.com/swf/software/flash/about/flash_about_793x170.swf
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1031%2Fupload_20063893240744871RiJjV.jpg%22
url	http://175.208.134.150:8282/test/test.eml
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/905.png
url	https://s.pstatic.net/static/www/mobile/edit/2020/1103/mobile_142459883835.gif
url	https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url	http://blogimgs.naver.net/nblog/guestbook/btn_close2.gif
url	https://ssl.pstatic.net/static/nid/login/rw_captcha01.png
url	http://www.snee.com/xml/xslt/sample.doc
url	http://www.yceml.net/0559/10408495-1499411010011
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	http://t.static.blog.naver.net/mylog/versioning/nhn.keywordHighlighter-99428789.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	https://castbox.shopping.naver.com/js/lazyload.js
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1021%2Fupload_19201541624342101mWI1T.jpg%22
url	http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url	https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://s.pstatic.net/shopping.phinf/20201103_21/701f9083-a72b-4ef6-ac1c-0daf1907c51d.jpg?type=f214_292
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	https://www.google.com/pagead/drt/ui
url	https://s.pstatic.net/shopping.phinf/20201102_18/6131e135-0b61-4b61-86ca-480bf7612785.jpg
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/327.png
url	http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
url	https://mail.naver.com/js_src/com/nhncorp/mail/write/se2_new/smart_editor2_inputarea_ie8.html?version=20190704
url	https://static.nid.naver.com/loginv3/img/sp_login_20150113.gif
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/031.png
url	https://tpc.googlesyndication.com/pagead/images/abg/icon.png
url	https://search.pstatic.net/common/?src=http%3A%2F%2Fcafefiles.naver.net%2FMjAxNzExMDdfODcg%2FMDAxNTEwMDY0OTYzNTA5.y-bJj3BgRC8r80hM6EblWFHSqawqo5-vMJAzHBN6rEkg.vAPtUzoeY8mHPRaMuejD3HrMtW5xgv-cdeEaAc0q2Rog.PNG.flashcs7%2FScreenshot_2017-11-07-22-55-08.png%23600x1024
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0804%2FcropImg_336x206_38466352545626545.png%22
url	https://www.naver.com
url	https://t1.daumcdn.net/tistory_admin/blogs/style/menubar.css?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://ssl.pstatic.net/static/nid/login/pc_2step_396_110.png
url	https://tpc.googlesyndication.com/pagead/js/r20180205/r20110914/abg.js
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/024.png
url	https://c.microsoft.com/ms.js
url	https://securepubads.g.doubleclick.net/tag/js/gpt.js
url	http://blogimgs.naver.net/nblog/skins/happybean/btn-put.gif
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/957.png
url	https://my.sendinblue.com/public/theme/version4/assets/images/loader_sblue.gif

Yara rule detected in process memory (50 out of 88 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over Toredo network	rule	network_toredo
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (3 events)

url	http://175.208.134.150:8282/test/test.eml
url	http://175.208.134.150:8282/favicon.ico
url	http://175.208.134.150:8282/test/exe1.zip

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

FireEye	Trojan.GenericKD.36455404
McAfee	Artemis!CF75F0B1DB8B
Sangfor	Virus_Suspicious.Win32.Sality.ae
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanDownloader:MSIL/Seraph.be6be65d
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/Trojan.DUII-0522
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Cynet	Malicious (score: 85)
Kaspersky	Trojan-Downloader.MSIL.Seraph.jt
BitDefender	Trojan.GenericKD.36455404
AegisLab	Trojan.MSIL.Seraph.a!c
MicroWorld-eScan	Trojan.GenericKD.36455404
Ad-Aware	Trojan.GenericKD.36455404
Emsisoft	Trojan.GenericKD.36455404 (B)
Paloalto	generic.ml
Avira	TR/Redcap.czoiz
MAX	malware (ai score=82)
Gridinsoft	Trojan.Win32.Downloader.ns
Microsoft	Trojan:Win32/Ymacco.AA9C
GData	Win32.Trojan-Downloader.Generic.CWESPL
AhnLab-V3	Malware/Win32.Generic.C4365985
ALYac	Trojan.GenericKD.36455404
TrendMicro-HouseCall	TROJ_GEN.R049H0CC921
Rising	Downloader.Seraph!8.111C6 (CLOUD)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Malicious_Behavior.VEX
AVG	Win32:Malware-gen
Cybereason	malicious.1db8bf
Panda	Trj/GdSda.A
Qihoo-360	Win32/TrojanDownloader.Generic.HgIASQQA

1740773763.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All