Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 1, 2025, 9:59 a.m.	May 1, 2025, 10:06 a.m.

Size	2.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`427b11f7f59e5efcfc03e8f14e88a58f`
SHA256	`e2a0f035d64258fb0ace43738d7c37f88a9b572e208c690a4db2c531f9f97eaf`
CRC32	`FD019B7D`
ssdeep	`49152:rwT7Zu4MNIOoOVAYoqJD8YkY0VNB72YvnU1KZqLlmqBBLfJ:ra7hMNIaVAYoE8rYgVvnU1KZqLRn`
Yara	PE_Header_Zero - PE File Signature mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

Zc3.exe "C:\Users\test22\AppData\Local\Temp\Zc3.exe"
792
- cmd.exe cmd /c ""C:\Windows\Fonts\clean.cmd" "
  2064
  - conhost.exe C:\Windows\Fonts\conhost.exe install NetTcpConnection svchost
    2152
  - sc.exe sc config "NetTcpConnection" DisplayName= "NetTcpConnection"
    2228
  - sc.exe sc description "NetTcpConnection" "Microsoft .NetTcpConnection"
    2288
  - sc.exe sc config NetTcpConnection start= auto
    2344
  - sc.exe sc failure NetTcpConnection reset= 86400 actions= restart/60000/restart/60000/restart/60000
    2392
  - timeout.exe timeout /T 3
    2440
  - conhost.exe C:\Windows\Fonts\conhost.exe start NetTcpConnection
    2492
  - attrib.exe attrib +a +s +r +h C:\Windows\Fonts\config.json
    2724
  - attrib.exe attrib +a +s +r +h C:\Windows\Fonts\conhost.exe
    2780
  - attrib.exe attrib +a +s +r +h C:\Windows\Fonts\svchost.exe
    2840
  - attrib.exe attrib +a +s +r +h C:\Windows\Fonts\WinRing0x64.sys
    2888
- xsfxdel~.exe "C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe" "C:\Users\test22\AppData\Local\Temp\Zc3.exe"
  2940

Name	Response	Post-Analysis Lookup
gulf.moneroocean.stream	CNAME monerooceans.stream A 5.104.84.79	5.104.84.79

IP Address	Status	Action
164.124.101.2	Active	Moloch
5.104.84.79	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 5.104.84.79:10128	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49171 -> 5.104.84.79:10128	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 1, 2025, 10 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: S console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: e console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: r console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: v console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: i console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: c console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: e console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: N console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: e console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: t console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: T console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: c console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: p console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: C console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: o console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: n console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: n console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: e console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: c console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: t console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: i console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: o console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: n console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: i console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: n console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: s console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: t console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: a console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: l console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: l console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: e console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: d console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: s console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: u console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: c console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: c console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: e console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: s console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: s console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: f console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: u console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: l console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: l console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: y console_handle: 0x000000000000000f	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: [SC] ChangeServiceConfig SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: [SC] ChangeServiceConfig2 SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: [SC] ChangeServiceConfig SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: [SC] ChangeServiceConfig2 SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW May 1, 2025, 9:59 a.m.	buffer: Waiting for 3 console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 1, 2025, 9:59 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9933594624 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Windows\Fonts\clean.cmd
file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Windows\Fonts\svchost.exe
file	C:\Windows\Fonts\conhost.exe

Creates a suspicious process (2 events)

cmdline	C:\Windows\Fonts\conhost.exe install NetTcpConnection svchost
cmdline	attrib +a +s +r +h C:\Windows\Fonts\svchost.exe

Drops a binary and executes it (3 events)

file	C:\Windows\Fonts\clean.cmd
file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Windows\Fonts\conhost.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Users\test22\AppData\Local\Temp\Zc3.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 1, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe parameters: "C:\Users\test22\AppData\Local\Temp\Zc3.exe" filepath: C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe	1	1	0

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	attrib +a +s +r +h C:\Windows\Fonts\conhost.exe
cmdline	sc failure NetTcpConnection reset= 86400 actions= restart/60000/restart/60000/restart/60000
cmdline	attrib +a +s +r +h C:\Windows\Fonts\config.json
cmdline	sc config NetTcpConnection start= auto
cmdline	attrib +a +s +r +h C:\Windows\Fonts\svchost.exe
cmdline	attrib +a +s +r +h C:\Windows\Fonts\WinRing0x64.sys
cmdline	sc description "NetTcpConnection" "Microsoft .NetTcpConnection"
cmdline	sc config "NetTcpConnection" DisplayName= "NetTcpConnection"

Installs itself for autorun at Windows startup (1 event)

service_name

NetTcpConnection

service_path

C:\Windows\Fonts\conhost.exe

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 1, 2025, 9:59 a.m.	service_start_name: start_type: 2 password: display_name: NetTcpConnection filepath: C:\Windows\Fonts\conhost.exe service_name: NetTcpConnection filepath_r: C:\Windows\Fonts\conhost.exe desired_access: 983551 service_handle: 0x00000000002635e0 error_control: 1 service_type: 16 service_manager_handle: 0x00000000002635b0	1	2504160	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Skyhigh	BehavesLike.Win32.HLLPPhilis.vc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (D)
Elastic	malicious (high confidence)
ESET-NOD32	Win64/CoinMiner.RO potentially unwanted
APEX	Malicious
Avast	Win32:MalwareX-gen [Drp]
Kaspersky	HEUR:Trojan.Win64.Reincarnation.gen
Alibaba	Trojan:Win32/Miners.32339c82
Rising	HackTool.XMRMiner!1.C2EC (CLASSIC)
DrWeb	Tool.InstSrv.10
Zillya	Trojan.SchoolGirl.Win32.86
McAfeeD	Real Protect-LS!427B11F7F59E
Trapmine	malicious.moderate.ml.score
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Antiy-AVL	Trojan/Win32.ShadowBrokers.gg
McAfee	GenericRXAA-FA!427B11F7F59E
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Qhost
Malwarebytes	Generic.Trojan.Malicious.DDS
Ikarus	PUA.CoinMiner
Tencent	Malware.Win32.Gencirc.10bffc62
AVG	Win32:MalwareX-gen [Drp]

Zc3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All