Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 10, 2021, 8:42 a.m.	April 10, 2021, 8:56 a.m.

Size	771.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`ba4658b682eba9d58ba10f74da68b5a5`
SHA256	`c6b31af6aad49b0f8296d01b15e821f1821d585083bc7a2c55ccc4528844b0b0`
CRC32	`84532EC4`
ssdeep	`24576:SBXu9HGaXlcekC612T/OeLXg7hzgkIFLS/CB:Sw9X2pH12T/OeLXuWtFLY`
Yara	screenshot - Take screenshot Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration PE_Header_Zero - PE File Signature Zero UPX_Zero - UPX packed file IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasRichSignature - Rich Signature Check

pixe-updater.exe "C:\Users\test22\AppData\Local\Temp\pixe-updater.exe"
540
- takeown.exe c:\windows\system32\takeown.exe /R /A /D S /F "c:\pixe"
  1976
- icacls.exe c:\windows\system32\icacls.exe "c:\pixe" /reset /C /Q
  2840
- icacls.exe c:\windows\system32\icacls.exe "c:\pixe" /inheritance:d /C /Q
  1892
- cmd.exe cmd /c icacls.exe c:\pixe\update\RunDll32-low.exe /setintegritylevel low
  1164
  - icacls.exe icacls.exe c:\pixe\update\RunDll32-low.exe /setintegritylevel low
    2288

Name	Response	Post-Analysis Lookup
www.pixe.es	A 208.113.170.70	208.113.170.70

IP Address	Status	Action
164.124.101.2	Active	Moloch
208.113.170.70	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 10, 2021, 8:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 10, 2021, 8:42 a.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 10, 2021, 8:42 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW April 10, 2021, 8:42 a.m.	buffer: Invalid syntax. 'S' value is not allowed for '/D' option. Type "TAKEOWN /?" for usage. console_handle: 0x0000000b	1	1
WriteConsoleW April 10, 2021, 8:42 a.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW April 10, 2021, 8:42 a.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW April 10, 2021, 8:42 a.m.	buffer: processed file: c:\pixe\update\RunDll32-low.exe console_handle: 0x00000007	1	1
WriteConsoleW April 10, 2021, 8:42 a.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 10, 2021, 8:42 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://www.pixe.es/bin/curl.exe

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 10, 2021, 8:42 a.m.	process_identifier: 540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW April 10, 2021, 8:42 a.m.	total_number_of_free_bytes: 13723922432 free_bytes_available: 13723922432 root_path: c:\pixe\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW April 10, 2021, 8:42 a.m.	total_number_of_free_bytes: 13723283456 free_bytes_available: 13723283456 root_path: c:\pixe\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW April 10, 2021, 8:43 a.m.	total_number_of_free_bytes: 13723148288 free_bytes_available: 13723148288 root_path: c:\pixe\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW April 10, 2021, 8:43 a.m.	total_number_of_free_bytes: 13723148288 free_bytes_available: 13723148288 root_path: c:\pixe\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW April 10, 2021, 8:43 a.m.	total_number_of_free_bytes: 13723148288 free_bytes_available: 13723148288 root_path: c:\pixe\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (2 events)

file	c:\pixe\update\7za.exe
file	c:\pixe\update\curl.exe

Executes one or more WMI queries (1 event)

wmi	Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 10, 2021, 8:42 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 1240	1	1	0
Process32NextW April 10, 2021, 8:42 a.m.	snapshot_handle: 0x00000134 process_name: pixe-updater.exe process_identifier: 540	1	1	0

An executable file was downloaded by the process pixe-updater.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile April 10, 2021, 8:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL Ë»Zà> P@ Nþ àÁðð0 è@ \|B \|ó.text¤<>`P`.data¼PB@`À.rdatac`dD@`@.bssÐ`À.edataÁà¨@0@.idataðð°@0À.CRT4 Ä@0À.tls Æ@0À.rsrcè0 È@0À.reloc\|B@ DÌ@0B request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000bea00', u'virtual_address': u'0x0007a000', u'entropy': 7.863629381011641, u'name': u'UPX1', u'virtual_size': u'0x000bf000'}

entropy

7.86362938101

description

A section with a high entropy has been found

entropy

0.99025974026

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: b3aea131a18e363486ded8f546b3582a401094a3

Connects to an IRC server, possibly part of a botnet

Uses suspicious command line tools or Windows utilities (4 events)

cmdline	icacls.exe c:\pixe\update\RunDll32-low.exe /setintegritylevel low
cmdline	c:\windows\system32\icacls.exe "c:\pixe" /reset /C /Q
cmdline	cmd /c icacls.exe c:\pixe\update\RunDll32-low.exe /setintegritylevel low
cmdline	c:\windows\system32\icacls.exe "c:\pixe" /inheritance:d /C /Q

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.44367987
FireEye	Generic.mg.ba4658b682eba9d5
McAfee	RDN/Generic.grp
Alibaba	Worm:Win32/ScriptSH.5a31b7cf
Arcabit	Trojan.Generic.D2A50073
APEX	Malicious
Paloalto	generic.ml
BitDefender	Trojan.GenericKD.44367987
Ad-Aware	Trojan.GenericKD.44367987
Sophos	ML/PE-A
TrendMicro	TROJ_GEN.R002C0PK820
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.bc
Emsisoft	Trojan.GenericKD.44367987 (B)
Ikarus	Trojan.Worm
Antiy-AVL	GrayWare/Autoit.Execute.a
AegisLab	Trojan.Win32.Generic.4!c
GData	Trojan.GenericKD.44367987
Cynet	Malicious (score: 100)
AhnLab-V3	PUP/Win32.Agent.C2127860
ALYac	Trojan.GenericKD.44367987
MAX	malware (ai score=82)
TrendMicro-HouseCall	TROJ_GEN.R002C0PK820
Rising	Trojan.Obfus/Autoit!1.BEDE (CLASSIC)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	JS:ScriptSH-inf [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	Generic/Trojan.Script.393

pixe-updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All