Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2021, 9:57 a.m.	April 13, 2021, 10:11 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`e3959205680c393688204bb538de523c`
SHA256	`01ad122315fff76fde6444be3cb0be1ffa1acc7f56c07840c1e38ad90b374732`
CRC32	`5383F0C7`
ssdeep	`49152:tx4t969lXp6GjEcsE+4sMq6Kl1PoDE6H1dT+R0:t+L69lXseEcbzQXfQIA1dM0`
Yara	Malicious_Library_Zero - Malicious_Library screenshot - Take screenshot keylogger - Run a keylogger win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasModified_DOS_Message - DOS Message Check

appsetup.exe "C:\Users\test22\AppData\Local\Temp\appsetup.exe"
6420
- makecab.exe "C:\Windows\System32\makecab.exe"
  2224
- makecab.exe "C:\Windows\System32\makecab.exe"
  8604
- makecab.exe "C:\Windows\System32\makecab.exe"
  7632
- makecab.exe "C:\Windows\System32\makecab.exe"
  3012
- makecab.exe "C:\Windows\System32\makecab.exe"
  1596
- makecab.exe "C:\Windows\System32\makecab.exe"
  6316
- makecab.exe "C:\Windows\System32\makecab.exe"
  5264
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Nei.txt
  4684
  - cmd.exe C:\Windows\System32\cmd.exe
    5040

Name	Response	Post-Analysis Lookup
DXTqGlxQqFdnT.DXTqGlxQqFdnT

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2021, 9:57 a.m.			0	0

Command line console output was observed (50 out of 3440 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: C console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: b console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: M console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: k console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: L console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: D console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: C console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: T console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: M console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: K console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: E console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: C console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: B console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: V console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: D console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 10:07 a.m.	buffer: v console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2021, 9:57 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 6420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 13, 2021, 9:58 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13294673920 root_path: C:\Users\test22\AppData\Roaming\yxCcpbjCXZXLo total_number_of_bytes: 0	1	1	0

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Nei.txt
cmdline	cmd /c C:\Windows\System32\cmd.exe < Nei.txt
cmdline	C:\Windows\System32\cmd.exe

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1
ShellExecuteExW April 13, 2021, 9:58 a.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Windows\System32\cmd.exe < Nei.txt filepath: cmd	1	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.46081752
McAfee	Artemis!E3959205680C
Sangfor	Suspicious.Win32.Artemis.E3959205680C
Cybereason	malicious.d10d3e
ESET-NOD32	a variant of Win32/Packed.7zip.AE suspicious
Paloalto	generic.ml
BitDefender	Trojan.GenericKD.46081752
Avast	FileRepMalware
Ad-Aware	Trojan.GenericKD.46081752
Comodo	TrojWare.Win32.Agent.calii@0
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.e3959205680c3936
Emsisoft	Trojan.GenericKD.46081752 (B)
APEX	Malicious
GData	Trojan.GenericKD.46081752
Jiangmin	TrojanDropper.Agent.gifx
Webroot	W32.Trojan.Gen
Rising	Trojan.HiddenRun/SFX!1.D2BC (CLASSIC)
eGambit	PE.Heur.InvalidSig
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	Trojan.Generic

appsetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All