Summary | ZeroBOX

t-d.exe

APT Armageddon WinRAR AntiDebug PE File OS Processor Check PE32 AntiVM
    Category  Machine        Started                 Completed
    FILE      s1_win7_x6402  June 24, 2021, 10 a.m.  June 24, 2021, 10:02 a.m.
    Size 310.6KB
    Type PE32 executable (GUI) Intel 80386, for MS Windows
    MD5 95939e9f316d9e5d38e453b5f6095fcd
    SHA256 ca43a9eafac55c626bf34f6131c11d482326b6a55724743f8da8b873040bcae9
    CRC32 E0DE6EA3
    ssdeep 6144:OoNm+qJezPbYhYInTUaWSFrJdMaiGwWK2X+t4p7JBz:ONpszYhvXWSVJdMaeb2X+t4RJBz
    PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
    Yara
    • PE_Header_Zero - PE File Signature
    • OS_Processor_Check_Zero - OS Processor Check
    • IsPE32 - (no description)
    • Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX

    Name Response Post-Analysis Lookup
    No hosts contacted.
    IP Address Status Action
    172.217.25.14 Active Moloch

    Suricata Alerts

    No Suricata Alerts

    Suricata TLS

    No Suricata TLS

    Time & API        Arguments                 Status  Return  Repeated
    GetComputerNameW  computer_name: TEST22-PC  1       1       0
    GetComputerNameW  computer_name: TEST22-PC  1       1       0
    GetComputerNameW  computer_name: TEST22-PC  1       1       0
    GetComputerNameW  computer_name: TEST22-PC  1       1       0
    GetComputerNameW  computer_name: TEST22-PC  1       1       0
    Time & API     buffer                                                           console_handle  Status  Return  Repeated
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Local\Temp\winints.exe"                 0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Local\Temp\winints.exe    0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Local\Temp\wininits.exe"                0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Local\Temp\wininits.exe   0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Local\Temp\Servicess.exe"               0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Local\Temp\Servicess.exe  0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Local\Temp\Services.exe"                0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Local\Temp\Services.exe   0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Local\Temp\winintv.exe"                 0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Local\Temp\winintv.exe    0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Roaming\winints.exe"                    0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Roaming\winints.exe       0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Roaming\wininits.exe"                   0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Roaming\wininits.exe      0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Roaming\Servicess.exe"                  0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Roaming\Servicess.exe     0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Roaming\Services.exe"                   0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Roaming\Services.exe      0x0000000b      1       1       0
    WriteConsoleW  C:\Users\test22\AppData\Local\Temp\RarSFX0>                      0x00000007      1       1       0
    WriteConsoleW  del                                                              0x00000007      1       1       0
    WriteConsoleW  "C:\Users\test22\AppData\Roaming\winintv.exe"                    0x00000007      1       1       0
    WriteConsoleW  Could Not Find C:\Users\test22\AppData\Roaming\winintv.exe       0x0000000b      1       1       0
    pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
    section .didat
    resource name PNG
    Time & API Arguments Status Return Repeated

    NtProtectVirtualMemory

    process_identifier: 8024
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    base_address: 0x73772000
    process_handle: 0xffffffff
    1 0 0

    NtProtectVirtualMemory

    process_identifier: 812
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    base_address: 0x73772000
    process_handle: 0xffffffff
    1 0 0

    NtProtectVirtualMemory

    process_identifier: 8992
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    base_address: 0x73772000
    process_handle: 0xffffffff
    1 0 0

    NtProtectVirtualMemory

    process_identifier: 5980
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    base_address: 0x73772000
    process_handle: 0xffffffff
    1 0 0
    Time & API Arguments Status Return Repeated

    GetDiskFreeSpaceExW

    total_number_of_free_bytes: 0
    free_bytes_available: 0
    root_path: D:\
    total_number_of_bytes: 0
    0 0
    file C:\Users\test22\AppData\Local\Temp\RarSFX0\note.vbs
    file C:\Users\test22\AppData\Local\Temp\RarSFX0\del.bat
    file C:\Users\test22\AppData\Local\Temp\RarSFX0\ex.vbs
    file C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs
    file C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs
    wmi Select * from Win32_Process Where Name = 'explorer.exe' OR Name = 'sihost64.exe'
    wmi Select * from Win32_Process Where Name = 'notepad.exe' OR Name = 'sihost64.exe'
    description (no description) rule DebuggerCheck__GlobalFlags
    description (no description) rule DebuggerCheck__QueryInfo
    description (no description) rule DebuggerHiding__Thread
    description (no description) rule DebuggerHiding__Active
    description (no description) rule ThreadControl__Context
    description (no description) rule SEH__vectored
    description Checks if being debugged rule anti_dbg
    description Bypass DEP rule disable_dep
    host 172.217.25.14
    Bkav W32.AIDetect.malware2
    MicroWorld-eScan Trojan.GenericKD.37048835
    FireEye Trojan.GenericKD.37048835
    APEX Malicious
    BitDefender Trojan.GenericKD.37048835
    Ad-Aware Trojan.GenericKD.37048835
    Emsisoft Trojan.GenericKD.37048835 (B)
    McAfee-GW-Edition BehavesLike.Win32.Generic.fh
    Jiangmin Trojan.MSIL.zhaf
    GData Trojan.GenericKD.37048835
    Cynet Malicious (score: 100)
    ALYac Trojan.GenericKD.37048835
    MaxSecure Trojan.Malware.300983.susgen
    parent_process wscript.exe martian_process ex.vbs
    parent_process wscript.exe martian_process "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\note.vbs"
    parent_process wscript.exe martian_process del.bat
    parent_process wscript.exe martian_process "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\ex.vbs"
    parent_process wscript.exe martian_process "C:\Users\test22\AppData\Local\Temp\RarSFX0\del.bat"
    parent_process wscript.exe martian_process note.vbs
    Process injection Process 8024 resumed a thread in remote process 812
    Time & API Arguments Status Return Repeated

    NtResumeThread

    thread_handle: 0x000002f0
    suspend_count: 1
    process_identifier: 812
    1 0 0
    file C:\Windows\SysWOW64\wscript.exe