Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 10 a.m.	June 24, 2021, 10:02 a.m.

Size	310.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`95939e9f316d9e5d38e453b5f6095fcd`
SHA256	`ca43a9eafac55c626bf34f6131c11d482326b6a55724743f8da8b873040bcae9`
CRC32	`E0DE6EA3`
ssdeep	`6144:OoNm+qJezPbYhYInTUaWSFrJdMaiGwWK2X+t4p7JBz:ONpszYhvXWSVJdMaeb2X+t4RJBz`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX

t-d.exe "C:\Users\test22\AppData\Local\Temp\t-d.exe"
8024
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs"
  812
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\ex.vbs"
    8992
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\note.vbs"
    5980
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\del.bat" "
    4716
explorer.exe explorer.exe
6568

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (40 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\winints.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\winints.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\wininits.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\wininits.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\Servicess.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\Servicess.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\Services.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\Services.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\winintv.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\winintv.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Roaming\winints.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Roaming\winints.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Roaming\wininits.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Roaming\wininits.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Roaming\Servicess.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Roaming\Servicess.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Roaming\Services.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Roaming\Services.exe console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: "C:\Users\test22\AppData\Roaming\winintv.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 10 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Roaming\winintv.exe console_handle: 0x0000000b	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 8992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 5980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 24, 2021, 10 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: D:\ total_number_of_bytes: 0		0	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\note.vbs
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\del.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\ex.vbs
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs

Executes one or more WMI queries (2 events)

wmi	Select * from Win32_Process Where Name = 'explorer.exe' OR Name = 'sihost64.exe'
wmi	Select * from Win32_Process Where Name = 'notepad.exe' OR Name = 'sihost64.exe'

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.37048835
FireEye	Trojan.GenericKD.37048835
APEX	Malicious
BitDefender	Trojan.GenericKD.37048835
Ad-Aware	Trojan.GenericKD.37048835
Emsisoft	Trojan.GenericKD.37048835 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.fh
Jiangmin	Trojan.MSIL.zhaf
GData	Trojan.GenericKD.37048835
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.37048835
MaxSecure	Trojan.Malware.300983.susgen

One or more non-whitelisted processes were created (6 events)

parent_process	wscript.exe	martian_process	ex.vbs
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\note.vbs"
parent_process	wscript.exe	martian_process	del.bat
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\ex.vbs"
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\RarSFX0\del.bat"
parent_process	wscript.exe	martian_process	note.vbs

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8024 resumed a thread in remote process 812
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 812	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

t-d.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All