Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 24, 2021, 7:06 p.m.	June 24, 2021, 8:44 p.m.

Size	265.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`6192d1233fe0683d14bd980354d8fae9`
SHA256	`6958cc20b390a826778c286a41e3601cbae129d26d4bd2e50b350ba2c336aa5f`
CRC32	`F9939DB1`
ssdeep	`3072:77DhdC6kzWypvaQ0FxyNTBfaeRlaKWh4KaWi8Q/N:7BlkZvaF4NTByeLVWhON`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

clean1.exe "C:\Users\test22\AppData\Local\Temp\clean1.exe"
2776
- cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\5EA3.tmp\5EB4.tmp\5EB5.bat C:\Users\test22\AppData\Local\Temp\clean1.exe"
  1684
  - attrib.exe attrib -s -h -r
    2428
  - attrib.exe attrib +s +h +r clean1.exe
    656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\BAD console_handle: 0x000000000000000b	1	1
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\BAD console_handle: 0x000000000000000b	1	1
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\BAD console_handle: 0x000000000000000b	1	1
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\tt.bat console_handle: 0x000000000000000b	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\5EA3.tmp\5EB4.tmp\5EB5.bat

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.111835561466392, u'name': u'.rdata', u'virtual_size': u'0x000033a5'}

entropy

7.11183556147

description

A section with a high entropy has been found

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 24, 2021, 7:06 p.m.	status_code: 0xffffffff process_identifier: 1684 process_handle: 0x000000d8		0	0
NtTerminateProcess June 24, 2021, 7:06 p.m.	status_code: 0xffffffff process_identifier: 1684 process_handle: 0x000000d8		3221225738	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	attrib +s +h +r clean1.exe
cmdline	"C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\5EA3.tmp\5EB4.tmp\5EB5.bat C:\Users\test22\AppData\Local\Temp\clean1.exe"
cmdline	attrib -s -h -r

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.6192d1233fe0683d
CAT-QuickHeal	Trojan.GenericPMF.S16976269
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (W)
Cyren	W32/Delf.MV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
McAfee-GW-Edition	BehavesLike.Win32.Trojan.dm
MaxSecure	Trojan.Malware.300983.susgen
Sophos	Generic ML PUA (PUA)
Antiy-AVL	Trojan/Generic.ASMalwS.2B9E7F9
Cynet	Malicious (score: 100)
Rising	Malware.Heuristic!ET#100% (RDMK:cmRtazpfpM9CRNnG/giMiY/eM6oB)
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_61%
BitDefenderTheta	Gen:NN.ZexaF.34758.quW@aGvrqVb
Panda	Trj/Genetic.gen

clean1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All