Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 25, 2021, 8:44 a.m.	June 25, 2021, 8:51 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d41ed89e802f03dd13dd93b68b1a2053`
SHA256	`6def6dcb544ad06427d74d064fdb2bb91923ca14b3835dc8e017859ecda73ce8`
CRC32	`5DC651F8`
ssdeep	`49152:weGA1Fxn3XeQUf19xhda/sRl0r+8j764wYuToNtG7uIem:weH3uQUfXcQW6zYru1`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

CUTE3532.EXE "C:\Users\test22\AppData\Local\Temp\CUTE3532.EXE"
1468
- 350.exe "C:\Users\test22\AppData\Local\Temp\350.exe" /y
  2364
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 8:44 a.m.			0	0

Command line console output was observed (25 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Microsoft (R) Diamond Extraction Tool - Version (32) 1.00.0601 (03/18/97) Copyright (c) Microsoft Corp 1994-1997. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Cabinet 350.exe console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting 401comupd.exe console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting Ad468x60.gzf console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting Ad468x60.url console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting advert.dll console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting amcis.dll console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting commands.dat console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting cuteftp.CNT console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting CUTEFTP.HLP console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting CuteHTML.cnt console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting CuteHTML.exe console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting CUTEHTML.HLP console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting CuteSearch0018.dll console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting CuteSearch0018.sfo console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting CuteShell.dll console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting cutftp32.exe console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting html.txt console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting notes.TXT console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting smdata3.dat console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting stub.exe console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting tagtips.dat console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting unreg.exe console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting UNWISE32.EXE console_handle: 0x00000007	1	1
WriteConsoleA June 25, 2021, 8:45 a.m.	buffer: Extracting wizdata.dat console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 8:44 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Wise Installer Stub

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a24000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1001d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72541000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b32000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72421000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:45 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72401000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW June 25, 2021, 8:44 a.m.	number_of_free_clusters: 3350312 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW June 25, 2021, 8:44 a.m.	total_number_of_free_bytes: 13722877952 free_bytes_available: 13722877952 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW June 25, 2021, 8:45 a.m.	number_of_free_clusters: 3350291 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW June 25, 2021, 8:45 a.m.	total_number_of_free_bytes: 13722791936 free_bytes_available: 13722791936 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 25, 2021, 8:38 a.m.	total_number_of_free_bytes: 13719465984 free_bytes_available: 13719465984 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (20 events)

file	C:\Users\test22\Desktop\CuteFTP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\Uninstall CuteHTML.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML Readme.lnk
file	C:\Users\test22\AppData\Local\Temp\CuteHTML.exe
file	C:\Users\test22\AppData\Local\Temp\401comupd.exe
file	C:\Users\test22\AppData\Local\Temp\advert.dll
file	C:\Users\test22\AppData\Local\Temp\UNWISE32.EXE
file	C:\Users\test22\Desktop\CuteHTML.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\Uninstall CuteFTP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML.lnk
file	C:\Users\test22\AppData\Local\Temp\stub.exe
file	C:\Users\test22\AppData\Local\Temp\CuteSearch0018.dll
file	C:\Users\test22\AppData\Local\Temp\unreg.exe
file	C:\Users\test22\AppData\Local\Temp\cutftp32.exe
file	C:\Users\test22\AppData\Local\Temp\CuteShell.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP Read Me.lnk
file	C:\Users\test22\AppData\Local\Temp\amcis.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML Help.lnk

Creates a shortcut to an executable file (30 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP Help.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML Readme.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\Users\test22\Desktop\CuteHTML.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\Uninstall CuteFTP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP Read Me.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\Uninstall CuteFTP.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP Help.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\Uninstall CuteHTML.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML Readme.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\Users\test22\Desktop\CuteFTP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\Uninstall CuteHTML.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteHTML\CuteHTML.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlobalSCAPE\CuteFTP\CuteFTP Read Me.lnk

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\GLC5FBC.tmp

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (5 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA June 25, 2021, 8:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CuteFTP base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CuteFTP		2
RegOpenKeyExA June 25, 2021, 8:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteFTP base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteFTP		2
RegOpenKeyExA June 25, 2021, 8:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteFTP base_handle: 0x80000002 key_handle: 0x00000304 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteFTP	1	0
RegOpenKeyExA June 25, 2021, 8:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteHTML base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteHTML		2
RegOpenKeyExA June 25, 2021, 8:45 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteHTML base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CuteHTML	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1468 resumed a thread in remote process 2364
NtResumeThread June 25, 2021, 8:45 a.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2364	1	0	0

CUTE3532.EXE

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All