Summary | ZeroBOX

cl.exe

Tags: UPX, AntiDebug, PE File, OS Processor Check, PE32, AntiVM
Category FILE
Machine s1_win7_x6401
Started July 16, 2021, 9:24 a.m.
Completed July 16, 2021, 9:30 a.m.
Size 342.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fb2fac4f3eab460c3cc7096625cf57d5
SHA256 878635996053b9013c9bcd849e18d33ea040ac7f47c6a1a2e62548e22328ae6f
CRC32 E73F2C87
ssdeep 3072:0C5DVBGUN7ekuEE7ssgDDLRIgYj4X3Od4NzTUiiPlEfZKlYdkaiSP2eiLe8/Gq2F:0QBf2tALRhYMudfhtY3dkaiSP2Re8J2F
PDB Path H:\093492492384938490230492839048.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created.
console_handle: 0x00000007
1 1 0
pdb_path H:\093492492384938490230492839048.pdb
section .rda2193
packer Microsoft Visual C++ V8.0 (Debug)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 732
region_size: 10006528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
cmdline /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2800
thread_handle: 0x000000ac
process_identifier: 2264
current_directory:
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000000b0
1 1 0
Rules
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
cmdline /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
buffer Buffer with sha1: 5c53d6f3257789b6e0b1d811a95a30a45e4cbb42
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 204
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000094
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 204
process_handle: 0x00000094
1 1 0
Process injection Process 732 called NtSetContextThread to modify thread in remote process 204
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4200932
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000090
process_identifier: 204
1 0 0
Process injection Process 732 resumed a thread in remote process 204
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000090
suspend_count: 1
process_identifier: 204
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 1972
thread_handle: 0x00000090
process_identifier: 204
current_directory:
filepath:
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\cl.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000094
1 1 0

NtGetContextThread

thread_handle: 0x00000090
1 0 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 204
process_handle: 0x00000094
1 0 0

NtAllocateVirtualMemory

process_identifier: 204
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000094
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 204
process_handle: 0x00000094
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 204
process_handle: 0x00000094
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4200932
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000090
process_identifier: 204
1 0 0

NtResumeThread

thread_handle: 0x00000090
suspend_count: 1
process_identifier: 204
1 0 0

CreateProcessInternalW

thread_identifier: 2800
thread_handle: 0x000000ac
process_identifier: 2264
current_directory:
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000000b0
1 1 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46610963
ALYac Trojan.GenericKD.46610963
Cylance Unsafe
Sangfor Trojan.Win32.Tasker.aqff
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Tasker.fe07970c
K7GW Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D2C73A13
Cyren W32/Trojan.EXOG-3268
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/GenKryptik.FHLB
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win32.Tasker.aqff
BitDefender Trojan.GenericKD.46610963
Avast Win32:PWSX-gen [Trj]
Ad-Aware Trojan.GenericKD.46610963
Sophos Mal/Generic-S
DrWeb Trojan.Siggen14.35523
McAfee-GW-Edition RDN/Generic PWS.y
FireEye Generic.mg.fb2fac4f3eab460c
Emsisoft Trojan.GenericKD.46610963 (B)
Ikarus Trojan.Win32.Krypt
Avira TR/Kryptik.sldev
Gridinsoft Trojan.Win32.Agent.vb
Microsoft Trojan:Win32/Emotet!ml
ZoneAlarm Trojan.Win32.Tasker.aqff
GData Trojan.GenericKD.46610963
Cynet Malicious (score: 100)
McAfee RDN/Generic PWS.y
MAX malware (ai score=82)
VBA32 BScope.Trojan.Inject
Malwarebytes Malware.AI.1760788845
TrendMicro-HouseCall TROJ_GEN.R002H07GA21
Rising Backdoor.Mokes!1.CECE (CLASSIC)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/PossibleThreat
BitDefenderTheta Gen:NN.ZexaF.34790.vyZ@ai2l@8ic
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Win32/Trojan.Generic.HgIASYIA