Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 30, 2021, 10:57 a.m.	July 30, 2021, 11:05 a.m.

Size	1.9MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`22e4972a8a73e90a38f379ff527759dc`
SHA256	`1c377a9ac966d3cb6950cb27ed3cc2abfa1299e9611a87735f258088e01bf7af`
CRC32	`3660553F`
ssdeep	`49152:V+clb1BRntmeSKZQvQVPWA6LKk7MhU6GuMEHksv95y7PETs7qXnsZtI76:PmF4VPILK/z398PEMqXnIIO`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

WUpdate.exe "C:\Users\test22\AppData\Local\Temp\WUpdate.exe"
2232
- Update.exe "C:\Users\test22\AppData\Local\Temp\Update.exe"
  584
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\944A.tmp\Update.bat" "C:\Users\test22\AppData\Local\Temp\Update.exe""
    2664
    - dC_v13_Scrypt.exe dC_v13_Scrypt.exe -pOWgAUV8kbH7KBETghv5LwESz8Uv13 -dC:\Users\test22\AppData\Local\Temp
      2936
      - DFCTRL1_9.exe "C:\Users\test22\AppData\Local\Temp\DFCTRL1_9.exe"
        2716
        
        cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\E94F.tmp\DFCTRL1_9.bat" "C:\Users\test22\AppData\Local\Temp\DFCTRL1_9.exe""
        2020
        
        NSudoLG.exe NSudo\NSudoLG.exe -U:T -ShowWindowMode:Hide DFCTRL1_9\dControl.exe /D
        2576
        
        dControl.exe DFCTRL1_9\dControl.exe /D
        2288

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2021, 10:57 a.m.			0	0
IsDebuggerPresent July 30, 2021, 11:04 a.m.			0	0
IsDebuggerPresent July 30, 2021, 11:04 a.m.			0	0
IsDebuggerPresent July 30, 2021, 11:04 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: dC_v13_Scrypt.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: -pOWgAUV8kbH7KBETghv5LwESz8Uv13 -dC:\Users\test22\AppData\Local\Temp console_handle: 0x0000000000000007	1	1
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: NSudo\NSudoLG.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: -U:T -ShowWindowMode:Hide DFCTRL1_9\dControl.exe /D console_handle: 0x0000000000000007	1	1
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: exit console_handle: 0x0000000000000007	1	1
WriteConsoleW July 30, 2021, 11:04 a.m.	buffer: /b console_handle: 0x0000000000000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 30, 2021, 10:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 30, 2021, 11:04 a.m.	stacktrace: Wow64DisableWow64FsRedirection+0x10 Wow64RevertWow64FsRedirection-0x1a kernelbase+0xc6d7 @ 0x76a7c6d7 dcontrol+0x10df1 @ 0x410df1 dcontrol+0x736ac @ 0x4736ac dcontrol+0x41c6 @ 0x4041c6 exception.instruction_r: 89 11 c7 45 fc fe ff ff ff e8 8e 9b fc ff c2 08 exception.symbol: RtlWow64EnableFsRedirectionEx+0x43 RtlTryAcquirePebLock-0x2f7 ntdll+0x6435d exception.instruction: mov dword ptr [ecx], edx exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 410461 exception.address: 0x7740435d registers.esp: 9171552 registers.edi: 4882208 registers.eax: 0 registers.ebp: 9171596 registers.edx: 0 registers.ebx: 9172632 registers.esi: 1 registers.ecx: 1	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 30, 2021, 10:57 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:57 a.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 11:04 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 11:04 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 11:04 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\NSudo\NSudoLC.exe
file	C:\Users\test22\AppData\Local\Temp\dC_v13_Scrypt.exe
file	C:\Users\test22\AppData\Local\Temp\DFCTRL1_9.exe
file	C:\Users\test22\AppData\Local\Temp\Update.exe
file	C:\Users\test22\AppData\Local\Temp\NSudo\NSudoLG.exe
file	C:\Users\test22\AppData\Local\Temp\DFCTRL1_9\dControl.exe
file	C:\Users\test22\AppData\Local\Temp\944A.tmp\Update.bat
file	C:\Users\test22\AppData\Local\Temp\E94F.tmp\DFCTRL1_9.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\DFCTRL1_9\dControl.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 30, 2021, 10:57 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\944A.tmp\Update.bat parameters: "C:\Users\test22\AppData\Local\Temp\Update.exe" filepath: C:\Users\test22\AppData\Local\Temp\944A.tmp\Update.bat	1	1	0
ShellExecuteExW July 30, 2021, 11:04 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\E94F.tmp\DFCTRL1_9.bat parameters: "C:\Users\test22\AppData\Local\Temp\DFCTRL1_9.exe" filepath: C:\Users\test22\AppData\Local\Temp\E94F.tmp\DFCTRL1_9.bat	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW July 30, 2021, 11:04 a.m.	snapshot_handle: 0x000001b4 process_name: pw.exe process_identifier: 3060	1	1
Process32NextW July 30, 2021, 11:04 a.m.	snapshot_handle: 0x000001b4 process_name: taskhost.exe process_identifier: 1164	1	1
Process32NextW July 30, 2021, 11:04 a.m.	snapshot_handle: 0x000001b4 process_name: dControl.exe process_identifier: 2288	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 30, 2021, 11:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (15 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Users\test22\AppData\Local\Temp\E94F.tmp\DFCTRL1_9.bat "C:\Users\test22\AppData\Local\Temp\DFCTRL1_9.exe"
cmdline	C:\Users\test22\AppData\Local\Temp\944A.tmp\Update.bat "C:\Users\test22\AppData\Local\Temp\Update.exe"

Drops a binary and executes it (6 events)

file	C:\Users\test22\AppData\Local\Temp\Update.exe
file	C:\Users\test22\AppData\Local\Temp\944A.tmp\Update.bat
file	C:\Users\test22\AppData\Local\Temp\dC_v13_Scrypt.exe
file	C:\Users\test22\AppData\Local\Temp\DFCTRL1_9.exe
file	C:\Users\test22\AppData\Local\Temp\E94F.tmp\DFCTRL1_9.bat
file	C:\Users\test22\AppData\Local\Temp\NSudo\NSudoLG.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 resumed a thread in remote process 2288
NtResumeThread July 30, 2021, 11:04 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2288	1	0	0

Stops Windows services (1 event)

service

WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start)

Disables Windows Security features (2 events)

description	attempts to modify windows defender policies				registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to disable windows defender				registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

MicroWorld-eScan	Trojan.GenericKD.37161181
FireEye	Generic.mg.22e4972a8a73e90a
ALYac	Trojan.GenericKD.37161181
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Trojan.GenericKD.37161181
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W64/Coinminer.C
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win64/GenKryptik.FHBF
Kaspersky	VHO:Trojan.Win32.Convagent.gen
Avast	Win64:Malware-gen
Ad-Aware	Trojan.GenericKD.37161181
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win64.PUPXME.tc
Emsisoft	Trojan.GenericKD.37161181 (B)
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Generic.ASBOL.2F8F
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.GenericKD.37161181
Cynet	Malicious (score: 100)
McAfee	Artemis!22E4972A8A73
Malwarebytes	Malware.AI.4120687121
Zoner	Trojan.Win64.52156
TrendMicro-HouseCall	TROJ_GEN.R002H0CG221
Ikarus	Trojan.BAT.CoinMiner
Fortinet	Malicious_Behavior.SB
AVG	Win64:Malware-gen

WUpdate.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All