Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

clip.exe

Malicious Library PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 6, 2021, 8:14 a.m.	Sept. 6, 2021, 8:16 a.m.

Size	64.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0f41234ce843d72a64c622ed1a7a8cb0`
SHA256	`6b7a2535ceb032e616fff2a08328d38b98a60870e7c08e7c600d7b945d2f8fcc`
CRC32	`3F6FD1B6`
ssdeep	`1536:KjRsWpkPNlmRWpeLKei1yX+oVm6LGHy+6XQYcwCwV1/wf:9ziWpeLKei1yuNynXQYcwC`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

clip.exe "C:\Users\test22\AppData\Local\Temp\clip.exe"
544
- cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2236
  - schtasks.exe schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    2524

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 6, 2021, 8:14 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 6, 2021, 8:14 a.m.	buffer: WARNING: Task may not run because /ST is earlier than current time. console_handle: 0x0000000b	1	1	0
WriteConsoleW Sept. 6, 2021, 8:14 a.m.	buffer: SUCCESS: The scheduled task "\03BD451ED4621855818353" has successfully been created. console_handle: 0x00000007	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 6, 2021, 8:14 a.m.	process_identifier: 544 region_size: 1974272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 6, 2021, 8:14 a.m.	process_identifier: 544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 6, 2021, 8:14 a.m.	process_identifier: 544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (3 events)

cmdline	schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 6, 2021, 8:14 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f filepath: cmd.exe	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f

Installs itself for autorun at Windows startup (3 events)

cmdline	schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Lionic	Trojan.Win32.Tasker.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.0f41234ce843d72a
McAfee	RDN/Generic.grp
Cylance	Unsafe
Cybereason	malicious.ce843d
BitDefenderTheta	Gen:NN.ZexaF.34126.eu0@ayYnWumi
ESET-NOD32	a variant of Win32/GenKryptik.EOYQ
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Tasker.gen
Avast	FileRepMalware
eGambit	Unsafe.AI_Score_99%
Microsoft	Trojan:Script/Phonzy.B!ml
Rising	Trojan.Generic@ML.90 (RDML:zU+8TvJojuf4mIrkuCXfPA)
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_100% (W)

Uses Sysinternals tools in order to add additional command line functionality (3 events)

cmdline	schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
cmdline	cmd.exe /c schtasks /create /tn \03BD451ED4621855818353 /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\03BD451ED4621855818353\03BD451ED4621855818353.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f