Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 14, 2021, 5:51 p.m.	Sept. 14, 2021, 5:53 p.m.

Size	6.2MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`5930b25610cc3ebdc2543cf8a1bf1906`
SHA256	`df567fbec321a3828643118c5b8f28e9ca7a70d416be9463d267389ec80595ca`
CRC32	`5E3468B5`
ssdeep	`98304:Djv+PGv4y17elko0DU9hsiEsn1cHmyY1/b4Kwz1ua/Ea4UFikLPr1:f+xy17elBcU9hf1ywJkKwrc+iG`
Yara	UPX_Zero - UPX packed file IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

nok.exe "C:\Users\test22\AppData\Local\Temp\nok.exe"
1684
- cmd.exe cmd ver
  2252
- eventvwr.exe eventvwr.exe
  1460
  - WindowsDefender.exe "C:\Users\test22\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
    1632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2021, 5:44 p.m.		1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\WindowsDefender\WindowsDefender.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 14, 2021, 5:44 p.m.	show_type: 0 filepath_r: C:\Windows\system32\eventvwr.msc parameters: filepath: C:\Windows\System32\eventvwr.msc	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 14, 2021, 5:44 p.m.	snapshot_handle: 0x0000000000000124 process_name: mobsync.exe process_identifier: 2140	1	1	0
Process32NextW Sept. 14, 2021, 5:44 p.m.	snapshot_handle: 0x0000000000000124 process_name: process_identifier: -995394635		0	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
ESET-NOD32	a variant of WinGo/Agent.AG
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	not-a-virus:VHO:NetTool.Win32.TorTool.gen
McAfee-GW-Edition	BehavesLike.Win64.Trickbot.vc
Avira	HEUR/AGEN.1141600
MaxSecure	Trojan.Malware.300983.susgen

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0063be00', u'virtual_address': u'0x00b99000', u'entropy': 7.894060106566324, u'name': u'UPX1', u'virtual_size': u'0x0063c000'}

entropy

7.89406010657

description

A section with a high entropy has been found

entropy

0.999843370663

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\WindowsDefender\WindowsDefender.exe

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000ac suspend_count: 1 process_identifier: 1684	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000b0 suspend_count: 1 process_identifier: 1684	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 1684	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000e0 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108	1	0
NtSetContextThread Sept. 14, 2021, 5:44 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 824634308656 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 3681792 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000108 process_identifier: 1684	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000118 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x000000000000011c suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000118 suspend_count: 1 process_identifier: 1684	1	0
CreateProcessInternalW Sept. 14, 2021, 5:44 p.m.	thread_identifier: 2236 thread_handle: 0x0000000000000134 process_identifier: 2252 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd ver filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 1024 (CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x0000000000000138	1	1
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000124 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000120	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000120 suspend_count: 1 process_identifier: 1684	1	0
CreateProcessInternalW Sept. 14, 2021, 5:44 p.m.	thread_identifier: 2908 thread_handle: 0x0000000000000150 process_identifier: 1460 current_directory: filepath: C:\Windows\System32\eventvwr.exe track: 1 command_line: eventvwr.exe filepath_r: C:\Windows\system32\eventvwr.exe stack_pivoted: 0 creation_flags: 1024 (CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x0000000000000154	1	1
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000001b0 suspend_count: 1 process_identifier: 1460	1	0
CreateProcessInternalW Sept. 14, 2021, 5:44 p.m.	thread_identifier: 2840 thread_handle: 0x00000000000001c8 process_identifier: 1632 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\WindowsDefender\WindowsDefender.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\WindowsDefender\WindowsDefender.exe" filepath_r: C:\Users\test22\AppData\Roaming\WindowsDefender\WindowsDefender.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000001d8	1	1
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000ac suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000b0 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 1632	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 1632	1	0
NtGetContextThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x000000000000011c	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x000000000000011c suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Sept. 14, 2021, 5:44 p.m.	thread_handle: 0x000000000000016c suspend_count: 1 process_identifier: 1632	1	0

nok.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All