Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2021, 9:41 a.m.	Oct. 16, 2021, 9:44 a.m.

Size	235.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`465784e139b2fb62fa2ee0cce3ee5551`
SHA256	`2fb141022b005c0cd9836a27a0679f10816a468855107d515bc7e4d658217f0a`
CRC32	`EA736994`
ssdeep	`6144:JVz/6wB7zS96GyZzlhWIUiOjD7jiH4/a7+9spfnuHifcYcn8oS:JVDpBqa9U3iHGa7jxDcqoS`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Crossrider_Adware_IN - Crossrider Adware

TimeLimit.exe "C:\Users\test22\AppData\Local\Temp\TimeLimit.exe"
1016
- cmd.exe C:\Windows\system32\cmd.exe /c cacls "C:\Users\test22\AppData\Local\Temp\TimeLimit.dat" /e /g users:f
  1772
  - cacls.exe cacls "C:\Users\test22\AppData\Local\Temp\TimeLimit.dat" /e /g users:f
    1444
- cmd.exe C:\Windows\system32\cmd.exe /c cacls "C:\Users\test22\AppData\Local\Temp\token.dat" /e /g users:f
  2936
  - cacls.exe cacls "C:\Users\test22\AppData\Local\Temp\token.dat" /e /g users:f
    3028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (28 events)

Time & API	Arguments	Status	Return
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2021, 9:41 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\TimeLimit.dat console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2021, 9:41 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2021, 9:41 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\token.dat console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2021, 9:41 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 16, 2021, 9:41 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 16, 2021, 9:41 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /c cacls "C:\Users\test22\AppData\Local\Temp\token.dat" /e /g users:f
cmdline	C:\Windows\system32\cmd.exe /c cacls "C:\Users\test22\AppData\Local\Temp\TimeLimit.dat" /e /g users:f

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00034a00', u'virtual_address': u'0x00076000', u'entropy': 7.996645862921374, u'name': u'UPX1', u'virtual_size': u'0x00035000'}

entropy

7.99664586292

description

A section with a high entropy has been found

entropy

0.897654584222

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SamiApp	reg_value	C:\Users\test22\AppData\Local\Temp\TimeLimit.exe \|
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\log32not\DLLName	reg_value	LogNotify.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\log32not\Logon	reg_value	WlxEventLogon
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\log32not\Logoff	reg_value	WlxEventLogoff
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\log32not\Impersonate	reg_value	0
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\log32not\Asynchronous	reg_value	1

Disables Windows' Task Manager (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Uses suspicious command line tools or Windows utilities (4 events)

cmdline	C:\Windows\system32\cmd.exe /c cacls "C:\Users\test22\AppData\Local\Temp\token.dat" /e /g users:f
cmdline	C:\Windows\system32\cmd.exe /c cacls "C:\Users\test22\AppData\Local\Temp\TimeLimit.dat" /e /g users:f
cmdline	cacls "C:\Users\test22\AppData\Local\Temp\token.dat" /e /g users:f
cmdline	cacls "C:\Users\test22\AppData\Local\Temp\TimeLimit.dat" /e /g users:f

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Lionic	Trojan.Win32.Aexlz.4!c
MicroWorld-eScan	Gen:Trojan.WinlogonHook.NG0@aeXlZ3mO
FireEye	Gen:Trojan.WinlogonHook.NG0@aeXlZ3mO
ALYac	Gen:Trojan.WinlogonHook.NG0@aeXlZ3mO
Arcabit	Trojan.WinlogonHook.EA411C
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
BitDefender	Gen:Trojan.WinlogonHook.NG0@aeXlZ3mO
Avast	FileRepMalware
Ad-Aware	Gen:Trojan.WinlogonHook.NG0@aeXlZ3mO
McAfee-GW-Edition	BehavesLike.Win32.Dropper.dc
Emsisoft	Gen:Trojan.WinlogonHook.NG0@aeXlZ3mO (B)
MAX	malware (ai score=80)
Microsoft	Trojan:Win32/Rundis.gen!A
GData	Gen:Trojan.WinlogonHook.NG0@aeXlZ3mO
McAfee	RDN/Generic
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_99%
AVG	FileRepMalware

TimeLimit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All