Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 2, 2021, 11:01 a.m.	Nov. 2, 2021, 11:11 a.m.

Size	1.0MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`3139e939a60a693862671d6b13741d3b`
SHA256	`543c1df1becf83ebd6827cb6d1ad6f36e31f678a7ca5cf608971b7e3867fdc26`
CRC32	`770C283C`
ssdeep	`24576:NIoew+izW8U3TdHi8W6hJuSFpGIC2DVbGXdRs6:lewBy8U3TdHiubuEpGICmVbGDs6`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
2316
- cmd.exe "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\test22\AppData\Local\Temp\RNkCTBhH & timeout 4 & del /f /q ""
  2396
  - timeout.exe timeout 4
    2456

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 2, 2021, 11:01 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 2, 2021, 11:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 11:01 a.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 2, 2021, 11:01 a.m.	buffer: Waiting for 4 console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 11:01 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2316 region_size: 315392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2316 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2316 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\test22\AppData\Local\Temp\RNkCTBhH & timeout 4 & del /f /q ""
cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\Users\test22\AppData\Local\Temp\RNkCTBhH & timeout 4 & del /f /q ""

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 2, 2021, 11:01 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c rd /s /q C:\Users\test22\AppData\Local\Temp\RNkCTBhH & timeout 4 & del /f /q "" filepath: C:\Windows\System32\cmd.exe	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\test22\AppData\Local\Temp\RNkCTBhH & timeout 4 & del /f /q ""
cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\Users\test22\AppData\Local\Temp\RNkCTBhH & timeout 4 & del /f /q ""

Attempts to identify installed AV products by installation directory (3 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG
file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\file.exe

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 103 events)

file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Temp\ArmUI.ini
file	C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20210707200853994).log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file	C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\AdobeARM.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000028.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file	C:\Users\test22\AppData\Local\Temp\jawshtml.html
file	C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000025.log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file	C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file	C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log
file	C:\Users\test22\AppData\Local\Temp\chrome_installer.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log
file	C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\java_install.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\bchC68D.tmp
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html
file	C:\Users\test22\AppData\Local\Temp\PrinterSetup.log
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log
file	C:\Users\test22\AppData\Local\Temp\dd_TMPA86C.tmp_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\CVR8B49.tmp.cvr
file	C:\Users\test22\AppData\Local\Temp\file.exe
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Users\test22\AppData\Local\Temp\SetupExe(202107071812439D0).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844-MSI_netfx_Full_x64.msi.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000014.log
file	C:\Users\test22\AppData\Local\Temp\CVRE545.tmp.cvr
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000005.log
file	C:\Users\test22\AppData\Local\Temp\dd_wcf_CA_smci_20200715_051341_086.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000010.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(2018040515215734C).log

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.3139e939a60a6938
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.5c2002
BitDefenderTheta	Gen:NN.ZexaF.34236.br0@aGQQfYmi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FMXS
APEX	Malicious
Kaspersky	VHO:Trojan-Downloader.Win32.Cridex.okw
Avast	Win32:TrojanX-gen [Trj]
Sophos	ML/PE-A
eGambit	Unsafe.AI_Score_69%
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Ser.Razy.15243
Cynet	Malicious (score: 100)
VBA32	BScope.Trojan.Skipe.3013
Rising	Malware.Heuristic!ET#87% (RDMK:cmRtazqU+DFo5yPe25DO+pND2vsz)
AVG	Win32:TrojanX-gen [Trj]

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All