Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 2, 2021, 10:14 p.m.	Nov. 2, 2021, 10:17 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`689b7bfb1424aa69046653e635ecb9ac`
SHA256	`33b321374349db0323465f27465cabc62472c405e2a45638467e32c174d18082`
CRC32	`82C25D63`
ssdeep	`49152:AuUZOlRW++2IqL321m6IxSwdN0ZsCbSq4ijHsBm:AHZOjW+Vt3SiODu/ijM0`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

Mainsetupv1.0.exe "C:\Users\test22\AppData\Local\Temp\Mainsetupv1.0.exe"
2800
- cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Profonda.vstx
  2928
  - cmd.exe C:\Windows\system32\cmd
    2996
    - findstr.exe findstr /V /R "^BzLWsqaNCEZgiyEyRAWbzRykAXPtraovZkeVpuoOjqhCVDqSKvSTNMNJgmczlgJpvCfWeIVKsokaDDdXXXzGAfIjn$" Attitudine.vstx
      3040
    - Chiamando.exe.com Chiamando.exe.com y
      2076
      - Chiamando.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com y
        2144
    - PING.EXE ping 127.0.0.1 -n 30
      1304

Name	Response	Post-Analysis Lookup
iBFBxuLonchVeJiTrbJe.iBFBxuLonchVeJiTrbJe

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2021, 10:14 p.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:14 p.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:14 p.m.			0	0

Command line console output was observed (50 out of 143 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: Set ZHFZ=%userdomain% console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: if %ZHFZ%==DESKTOP-QO5QU33 exit console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: <nul set /p = "MZ" > Chiamando.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: findstr /V /R "^BzLWsqaNCEZgiyEyRAWbzRykAXPtraovZkeVpuoOjqhCVDqSKvSTNMNJgmczlgJpvCfWeIVKsokaDDdXXXzGAfIjn$" Attitudine.vstx >> Chiamando.exe.com" console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: copy Lucenti.vstx y console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: start Chiamando.exe.com y console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:14 p.m.	buffer: ping 127.0.0.1 -n 30 console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 2, 2021, 10:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:14 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 2, 2021, 10:15 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2021, 10:14 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 2, 2021, 10:14 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:14 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:15 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:15 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 786432 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x039e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:15 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03aa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:15 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03aba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:15 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03abe000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:15 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03abf000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 2, 2021, 10:14 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13718249472 root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Profonda.vstx

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 2, 2021, 10:14 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c C:\Windows\system32\cmd < Profonda.vstx filepath: C:\Windows\System32\cmd	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Hijack network configuration	rule	Hijack_Network
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping 127.0.0.1 -n 30

Attempts to identify installed AV products by installation directory (2 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2996 resumed a thread in remote process 2076
NtResumeThread Nov. 2, 2021, 10:14 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2076	1	0	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Agent.m!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36959446
FireEye	Generic.mg.689b7bfb1424aa69
McAfee	Artemis!689B7BFB1424
Cylance	Unsafe
Zillya	Backdoor.Agent.Win32.79794
Sangfor	Backdoor.Win32.Agent.myuaxu
K7AntiVirus	Trojan ( 0057c6fb1 )
Alibaba	Backdoor:Win32/7Drop.dc8e3475
K7GW	Trojan ( 0057c6fb1 )
Cyren	W32/Trojan.YJRA-5574
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.7zip.AL suspicious
APEX	Malicious
Avast	Script:SNH-gen [Trj]
ClamAV	Win.Malware.Crypzip-9880310-0
Kaspersky	Backdoor.Win32.Agent.myuaxu
BitDefender	Trojan.GenericKD.36959446
Ad-Aware	Trojan.GenericKD.36959446
Sophos	Troj/Agent-BGQN
Comodo	ApplicUnwnt@#2dbe8bvu70bzl
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06BC0WEI21
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Trojan.GenericKD.36959446 (B)
Paloalto	generic.ml
Jiangmin	Trojan.Fsysna.joy
Webroot	W32.Malware.Gen
Avira	BDS/Agent.yfpto
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Generic.ASMalwS.32AC78A
Kingsoft	Win32.Hack.Agent.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
Gridinsoft	Trojan.Win32.Packed.oa
GData	Win32.Trojan.BSE.S11PG3
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.Generic.R425135
ALYac	Trojan.GenericKD.36959446
VBA32	Backdoor.Agent
Malwarebytes	Trojan.Dropper.Generic
TrendMicro-HouseCall	TROJ_GEN.R06BC0WEI21
Tencent	Malware.Win32.Gencirc.10ce58d0
Yandex	Backdoor.Agent!q1VL37ik7x4
Fortinet	Riskware/Agent
MaxSecure	Trojan.Malware.117977742.susgen
AVG	Script:SNH-gen [Trj]
Panda	Trj/Agent.ALS
CrowdStrike	win/malicious_confidence_100% (W)

Mainsetupv1.0.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All