Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 7, 2022, 1:57 p.m.	June 7, 2022, 2:01 p.m.

Size	40.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`b238708a6c194f7cb92c8c50400a3a98`
SHA256	`78bd304c8dfe9bf2bdb139d0672d4aed6adde6686fbb6ed5e5420f955dc4de11`
CRC32	`8383A59F`
ssdeep	`768:C7I0+FNSW3YO5z+b+hCFfH/YZIvb5c4QGPL4vzZq2o9W7GsxBbPr:C7I0ekW3Ft+eeYZK5cTGCq2iW7z`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file ASPack_Zero - ASPack packed file PE_Header_Zero - PE File Signature

win.exe "C:\Users\test22\AppData\Local\Temp\win.exe"
2320
- aBYIeT.exe C:\Users\test22\AppData\Local\Temp\aBYIeT.exe
  2396
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\03841b01.bat" "
    2672

Name	Response	Post-Analysis Lookup
v8.ter.tf
ddos.dnsnb8.net	A 63.251.106.25	63.251.106.25
2969761768.vip	CNAME uq9nwxh3.hyhuxa.top A 20.205.32.207 A 154.12.38.162 A 20.24.225.74 A 20.27.51.23 A 154.12.43.132 A 50.93.205.47 A 41.77.244.85 A 20.239.181.108 A 51.81.216.6 A 193.221.95.118 CNAME c9v864gr.n.hyhuxa.top A 193.221.95.83 A 193.221.95.126	193.221.95.83

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.27.51.23	Active	Moloch
63.251.106.25	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp\aBYIeT.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\aBYIeT.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: goto console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: :DELFILE console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp\03841b01.bat" console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2022, 1:57 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

\xd5S\xff\xd7\xa3ux

Foreign language identified in PE resource (4 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011134

size

0x000002e8

name

RT_RCDATA

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b130

size

0x00003000

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011420

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00011438

size

0x00000448

Creates executable files on the filesystem (20 events)

file	C:\tmp6o6lvv\bin\execsc.exe
file	C:\Users\test22\AppData\Local\Temp\38BA1B54.exe
file	C:\util\pafish.exe
file	C:\Users\test22\AppData\Local\Temp\131A0973.exe
file	C:\Users\test22\AppData\Local\Temp\4C243FD6.exe
file	C:\tmp6o6lvv\bin\inject-x86.exe
file	C:\Program Files (x86)\7-Zip\7zG.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Users\test22\AppData\Local\Temp\46BB686B.exe
file	C:\Program Files\7-Zip\Uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\03841b01.bat
file	C:\Users\test22\AppData\Local\Temp\63057192.exe
file	C:\Program Files (x86)\7-Zip\7zFM.exe
file	C:\Python27\Lib\distutils\command\wininst-7.1.exe
file	C:\Python27\Lib\site-packages\setuptools\gui.exe
file	C:\Users\test22\AppData\Local\Temp\aBYIeT.exe
file	C:\Users\test22\AppData\Local\Temp\566810BA.exe
file	C:\Users\test22\AppData\Local\Temp\31763395.exe
file	C:\tmp6o6lvv\bin\is32bit.exe
file	C:\Users\test22\AppData\Local\Temp\2E764A70.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 7, 2022, 1:57 p.m.	service_start_name: start_type: 2 password: display_name: Klmnop Rstuabc Efghijk Mnop filepath: C:\Windows\iyammc.exe service_name: Klmnopq Stuabc filepath_r: C:\Windows\iyammc.exe desired_access: 983551 service_handle: 0x008a8300 error_control: 1 service_type: 272 service_manager_handle: 0x008a83a0	1	9077504	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\03841b01.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\aBYIeT.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 7, 2022, 1:57 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\03841b01.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\03841b01.bat	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00004e00', u'virtual_address': u'0x0000c000', u'entropy': 7.85161823887119, u'name': u'UPX1', u'virtual_size': u'0x00005000'}

entropy

7.85161823887

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00004200', u'virtual_address': u'0x00012000', u'entropy': 6.934358700790351, u'name': u'\\xd5S\\xff\\xd7\\xa3ux', u'virtual_size': u'0x00005000'}

entropy

6.93435870079

description

A section with a high entropy has been found

entropy

0.923076923077

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Installs itself for autorun at Windows startup (1 event)

service_name

Klmnopq Stuabc

service_path

C:\Windows\iyammc.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\aBYIeT.exe

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.FamVT.DumpModuleInfectiousNME.PE
DrWeb	Trojan.DownLoader18.16955
MicroWorld-eScan	Win32.VJadtre.3
FireEye	Generic.mg.b238708a6c194f7c
CAT-QuickHeal	Trojan.GenericRI.S17164152
McAfee	W32/Kudj
Malwarebytes	Trojan.FakeMS
Sangfor	[ASPACK V2.12]
K7AntiVirus	Trojan ( 004bcce41 )
BitDefender	Win32.VJadtre.3
K7GW	Trojan ( 004bcce41 )
Cybereason	malicious.a6c194
BitDefenderTheta	AI:FileInfector.991137D00F
Cyren	W32/PatchLoad.E
Elastic	malicious (moderate confidence)
ESET-NOD32	Win32/Wapomi.BA
APEX	Malicious
ClamAV	Win.Trojan.Downloader-64720
Kaspersky	Virus.Win32.Nimnul.f
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
ViRobot	Win32.Ramnit.F
Rising	Virus.Roue!1.9E10 (CLASSIC)
Ad-Aware	Win32.VJadtre.3
Sophos	ML/PE-A + W32/Nimnul-A
Comodo	Packed.Win32.MUPX.Gen@24tbus
Baidu	Win32.Virus.Otwycal.d
Zillya	Virus.Nimnul.Win32.5
TrendMicro	PE_WAPOMI.BM
McAfee-GW-Edition	BehavesLike.Win32.Virut.pc
Trapmine	malicious.high.ml.score
Emsisoft	Win32.VJadtre.3 (B)
SentinelOne	Static AI - Malicious PE
GData	Win32.Virus.Wapomi.A
Jiangmin	Win32/Nimnul.f
Avira	W32/Jadtre.B
MAX	malware (ai score=89)
Gridinsoft	Trojan.Heur!.03212289
SUPERAntiSpyware	Trojan.Agent/Gen-FakeMS
ZoneAlarm	Virus.Win32.Nimnul.f
Microsoft	Virus:Win32/Mikcer.B
Cynet	Malicious (score: 100)
AhnLab-V3	Win32/VJadtre.Gen
Acronis	suspicious
VBA32	Virus.Nimnul.19209
ALYac	Win32.VJadtre.3
TACHYON	Virus/W32.Ramnit.C
Cylance	Unsafe
Panda	W32/Pcarrier.A
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	PE_WAPOMI.BM

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (30 events)

dead_host	192.168.56.103:49252
dead_host	192.168.56.103:49266
dead_host	192.168.56.103:49247
dead_host	192.168.56.103:49236
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49198
dead_host	192.168.56.103:49225
dead_host	192.168.56.103:49244
dead_host	192.168.56.103:49280
dead_host	192.168.56.103:49182
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49209
dead_host	192.168.56.103:49261
dead_host	192.168.56.103:49206
dead_host	192.168.56.103:49275
dead_host	20.27.51.23:6681
dead_host	192.168.56.103:49233
dead_host	192.168.56.103:49264
dead_host	192.168.56.103:49269
dead_host	192.168.56.103:49241
dead_host	192.168.56.103:49250
dead_host	192.168.56.103:49272
dead_host	192.168.56.103:49255
dead_host	192.168.56.103:49277
dead_host	192.168.56.103:49227
dead_host	192.168.56.103:49258
dead_host	192.168.56.103:49216
dead_host	192.168.56.103:49204
dead_host	192.168.56.103:49239
dead_host	192.168.56.103:49221

win.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All