Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 22, 2023, 3:25 p.m.	Jan. 22, 2023, 3:45 p.m.

Size	5.7MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`4ea2c030393e9e918bae4c1989c1e05f`
SHA256	`671e6d007aed4164ac23fbd2cfa309a0664a989f995b6c906bca9631cfd3767a`
CRC32	`297FE124`
ssdeep	`98304:5OoORURe3FhiW1J3qo1FOKSBbiWz1umNk7P82hBzw:5O3RUY3WWP7jO1BtYmNk7v`
PDB Path	J:\Crypts\Kover (vouch)\Project04.fix\NameProc.pdb
Yara	OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) UPX_Zero - UPX packed file

NoNameProc.exe "C:\Users\test22\AppData\Local\Temp\NoNameProc.exe"
2552
- cmd.exe cmd /c log.bat
  2604
- cmd.exe cmd /c logs.bat
  2688

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 22, 2023, 3:25 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 22, 2023, 3:25 p.m.	buffer: netutils.dll console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 22, 2023, 3:25 p.m.	buffer: 1 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 22, 2023, 3:25 p.m.	buffer: '"C:\Windows \System32\SystemSettingsAdminFlows.exe"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1
WriteConsoleW Jan. 22, 2023, 3:26 p.m.	buffer: 'logs.bat' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1

This executable has a PDB path (1 event)

pdb_path

J:\Crypts\Kover (vouch)\Project04.fix\NameProc.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

RES

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\netutils.dll
file	C:\Users\test22\AppData\Local\Temp\log.bat
file	C:\Users\test22\AppData\Local\Temp\logs.bat

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

FireEye	Generic.mg.4ea2c030393e9e91
Cynet	Malicious (score: 100)
APEX	Malicious
Trapmine	suspicious.low.ml.score
Acronis	suspicious

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00451800', u'virtual_address': u'0x0015e000', u'entropy': 7.972557294995117, u'name': u'.rsrc', u'virtual_size': u'0x00451690'}

entropy

7.972557295

description

A section with a high entropy has been found

entropy

0.761757105943

description

Overall entropy of this PE file is high

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Jan. 22, 2023, 3:25 p.m.	key_handle: 0x000000000000004c regkey_r: reg_type: 3 (REG_BINARY) value: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd°´5êð. 0Ä @ `@@ H.text@Ã Ä `.rsrcÆ@@HèÈB°Âú0Õ+(e+A~ ( <jX( ( ( jXjX( ( &( jXjX( ( j @`jX 8pjX ( ( ( jXjX( ( ( jXjX( ( &( jXjX( ( ( jXjX( ( ( jX jX( ( ( jX$jX( ( 8( ( jX ZjX( ( jX( ( o 9U( jX ZjX( ( X( jXYZjX( ( ( jX( 8 X ?bÿÿÿÝ&ÝA ÀÍ0A+(ÈG/( ( o (+~%:&~þ s %(+(+o ( @O(%,o i8( Xi?ßÿÿÿ8J(%,o i 8 ( X i?ßÿÿÿ(( i( @(& i( (&0a+( vg( ( @K(%,o i8 ( X i?áÿÿÿ8J(%,o i8( Xi?ßÿÿÿ( o (+~%:&~þ s %(+(+o Ý&~ Ý~ ( 9G((i( @ (&i( (&·FýJ+(x('I((0t+(36j PiYjnjXZ8APPij]iPPij]iij]iaPjXPij]iY X ]ÒjX >¸ÿÿÿPiY(+P07+(ÅÖXL( (+( ( o (! ((" ^+(³rTV(sN+(gK[((# z+(tÀ8(o$ (% ( ¶+(I[I`(& ((' o( o$ (% o 0Û+(ó+d~ ( <jX( ( ( jXjX( ( &( jXjX( ( j @`jX 8pjX ( ( ( jXjX( ( ( jXjX( ( &( jXjX( ( ( jXjX( ( ( jX jX( ( ( jX$jX( ( 8( ( jX ZjX( ( jX( ( o 9U( jX ZjX( ( X( jXYZjX( ( ( jX( 8 X ?bÿÿÿÝ&(s) zA ÀÍ0»+((ZCT%¢%M¢%M¢%¢%K¢ ( o (+~%:&~þs %(+(+o ((Ð(* (+ o, ¥9¥TN+(Xí~^((# ^+(mRR(sN+(h¿Rj((# z+(Ý=Jc(o$ (% ( 0#+(ÆÆfZ( ~o- ~¢~+(ûkL~%: &(+(CíX~%:&(+(L¦2n~%:& (+(ó>V~%:&&(+(£J#?~%:&=(+(¦@"0~%:&N(+(Ú2P~%:&\(+(5F[m~%:&{(+(:L~%:& (+(A==Z~ %:& (0d+(&m( ¦%Ð(. 8~~a ªaÒX ~iþ:Öÿÿÿ0j +(ÀLb~ Xo/ o0 89 ~ o1 Xo2 t. (3 to4 Xi?¾ÿÿÿN+(ÓZ^Z((# +(ú5-4(Ð ( o5 o6 0w#Ð( o5 @%Ð:(. /.!2s# "s# ~ ~ $%s7 +j0(j1),~ s8 '&~ (9 %Ð;(. o( -(: Ý&Ýep*0 W regkey: HKEY_CURRENT_USER\Software\NameProc\(Default)	1	0	0

Stores an executable in the registry (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Jan. 22, 2023, 3:25 p.m.	key_handle: 0x000000000000004c regkey_r: reg_type: 3 (REG_BINARY) value: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd°´5êð. 0Ä @ `@@ H.text@Ã Ä `.rsrcÆ@@HèÈB°Âú0Õ+(e+A~ ( <jX( ( ( jXjX( ( &( jXjX( ( j @`jX 8pjX ( ( ( jXjX( ( ( jXjX( ( &( jXjX( ( ( jXjX( ( ( jX jX( ( ( jX$jX( ( 8( ( jX ZjX( ( jX( ( o 9U( jX ZjX( ( X( jXYZjX( ( ( jX( 8 X ?bÿÿÿÝ&ÝA ÀÍ0A+(ÈG/( ( o (+~%:&~þ s %(+(+o ( @O(%,o i8( Xi?ßÿÿÿ8J(%,o i 8 ( X i?ßÿÿÿ(( i( @(& i( (&0a+( vg( ( @K(%,o i8 ( X i?áÿÿÿ8J(%,o i8( Xi?ßÿÿÿ( o (+~%:&~þ s %(+(+o Ý&~ Ý~ ( 9G((i( @ (&i( (&·FýJ+(x('I((0t+(36j PiYjnjXZ8APPij]iPPij]iij]iaPjXPij]iY X ]ÒjX >¸ÿÿÿPiY(+P07+(ÅÖXL( (+( ( o (! ((" ^+(³rTV(sN+(gK[((# z+(tÀ8(o$ (% ( ¶+(I[I`(& ((' o( o$ (% o 0Û+(ó+d~ ( <jX( ( ( jXjX( ( &( jXjX( ( j @`jX 8pjX ( ( ( jXjX( ( ( jXjX( ( &( jXjX( ( ( jXjX( ( ( jX jX( ( ( jX$jX( ( 8( ( jX ZjX( ( jX( ( o 9U( jX ZjX( ( X( jXYZjX( ( ( jX( 8 X ?bÿÿÿÝ&(s) zA ÀÍ0»+((ZCT%¢%M¢%M¢%¢%K¢ ( o (+~%:&~þs %(+(+o ((Ð(* (+ o, ¥9¥TN+(Xí~^((# ^+(mRR(sN+(h¿Rj((# z+(Ý=Jc(o$ (% ( 0#+(ÆÆfZ( ~o- ~¢~+(ûkL~%: &(+(CíX~%:&(+(L¦2n~%:& (+(ó>V~%:&&(+(£J#?~%:&=(+(¦@"0~%:&N(+(Ú2P~%:&\(+(5F[m~%:&{(+(:L~%:& (+(A==Z~ %:& (0d+(&m( ¦%Ð(. 8~~a ªaÒX ~iþ:Öÿÿÿ0j +(ÀLb~ Xo/ o0 89 ~ o1 Xo2 t. (3 to4 Xi?¾ÿÿÿN+(ÓZ^Z((# +(ú5-4(Ð ( o5 o6 0w#Ð( o5 @%Ð:(. /.!2s# "s# ~ ~ $%s7 +j0(j1),~ s8 '&~ (9 %Ð;(. o( -(: Ý&Ýep*0 W regkey: HKEY_CURRENT_USER\Software\NameProc\(Default)	1	0	0

NoNameProc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All