Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 19, 2023, 2:07 p.m.	Feb. 19, 2023, 2:15 p.m.

Size	6.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`34e8a1e9b59e98a53c0021c0d5042b69`
SHA256	`725914e9d2640f4841b454bd652df29d25a17524eb2ea1868a1f8445af22a500`
CRC32	`0EC35A07`
ssdeep	`98304:BE3bhhOPV1ciYh1W/p/Rup38nMFfdlTD38/050VX7Mei/2bS:2Qd1ciWI/p/Rup38MrZDH50x7M//QS`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

57120045430889059520.bin "C:\Users\test22\AppData\Local\Temp\57120045430889059520.bin"
2636
- schtasks.exe /C /create /F /sc minute /mo 5 /tn "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Microsoft Sync Center\mobsync.exe"
  2736
- schtasks.exe /C /Query /XML /TN "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}"
  2796

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 19, 2023, 2:07 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Feb. 19, 2023, 2:07 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Feb. 19, 2023, 2:07 p.m.	buffer: SUCCESS: The scheduled task "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}" has successfully been created. console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.gog0
section	.gog1
section	.gog2

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Feb. 19, 2023, 2:07 p.m.	stacktrace: exception.instruction_r: 90 55 bd 25 1c b0 42 9c 81 f5 4d 77 6e 2d f7 d5 exception.instruction: nop exception.module: 57120045430889059520.bin exception.exception_code: 0x80000004 exception.offset: 8476068 exception.address: 0xc155a4 registers.esp: 1636216 registers.edi: 0 registers.eax: 1893328562 registers.ebp: 1638240 registers.edx: 43 registers.ebx: 4194304 registers.esi: 0 registers.ecx: 1968898048	1
__exception__ Feb. 19, 2023, 2:07 p.m.	stacktrace: RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2 SdbGetTagFromTagID+0x333 SdbReadDWORDTag-0x1ad apphelp+0x3993 @ 0x73143993 SdbReadWORDTag+0x9b SdbCloseLocalDatabase-0x550 apphelp+0x64f9 @ 0x731464f9 SdbGetNthUserSdb+0x3ef SdbFindFirstStringIndexedTag-0x1fd apphelp+0x77e7 @ 0x731477e7 SdbCloseLocalDatabase+0x380 SdbGetNthUserSdb-0x62f apphelp+0x6dc9 @ 0x73146dc9 SdbCloseLocalDatabase+0x857 SdbGetNthUserSdb-0x158 apphelp+0x72a0 @ 0x731472a0 SdbCloseLocalDatabase+0x7ed SdbGetNthUserSdb-0x1c2 apphelp+0x7236 @ 0x73147236 SdbInitDatabaseEx+0xa28 SdbGetFileInfo-0x57b apphelp+0x5064 @ 0x73145064 SdbGetFileInfo+0x1c1 SdbGetIndex-0x3d9 apphelp+0x57a0 @ 0x731457a0 SdbInitDatabaseEx+0x68c SdbGetFileInfo-0x917 apphelp+0x4cc8 @ 0x73144cc8 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89 exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4 exception.instruction: movzx eax, word ptr [esi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189172 exception.address: 0x76f3e2f4 registers.esp: 1630796 registers.edi: 49 registers.eax: 15375080 registers.ebp: 1630928 registers.edx: 15039680 registers.ebx: 73 registers.esi: 15375088 registers.ecx: 15106992	1
__exception__ Feb. 19, 2023, 2:07 p.m.	stacktrace: RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2 SdbGetTagFromTagID+0x333 SdbReadDWORDTag-0x1ad apphelp+0x3993 @ 0x73143993 SdbReadWORDTag+0x9b SdbCloseLocalDatabase-0x550 apphelp+0x64f9 @ 0x731464f9 SdbGetNthUserSdb+0x3ef SdbFindFirstStringIndexedTag-0x1fd apphelp+0x77e7 @ 0x731477e7 SdbCloseLocalDatabase+0x380 SdbGetNthUserSdb-0x62f apphelp+0x6dc9 @ 0x73146dc9 SdbCloseLocalDatabase+0x857 SdbGetNthUserSdb-0x158 apphelp+0x72a0 @ 0x731472a0 SdbCloseLocalDatabase+0x7ed SdbGetNthUserSdb-0x1c2 apphelp+0x7236 @ 0x73147236 SdbInitDatabaseEx+0xa28 SdbGetFileInfo-0x57b apphelp+0x5064 @ 0x73145064 SdbGetFileInfo+0x1c1 SdbGetIndex-0x3d9 apphelp+0x57a0 @ 0x731457a0 SdbInitDatabaseEx+0x68c SdbGetFileInfo-0x917 apphelp+0x4cc8 @ 0x73144cc8 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89 exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08 exception.instruction: movzx eax, word ptr [esi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 225032 exception.address: 0x76f46f08 registers.esp: 1630796 registers.edi: 73 registers.eax: 15375080 registers.ebp: 1630928 registers.edx: 1968308274 registers.ebx: 49 registers.esi: 15375088 registers.ecx: 15106992	1
__exception__ Feb. 19, 2023, 2:07 p.m.	stacktrace: RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2 SdbGetTagFromTagID+0x333 SdbReadDWORDTag-0x1ad apphelp+0x3993 @ 0x73143993 SdbReadWORDTag+0x9b SdbCloseLocalDatabase-0x550 apphelp+0x64f9 @ 0x731464f9 SdbGetNthUserSdb+0x3ef SdbFindFirstStringIndexedTag-0x1fd apphelp+0x77e7 @ 0x731477e7 SdbCloseLocalDatabase+0x380 SdbGetNthUserSdb-0x62f apphelp+0x6dc9 @ 0x73146dc9 SdbCloseLocalDatabase+0x857 SdbGetNthUserSdb-0x158 apphelp+0x72a0 @ 0x731472a0 SdbCloseLocalDatabase+0x7ed SdbGetNthUserSdb-0x1c2 apphelp+0x7236 @ 0x73147236 SdbInitDatabaseEx+0xa28 SdbGetFileInfo-0x57b apphelp+0x5064 @ 0x73145064 SdbGetFileInfo+0x1c1 SdbGetIndex-0x3d9 apphelp+0x57a0 @ 0x731457a0 SdbInitDatabaseEx+0x68c SdbGetFileInfo-0x917 apphelp+0x4cc8 @ 0x73144cc8 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89 exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08 exception.instruction: movzx eax, word ptr [esi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 225032 exception.address: 0x76f46f08 registers.esp: 1630796 registers.edi: 73 registers.eax: 15375080 registers.ebp: 1630928 registers.edx: 1968308274 registers.ebx: 49 registers.esi: 15375088 registers.ecx: 15106992	1
__exception__ Feb. 19, 2023, 2:07 p.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003 ApphelpCheckRunAppEx+0xd4 SdbGetStringTagPtr-0xb2 apphelp+0x31f7 @ 0x731431f7 SdbFindFirstStringIndexedTag+0x23b SdbMakeIndexKeyFromString-0x1e9 apphelp+0x7c1f @ 0x73147c1f SdbFindFirstStringIndexedTag+0x176 SdbMakeIndexKeyFromString-0x2ae apphelp+0x7b5a @ 0x73147b5a SdbInitDatabaseEx+0x70b SdbGetFileInfo-0x898 apphelp+0x4d47 @ 0x73144d47 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x76f3e39e registers.esp: 1631992 registers.edi: 15136768 registers.eax: 537529613 registers.ebp: 1632044 registers.edx: 15136776 registers.ebx: 15136776 registers.esi: 660376144 registers.ecx: 15007744	1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 19, 2023, 2:07 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Feb. 19, 2023, 2:07 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Feb. 19, 2023, 2:07 p.m.	thread_identifier: 2740 thread_handle: 0x000000b0 process_identifier: 2736 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 5 /tn "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Microsoft Sync Center\mobsync.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b4	1	1	0
CreateProcessInternalW Feb. 19, 2023, 2:07 p.m.	thread_identifier: 2800 thread_handle: 0x000000b4 process_identifier: 2796 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /Query /XML /TN "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000bc	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00606000', u'virtual_address': u'0x00360000', u'entropy': 7.9614769042546465, u'name': u'.gog2', u'virtual_size': u'0x00605e40'}

entropy

7.96147690425

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00011000', u'virtual_address': u'0x00966000', u'entropy': 7.351164191954836, u'name': u'.rsrc', u'virtual_size': u'0x00010f51'}

entropy

7.35116419195

description

A section with a high entropy has been found

entropy

0.999839666506

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 5 /tn "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Microsoft Sync Center\mobsync.exe"

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	/C /create /F /sc minute /mo 5 /tn "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Microsoft Sync Center\mobsync.exe"
cmdline	/C /Query /XML /TN "Microsoft Sync Center{G5H6S3D2V6C7-N4M5X6V3-M3X5S6G7D3}"

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Tasker.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Lazy.266138
FireEye	Generic.mg.34e8a1e9b59e98a5
ALYac	Gen:Variant.Lazy.266138
Malwarebytes	Trojan.ClipBanker
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005965831 )
Alibaba	Trojan:Win32/Tasker.18ce9e8f
K7GW	Trojan ( 005965831 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Lazy.D40F9A
BitDefenderTheta	Gen:NN.ZexaF.36276.@F0@aSPFLRgi
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HRTC
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Tasker.ayxi
BitDefender	Gen:Variant.Lazy.266138
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan.Tasker.Kqil
Emsisoft	Gen:Variant.Lazy.266138 (B)
VIPRE	Gen:Variant.Lazy.266138
McAfee-GW-Edition	BehavesLike.Win32.Injector.vc
Trapmine	malicious.high.ml.score
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1253288
Antiy-AVL	Trojan/Win32.Kryptik
Gridinsoft	Trojan.Heur!.02290021
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Lazy.266138
AhnLab-V3	Trojan/Win.ClipBanker.R528972
Acronis	suspicious
McAfee	Artemis!34E8A1E9B59E
MAX	malware (ai score=84)
VBA32	BScope.TrojanPSW.Coins
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CBI23
Rising	Trojan.Kryptik!8.8 (TFE:5:o8wrBs1QCtE)
Fortinet	W32/Kryptik.FXIU!tr
AVG	Win32:Evo-gen [Trj]
Cybereason	malicious.c5d11f

57120045430889059520.bin

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All