Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 13, 2023, 9:48 a.m.	March 13, 2023, 9:51 a.m.

Size	185.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`ef57f8d8a632b8cf2b89021e2a7be68e`
SHA256	`504eeed5061605b464f6dd44aa72d78efaed7d8ec0704d6db6595c977b7dd68a`
CRC32	`89CFE514`
ssdeep	`3072:Lm1ReRExqa3HodDUMTW3FCh3tnigcQnbMbAvmppijpV:kReREl34DhqoJigcpbUpV`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsPE64 - (no description) PE_Header_Zero - PE File Signature

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
1172

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.114.163.134	Active	Moloch
101.43.108.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 13, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 13, 2023, 9:41 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 13, 2023, 9:41 a.m.		1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (10 events)

Time & API	Arguments	Status	Return
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: mobsync.exe process_identifier: 1044	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: wsqmcons.exe process_identifier: 792	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: sdclt.exe process_identifier: 2040	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: cmd.exe process_identifier: 1608	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: SearchProtocolHost.exe process_identifier: 300	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: conhost.exe process_identifier: 1532	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: 1.exe process_identifier: 1172	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: pw.exe process_identifier: 2060	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: schtasks.exe process_identifier: 2096	1	1
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e0 process_name: conhost.exe process_identifier: 2104	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 13, 2023, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 13, 2023, 9:41 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (14 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001e8 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001ec process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001f0 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001f4 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001f8 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x00000000000001fc process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x0000000000000200 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x0000000000000204 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x0000000000000208 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x000000000000020c process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x0000000000000210 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x0000000000000214 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x0000000000000218 process_name: conhost.exe process_identifier: 2104		0	0
Process32NextW March 13, 2023, 9:41 a.m.	snapshot_handle: 0x000000000000021c process_name: conhost.exe process_identifier: 2104		0	0

Communicates with host for which no DNS query was performed (2 events)

host	103.114.163.134
host	101.43.108.14

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.65888220
FireEye	Generic.mg.ef57f8d8a632b8cf
Malwarebytes	Generic.Malware/Suspicious
Sangfor	Trojan.Win32.Agent.Vhcy
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.ECRJPKD
APEX	Malicious
Cynet	Malicious (score: 100)
BitDefender	Trojan.GenericKD.65888220
Avast	Win64:DropperX-gen [Drp]
Rising	Trojan.Undefined!8.1327C (CLOUD)
Emsisoft	Trojan.GenericKD.65888220 (B)
DrWeb	Trojan.ClipSpy.83
McAfee-GW-Edition	BehavesLike.Win64.NetLoader.ch
MAX	malware (ai score=82)
Microsoft	Trojan:Script/Wacatac.H!ml
Arcabit	Trojan.Generic.D3ED5FDC
GData	Trojan.GenericKD.65888220
McAfee	Artemis!EF57F8D8A632
Cylance	unsafe
Fortinet	W32/PossibleThreat
AVG	Win64:DropperX-gen [Drp]

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All