Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 4, 2023, 7:08 a.m.	April 4, 2023, 7:12 a.m.

Size	11.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`07c9d25aeb2b712910258043749c7023`
SHA256	`0857cb13e21a082547ebd0f161b5c36be1766a6f16f7d83be06f8bc57dcb760d`
CRC32	`C688FAA7`
ssdeep	`196608:A4CsnpCM7vHSfnc2DRnaLDKfblFg1hPbch25RFEjKE3yTKQqiPb3kFWSF8H:ASnpz7vIc2DqWlYht5RFEjoKQqq3kjFg`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature

main.exe "C:\Users\test22\AppData\Local\Temp\main.exe"
300
- install.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\install.exe"
  2124

Name	Response	Post-Analysis Lookup
ipchanger-fjny.oss-cn-hongkong.aliyuncs.com	A 47.56.33.47	47.56.33.47

IP Address	Status	Action
164.124.101.2	Active	Moloch
47.56.33.47	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49164 47.56.33.47:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G3	C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.oss-cn-hongkong.aliyuncs.com	97:ae:c0:1a:b6:ae:20:61:d3:5f:de:6c:6f:b3:9e:3e:15:5d:08:f3

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Creates executable files on the filesystem (18 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\msvcp100.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\ssleay32.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\run\piaproxy.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\local_check.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libwinpthread-1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\socks5\PiaS5ProxyDivert.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\msvcr100.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\unins000.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libeay32.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libgcc_s_dw2-1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libcurl.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\WebHttp.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\socks5\hxxd.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\PIA_S5_Proxy.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\update000.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\XCGUI.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\install.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\install.exe

Drops an executable to the user AppData folder (18 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\update000.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\run\piaproxy.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libgcc_s_dw2-1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\install.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\unins000.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libcurl.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libeay32.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\ssleay32.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\msvcp100.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\local_check.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\socks5\hxxd.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\XCGUI.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\WebHttp.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\libwinpthread-1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\PIA_S5_Proxy.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\msvcr100.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\Proxy_cata\socks5\PiaS5ProxyDivert.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (37 events)

Time & API	Arguments	Status	Return
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: smss.exe process_identifier: 232	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: csrss.exe process_identifier: 308	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: wininit.exe process_identifier: 344	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: csrss.exe process_identifier: 356	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: services.exe process_identifier: 436	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: lsass.exe process_identifier: 452	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 560	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 636	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 716	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 780	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 824	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 984	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 340	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1888	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 1712	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1688	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 1872	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: wsqmcons.exe process_identifier: 912	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: sdclt.exe process_identifier: 880	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: cmd.exe process_identifier: 1648	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 204	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: SearchFilterHost.exe process_identifier: 316	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 1000	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: main.exe process_identifier: 300	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: schtasks.exe process_identifier: 2080	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 2088	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x0000012c process_name: install.exe process_identifier: 2124	1	1
Process32NextW April 4, 2023, 7:08 a.m.	snapshot_handle: 0x00000254 process_name: process_identifier: 2005743774		0

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Kaspersky	UDS:DangerousObject.Multi.Generic
ZoneAlarm	UDS:DangerousObject.Multi.Generic

Expresses interest in specific running processes (2 events)

process	main.exe
process	install.exe

Queries for potentially installed applications (4 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW April 4, 2023, 7:08 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x02000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy		2
RegOpenKeyExW April 4, 2023, 7:08 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x02000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy		2
RegOpenKeyExW April 4, 2023, 7:08 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy base_handle: 0x80000002 key_handle: 0x00000254 options: 0 access: 0x02000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy	1	0
RegOpenKeyExW April 4, 2023, 7:08 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy base_handle: 0x80000002 key_handle: 0x0000024c options: 0 access: 0x02000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pia S5 Proxy	1	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

main.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All