Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 14, 2023, 6:02 p.m.	April 14, 2023, 6:07 p.m.

Size	6.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8c8f6bd95d195dc90693368e807e4044`
SHA256	`26155f8203ad0721338279ddb0bc84c25996a2a52e911a9fee9b3966831a14e7`
CRC32	`85EEEE9A`
ssdeep	`196608:WFFpZbzq0QL7/qYaUln6h3JmyZLxtWEmpe:eF/LQ/qYa0A3J/ZVt`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature IsPE32 - (no description)

74134271465999811757.bin "C:\Users\test22\AppData\Local\Temp\74134271465999811757.bin"
2568
- schtasks.exe /C /create /F /sc minute /mo 5 /tn "Microsoft Windows Performance Recorder{Y8R0B7R3D5-A7Q6R7W6-E0J6H5K4P9}" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Microsoft Windows Performance Recorder\wpr.exe"
  2664
- schtasks.exe /C /Query /XML /TN "Microsoft Windows Performance Recorder{Y8R0B7R3D5-A7Q6R7W6-E0J6H5K4P9}"
  2724

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 14, 2023, 6:02 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 14, 2023, 6:02 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 14, 2023, 6:02 p.m.	buffer: SUCCESS: The scheduled task "Microsoft Windows Performance Recorder{Y8R0B7R3D5-A7Q6R7W6-E0J6H5K4P9}" has successfully been created. console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.lol0
section	.lol1
section	.lol2

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ April 14, 2023, 6:02 p.m.	stacktrace: exception.instruction_r: 90 9c 56 68 31 37 93 54 8b 74 24 00 e8 dc e2 b8 exception.instruction: nop exception.module: 74134271465999811757.bin exception.exception_code: 0x80000004 exception.offset: 8320758 exception.address: 0xbef6f6 registers.esp: 1636216 registers.edi: 0 registers.eax: 2947484310 registers.ebp: 1638240 registers.edx: 42 registers.ebx: 4194304 registers.esi: 0 registers.ecx: 1968898048	1
__exception__ April 14, 2023, 6:02 p.m.	stacktrace: RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2 SdbGetTagFromTagID+0x333 SdbReadDWORDTag-0x1ad apphelp+0x3993 @ 0x73143993 SdbReadWORDTag+0x9b SdbCloseLocalDatabase-0x550 apphelp+0x64f9 @ 0x731464f9 SdbGetNthUserSdb+0x3ef SdbFindFirstStringIndexedTag-0x1fd apphelp+0x77e7 @ 0x731477e7 SdbCloseLocalDatabase+0x380 SdbGetNthUserSdb-0x62f apphelp+0x6dc9 @ 0x73146dc9 SdbCloseLocalDatabase+0x857 SdbGetNthUserSdb-0x158 apphelp+0x72a0 @ 0x731472a0 SdbCloseLocalDatabase+0x7ed SdbGetNthUserSdb-0x1c2 apphelp+0x7236 @ 0x73147236 SdbInitDatabaseEx+0xa28 SdbGetFileInfo-0x57b apphelp+0x5064 @ 0x73145064 SdbGetFileInfo+0x1c1 SdbGetIndex-0x3d9 apphelp+0x57a0 @ 0x731457a0 SdbInitDatabaseEx+0x68c SdbGetFileInfo-0x917 apphelp+0x4cc8 @ 0x73144cc8 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89 exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4 exception.instruction: movzx eax, word ptr [esi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189172 exception.address: 0x76f3e2f4 registers.esp: 1630796 registers.edi: 49 registers.eax: 15309016 registers.ebp: 1630928 registers.edx: 14974144 registers.ebx: 72 registers.esi: 15309024 registers.ecx: 15041456	1
__exception__ April 14, 2023, 6:02 p.m.	stacktrace: RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2 SdbGetTagFromTagID+0x333 SdbReadDWORDTag-0x1ad apphelp+0x3993 @ 0x73143993 SdbReadWORDTag+0x9b SdbCloseLocalDatabase-0x550 apphelp+0x64f9 @ 0x731464f9 SdbGetNthUserSdb+0x3ef SdbFindFirstStringIndexedTag-0x1fd apphelp+0x77e7 @ 0x731477e7 SdbCloseLocalDatabase+0x380 SdbGetNthUserSdb-0x62f apphelp+0x6dc9 @ 0x73146dc9 SdbCloseLocalDatabase+0x857 SdbGetNthUserSdb-0x158 apphelp+0x72a0 @ 0x731472a0 SdbCloseLocalDatabase+0x7ed SdbGetNthUserSdb-0x1c2 apphelp+0x7236 @ 0x73147236 SdbInitDatabaseEx+0xa28 SdbGetFileInfo-0x57b apphelp+0x5064 @ 0x73145064 SdbGetFileInfo+0x1c1 SdbGetIndex-0x3d9 apphelp+0x57a0 @ 0x731457a0 SdbInitDatabaseEx+0x68c SdbGetFileInfo-0x917 apphelp+0x4cc8 @ 0x73144cc8 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89 exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08 exception.instruction: movzx eax, word ptr [esi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 225032 exception.address: 0x76f46f08 registers.esp: 1630796 registers.edi: 72 registers.eax: 15309016 registers.ebp: 1630928 registers.edx: 1968308274 registers.ebx: 49 registers.esi: 15309024 registers.ecx: 15041456	1
__exception__ April 14, 2023, 6:02 p.m.	stacktrace: RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2 SdbGetTagFromTagID+0x333 SdbReadDWORDTag-0x1ad apphelp+0x3993 @ 0x73143993 SdbReadWORDTag+0x9b SdbCloseLocalDatabase-0x550 apphelp+0x64f9 @ 0x731464f9 SdbGetNthUserSdb+0x3ef SdbFindFirstStringIndexedTag-0x1fd apphelp+0x77e7 @ 0x731477e7 SdbCloseLocalDatabase+0x380 SdbGetNthUserSdb-0x62f apphelp+0x6dc9 @ 0x73146dc9 SdbCloseLocalDatabase+0x857 SdbGetNthUserSdb-0x158 apphelp+0x72a0 @ 0x731472a0 SdbCloseLocalDatabase+0x7ed SdbGetNthUserSdb-0x1c2 apphelp+0x7236 @ 0x73147236 SdbInitDatabaseEx+0xa28 SdbGetFileInfo-0x57b apphelp+0x5064 @ 0x73145064 SdbGetFileInfo+0x1c1 SdbGetIndex-0x3d9 apphelp+0x57a0 @ 0x731457a0 SdbInitDatabaseEx+0x68c SdbGetFileInfo-0x917 apphelp+0x4cc8 @ 0x73144cc8 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89 exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08 exception.instruction: movzx eax, word ptr [esi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 225032 exception.address: 0x76f46f08 registers.esp: 1630796 registers.edi: 72 registers.eax: 15309016 registers.ebp: 1630928 registers.edx: 1968308274 registers.ebx: 49 registers.esi: 15309024 registers.ecx: 15041456	1
__exception__ April 14, 2023, 6:02 p.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003 ApphelpCheckRunAppEx+0xd4 SdbGetStringTagPtr-0xb2 apphelp+0x31f7 @ 0x731431f7 SdbFindFirstStringIndexedTag+0x23b SdbMakeIndexKeyFromString-0x1e9 apphelp+0x7c1f @ 0x73147c1f SdbFindFirstStringIndexedTag+0x176 SdbMakeIndexKeyFromString-0x2ae apphelp+0x7b5a @ 0x73147b5a SdbInitDatabaseEx+0x70b SdbGetFileInfo-0x898 apphelp+0x4d47 @ 0x73144d47 ApphelpCreateAppcompatData+0x46b ApphelpCheckRunAppEx-0x1f6 apphelp+0x2f2d @ 0x73142f2d ApphelpCheckRunAppEx+0xa7 SdbGetStringTagPtr-0xdf apphelp+0x31ca @ 0x731431ca BaseCheckRunApp+0x1e4 SearchPathA-0x1bd kernel32+0x29f9f @ 0x755d9f9f BaseCheckRunApp+0x46 SearchPathA-0x35b kernel32+0x29e01 @ 0x755d9e01 BasepCheckBadapp+0x1a1 CheckElevationEnabled-0x64 kernel32+0x230fa @ 0x755d30fa BaseCheckAppcompatCacheEx+0xcdd BasepCheckBadapp-0x16 kernel32+0x22f43 @ 0x755d2f43 CreateProcessInternalW+0x961 BasepFreeAppCompatData-0x7dd kernel32+0x24554 @ 0x755d4554 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x755c1069 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x76f3e39e registers.esp: 1631992 registers.edi: 15070704 registers.eax: 537529613 registers.ebp: 1632044 registers.edx: 15070712 registers.ebx: 15070712 registers.esi: 723607234 registers.ecx: 14942208	1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 14, 2023, 6:02 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 14, 2023, 6:02 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 14, 2023, 6:02 p.m.	thread_identifier: 2668 thread_handle: 0x000000b0 process_identifier: 2664 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 5 /tn "Microsoft Windows Performance Recorder{Y8R0B7R3D5-A7Q6R7W6-E0J6H5K4P9}" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Microsoft Windows Performance Recorder\wpr.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b4	1	1	0
CreateProcessInternalW April 14, 2023, 6:02 p.m.	thread_identifier: 2728 thread_handle: 0x000000b4 process_identifier: 2724 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /Query /XML /TN "Microsoft Windows Performance Recorder{Y8R0B7R3D5-A7Q6R7W6-E0J6H5K4P9}" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000bc	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0060b600', u'virtual_address': u'0x00361000', u'entropy': 7.965406997294971, u'name': u'.lol2', u'virtual_size': u'0x0060b470'}

entropy

7.96540699729

description

A section with a high entropy has been found

entropy

0.998709156918

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 5 /tn "Microsoft Windows Performance Recorder{Y8R0B7R3D5-A7Q6R7W6-E0J6H5K4P9}" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Microsoft Windows Performance Recorder\wpr.exe"

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Lazy.266138
FireEye	Generic.mg.8c8f6bd95d195dc9
McAfee	Artemis!8C8F6BD95D19
Malwarebytes	Trojan.MalPack
VIPRE	Gen:Variant.Lazy.266138
Sangfor	Trojan.Win32.Kryptik.V6gv
K7AntiVirus	Trojan ( 005965831 )
Alibaba	Trojan:Win32/Tasker.be9048d4
K7GW	Trojan ( 005965831 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Kryptik.HRTC
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Tasker.azee
BitDefender	Gen:Variant.Lazy.266138
NANO-Antivirus	Trojan.Win32.Tasker.jvlzmn
Avast	Win32:Evo-gen [Trj]
Emsisoft	Gen:Variant.Lazy.266138 (B)
F-Secure	Heuristic.HEUR/AGEN.1313486
DrWeb	Trojan.MulDrop21.56696
TrendMicro	TROJ_GEN.R002C0DDB23
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1313486
Antiy-AVL	Trojan/Win32.Kryptik
Gridinsoft	Trojan.Heur!.02290021
Arcabit	Trojan.Lazy.D40F9A
ZoneAlarm	Trojan.Win32.Tasker.azee
GData	Gen:Variant.Lazy.266138
Google	Detected
AhnLab-V3	Trojan/Win.ClipBanker.R528972
BitDefenderTheta	Gen:NN.ZexaF.36132.@F0@aSahwPni
ALYac	Gen:Variant.Lazy.266138
MAX	malware (ai score=83)
VBA32	BScope.TrojanPSW.Coins
Cylance	unsafe
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TROJ_GEN.R002C0DDB23
Tencent	Win32.Trojan.Tasker.Itgl
Ikarus	Trojan.Win32.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.FXIU!tr

74134271465999811757.bin

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All