Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 8, 2023, 9:17 a.m.	May 8, 2023, 9:27 a.m.

Size	2.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`dc159d07b8cdde55acebc57c1ca08e45`
SHA256	`70f051b880fe4c1ba666269ebc42be586904c8147d42355dc33fd0ad82b0a03f`
CRC32	`9C85DF6C`
ssdeep	`24576:TKgCA7Bl3nbpmdT2neHo4Y/fqfbePDDxYqJBUSbz9DuPyQjkbsGMV9Tq:O5A7BJbH7JTxXJeSbz9xQjXLVl`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check mzp_file_format - MZP(Delphi) file format IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 8, 2023, 9:17 a.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 8, 2023, 9:17 a.m.	buffer: ERROR: The process "cliconfg.exe" not found. console_handle: 0x0000000b	1	1	0

section	.itext
section	.didata

packer

BobSoft Mini Delphi -> BoB / BobSoft

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 8, 2023, 9:17 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 8, 2023, 9:17 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

cmdline	cmd.exe /c taskkill /IM cliconfg.exe /F
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /IM cliconfg.exe /F

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cliconfg.exe")

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 8, 2023, 9:17 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c taskkill /IM cliconfg.exe /F filepath: cmd.exe	1	1	0

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 8, 2023, 9:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 8, 2023, 9:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

cmdline	cmd.exe /c taskkill /IM cliconfg.exe /F
cmdline	taskkill /IM cliconfg.exe /F
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /IM cliconfg.exe /F

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Trojan.GenericKD.66896459
ClamAV	Win.Trojan.RMS-9870689-1
McAfee	Artemis!DC159D07B8CD
Sangfor	Trojan.Win32.Agent.Vwjn
Cybereason	malicious.7b8cdd
APEX	Malicious
Paloalto	generic.ml
BitDefender	Trojan.GenericKD.66896459
Emsisoft	Trojan.GenericKD.66896459 (B)
VIPRE	Trojan.GenericKD.66896459
McAfee-GW-Edition	BehavesLike.Win32.BadFile.vh
FireEye	Trojan.GenericKD.66896459
GData	Trojan.GenericKD.66896459
Arcabit	Trojan.Generic.D3FCC24B
Google	Detected
BitDefenderTheta	Gen:NN.ZelphiF.36196.zU0@amCYCibi
MAX	malware (ai score=88)
Malwarebytes	Generic.Trojan.Malicious.DDS
Rising	Trojan.Generic@AI.92 (RDML:13w1+JJZKC18sLNW93tFsw)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
DeepInstinct	MALICIOUS
CrowdStrike	win/grayware_confidence_60% (D)

rmns.exe