Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 13, 2023, 10:40 p.m.	June 13, 2023, 10:44 p.m.

Size	528.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`da0302e0803f64dcdb60454a87f9bf78`
SHA256	`d5872aec821628ddcdf5276cc043041713dbbf44aeeb34e70158f176613887ec`
CRC32	`0F8DF701`
ssdeep	`12288:M6kit4htKxmmnYZ3oHp5EAUVb8k7BsSJMSA5O71:M6kJtE75XzWQk7BsTN`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

WD.exe "C:\Users\test22\AppData\Local\Temp\WD.exe"
2552
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\jq48URx0CjdH.bat" "
3036
- chcp.com chcp 65001
  1152
- PING.EXE ping -n 10 localhost
  800
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2364

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 13, 2023, 10:41 p.m.			0	0
IsDebuggerPresent June 13, 2023, 10:41 p.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 13, 2023, 10:41 p.m.	buffer: DONT CLOSE THIS WINDOW! console_handle: 0x00000007	1	1
WriteConsoleW June 13, 2023, 10:41 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW June 13, 2023, 10:41 p.m.	buffer: Active code page: 65001 console_handle: 0x00000013	1	1
WriteConsoleA June 13, 2023, 10:41 p.m.	buffer: Microsoft (R) .NET Framework Services Installation Utility Version 4.0.30319.17929 Copyright (C) Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 10:41 p.m.	buffer: USAGE: regsvcs.exe [options] AssemblyName Options: /? or /help Display this usage message. /fc Find or create target application (default). /c Create target application, error if it already exists. /exapp console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 10:41 p.m.	buffer: Expect an existing application. /tlb:<tlbfile> Filename for the exported type library. /appname:<name> Use the specified name for the target application. /parname:<name> Use the specified name or id for the target partition. /e console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 10:41 p.m.	buffer: xtlb Use an existing type library. /reconfig Reconfigure existing target application (default). /noreconfig Don't reconfigure existing target application. /u Uninstall target application. /nologo console_handle: 0x00000007	1	1
WriteConsoleA June 13, 2023, 10:41 p.m.	buffer: Suppress logo output. /quiet Suppress logo output and success output. /componly Configure components only, no methods or interfaces. /appdir:<path> Set application root directory to specified path. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 13, 2023, 10:41 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

CUSTOM

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 13, 2023, 10:40 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:40 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:41 p.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 13, 2023, 10:40 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004d0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007f000', u'virtual_address': u'0x00005000', u'entropy': 7.9887992481080845, u'name': u'.rsrc', u'virtual_size': u'0x0007e0ec'}

entropy

7.98879924811

description

A section with a high entropy has been found

entropy

0.969465648855

description

Overall entropy of this PE file is high

Yara rule detected in process memory (23 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications use DNS	rule	Network_DNS
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 10 localhost
cmdline	chcp 65001

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 13, 2023, 10:40 p.m.	process_identifier: 2604 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000e8	1	0	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 manipulating memory of non-child process 2604
NtUnmapViewOfSection June 13, 2023, 10:40 p.m.	base_address: 0x00400000 region_size: 11534336 process_identifier: 2604 process_handle: 0x000000e8		3221225497	0
NtAllocateVirtualMemory June 13, 2023, 10:40 p.m.	process_identifier: 2604 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000e8	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 called NtSetContextThread to modify thread in remote process 2604
NtSetContextThread June 13, 2023, 10:40 p.m.	registers.eip: 1995571652 registers.esp: 3078504 registers.edi: 0 registers.eax: 4712350 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e0 process_identifier: 2604	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2604
Process injection	Process 3036 resumed a thread in remote process 2364
NtResumeThread June 13, 2023, 10:40 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2604	1	0	0
NtResumeThread June 13, 2023, 10:41 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2364	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
McAfee	Artemis!DA0302E0803F
Sangfor	Suspicious.Win32.Save.vb
K7AntiVirus	EmailWorm ( 003c363a1 )
K7GW	EmailWorm ( 003c363a1 )
Symantec	Packed.Generic.596
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.MSIL.Quasar
Avast	FileRepMalware [Rat]
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Dropper.Gen
McAfee-GW-Edition	BehavesLike.Win32.VBObfus.hc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.da0302e0803f64dc
Avira	TR/Dropper.Gen
Microsoft	Backdoor:MSIL/Quasar.GG!MTB
ZoneAlarm	HEUR:Trojan.Win32.Generic
VBA32	BScope.Trojan.Wacatac
Cylance	unsafe
Rising	Backdoor.Quasar!8.EF2E (CLOUD)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	AI:Packer.7EDDCAF420
AVG	FileRepMalware [Rat]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 13, 2023, 10:40 p.m.	thread_identifier: 2608 thread_handle: 0x000000e0 process_identifier: 2604 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000e8	1	1
NtUnmapViewOfSection June 13, 2023, 10:40 p.m.	base_address: 0x00400000 region_size: 11534336 process_identifier: 2604 process_handle: 0x000000e8		3221225497
NtAllocateVirtualMemory June 13, 2023, 10:40 p.m.	process_identifier: 2604 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000e8	1	0
NtGetContextThread June 13, 2023, 10:40 p.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread June 13, 2023, 10:40 p.m.	registers.eip: 1995571652 registers.esp: 3078504 registers.edi: 0 registers.eax: 4712350 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e0 process_identifier: 2604	1	0
NtResumeThread June 13, 2023, 10:40 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2604	1	0
CreateProcessInternalW June 13, 2023, 10:41 p.m.	thread_identifier: 940 thread_handle: 0x00000088 process_identifier: 1152 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\chcp.com track: 1 command_line: chcp 65001 filepath_r: C:\Windows\system32\chcp.com stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW June 13, 2023, 10:41 p.m.	thread_identifier: 1728 thread_handle: 0x00000088 process_identifier: 800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 10 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW June 13, 2023, 10:41 p.m.	thread_identifier: 2360 thread_handle: 0x00000084 process_identifier: 2364 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread June 13, 2023, 10:41 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2364	1	0
NtResumeThread June 13, 2023, 10:41 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread June 13, 2023, 10:41 p.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread June 13, 2023, 10:41 p.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 2364	1	0

WD.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All