Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 8, 2023, 1:59 p.m.	July 8, 2023, 2:05 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c3baac987bee5800b92b7e2d6d42db1a`
SHA256	`c6d4d7017e73509ff2023cbe9420d933868afa169eb47aa89711fc758bd9fd18`
CRC32	`F1F3ECF6`
ssdeep	`24576:NBNlNZ6OLlgJA60l+dgrRUiZY1dpjYjHZBzAUajpRBr46oIiVhX:zNlNZ6cgJA5ag46j5BzgZ5CX`
PDB Path	wextract.pdb
Yara	CAB_file_format - CAB archive file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet IsPE32 - (no description)

Aas.EXE "C:\Users\test22\AppData\Local\Temp\Aas.EXE"
1648
- AMD.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\AMD.exe
  2116
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c reg.exe import add.txt
    2188
    - cmd.exe cmd /c timeout 1
      2248
      - timeout.exe timeout 1
        2292
    - cmd.exe cmd /c reg.exe import add.txt
      2384
      - reg.exe reg.exe import add.txt
        2428
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c C:\Windows\SysWOW64\rundll32.exe /sta {39980D1E-8C57-42CA-BFBA-2B1DBEDF00F0} 오후 6:19:23
    2476
    - cmd.exe cmd /c timeout 1
      2572
      - timeout.exe timeout 1
        2616
    - cmd.exe cmd /c C:\Windows\SysWOW64\rundll32.exe /sta {39980D1E-8C57-42CA-BFBA-2B1DBEDF00F0} 오후 6:19:23
      2660
      - rundll32.exe C:\Windows\SysWOW64\rundll32.exe /sta {39980D1E-8C57-42CA-BFBA-2B1DBEDF00F0} 오후 6:19:23
        2712

Name	Response	Post-Analysis Lookup
fkswxfc.com	A 45.74.19.119	45.74.19.119

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.74.19.119	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2023, 1:59 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 8, 2023, 1:59 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636768 registers.edi: 1636956 registers.eax: 1636768 registers.ebp: 1636848 registers.edx: 0 registers.ebx: 8602080 registers.esi: 1636956 registers.ecx: 2	1	0	0
__exception__ July 8, 2023, 1:59 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1634816 registers.edi: 8602080 registers.eax: 1634816 registers.ebp: 1634896 registers.edx: 0 registers.ebx: 8602080 registers.esi: 8602080 registers.ecx: 2	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74571000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74431000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW July 8, 2023, 1:59 p.m.	number_of_free_clusters: 2425629 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW July 8, 2023, 1:59 p.m.	number_of_free_clusters: 2425629 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n1.ocx
file	C:\Users\test22\AppData\Roaming\Nvidia\Core.ocx
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n2.ocx
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\AMD.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c reg.exe import add.txt
cmdline	"C:\Windows\System32\cmd.exe" /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c C:\Windows\SysWOW64\rundll32.exe /sta {39980D1E-8C57-42CA-BFBA-2B1DBEDF00F0} 오후 6:19:23

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Roaming\Nvidia\Core.ocx
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\AMD.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n2.ocx
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\n1.ocx

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 8, 2023, 1:59 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c reg.exe import add.txt filepath: cmd	1	1	0
ShellExecuteExW July 8, 2023, 1:59 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c C:\Windows\SysWOW64\rundll32.exe /sta {39980D1E-8C57-42CA-BFBA-2B1DBEDF00F0} 오후 6:19:23 filepath: cmd	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x006f0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00146000', u'virtual_address': u'0x0000d000', u'entropy': 7.7806335914796625, u'name': u'.rsrc', u'virtual_size': u'0x00145e8c'}

entropy

7.78063359148

description

A section with a high entropy has been found

entropy

0.970599181243

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c reg.exe import add.txt
cmdline	cmd /c reg.exe import add.txt
cmdline	cmd /c cd C:\Users\test22\AppData\Roaming\Nvidia&&cmd /c timeout 1&&cmd /c reg.exe import add.txt
cmdline	reg.exe import add.txt

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0				reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Logintech_000001				reg_value	C:\Windows\SysWOW64\rundll32.exe /sta {39980D1E-8C57-42CA-BFBA-2B1DBEDF00F0} "Keyboard"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\AMD.exe

Executes one or more WMI queries (1 event)

wmi	Select * from AntiVirusProduct

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetectMalware
FireEye	Generic.mg.c3baac987bee5800
McAfee	Artemis!C3BAAC987BEE
Malwarebytes	Malware.AI.1989220308
Sangfor	Trojan.Win32.Agent.Vxo4
Cybereason	malicious.a453cb
Cyren	W32/Kryptik.AUI.gen!Eldorado
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Malware-gen
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Trapmine	malicious.high.ml.score
Antiy-AVL	Trojan/Win32.SGeneric
Google	Detected
VBA32	BScope.Trojan.Wacatac
Cylance	unsafe
Rising	Trojan.Injector!8.C4 (CLOUD)
Fortinet	Malicious_Behavior.SB
AVG	Win32:Malware-gen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_60% (W)

Aas.EXE

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All