Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 6, 2023, 4:05 p.m.	Sept. 6, 2023, 4:05 p.m.

Size	3.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a51fb67b5c13bb54aeb6126c2cadc61b`
SHA256	`2cfa8e8aaadb6372a5cad4814785bb581fe0cf0487a5ec67aa0b39f99a575623`
CRC32	`B58B5454`
ssdeep	`24576:wbLgdeQhfdmMSirYbcMNgef0QeQ4kRiwDnz9cEA5yYSZxN0P:wnjQqMSPbcBVQeRkRiwt/Zx+P`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

2cfa8e8aaadb6372a5cad4814785bb581fe0cf0487a5ec67aa0b39f99a575623.exe "C:\Users\test22\AppData\Local\Temp\2cfa8e8aaadb6372a5cad4814785bb581fe0cf0487a5ec67aa0b39f99a575623.exe"
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
122.117.253.66	Active	Moloch
147.222.227.93	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

Creates executable files on the filesystem (1 event)

file	C:\Windows\tasksche.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 6, 2023, 4:05 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d4 filepath: C:\Windows\tasksche.exe desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\WINDOWS\tasksche.exe create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Sept. 6, 2023, 4:05 p.m.	service_start_name: start_type: 2 password: display_name: Microsoft Security Center (2.0) Service filepath: C:\Users\test22\AppData\Local\Temp\2cfa8e8aaadb6372a5cad4814785bb581fe0cf0487a5ec67aa0b39f99a575623.exe -m security service_name: mssecsvc2.0 filepath_r: C:\Users\test22\AppData\Local\Temp\2cfa8e8aaadb6372a5cad4814785bb581fe0cf0487a5ec67aa0b39f99a575623.exe -m security desired_access: 983551 service_handle: 0x00b50dd0 error_control: 1 service_type: 16 service_manager_handle: 0x00b50df8	1	11865552	0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 6, 2023, 4:05 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\WINDOWS\tasksche.exe /i filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000		0	0

Communicates with host for which no DNS query was performed (2 events)

host	122.117.253.66
host	147.222.227.93

Installs itself for autorun at Windows startup (1 event)

service_name

mssecsvc2.0

service_path

C:\Users\test22\AppData\Local\Temp\2cfa8e8aaadb6372a5cad4814785bb581fe0cf0487a5ec67aa0b39f99a575623.exe -m security

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.VBKryjetorTAAE.Trojan
Lionic	Trojan.Win32.Wanna.toNz
DrWeb	Trojan.Encoder.11432
MicroWorld-eScan	Trojan.Ransom.WannaCryptor.H
FireEye	Generic.mg.a51fb67b5c13bb54
CAT-QuickHeal	Ransomware.WannaCry.IRG1
McAfee	Ransom-WannaCry!A51FB67B5C13
Cylance	unsafe
Zillya	Trojan.WannaCry.Win32.1
Sangfor	Ransom.Win32.Wannacrypt_0.se2
K7AntiVirus	Exploit ( 0050d7a31 )
Alibaba	Ransom:Win32/WannaCry.1
K7GW	Exploit ( 0050d7a31 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Ransom.WannaCryptor.H
BitDefenderTheta	AI:Packer.880F56B21F
VirIT	Trojan.Win32.WannaCry.K
Cyren	W32/WannaCrypt.E.gen!Eldorado
Symantec	Ransom.Wannacry
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Exploit.CVE-2017-0147.A
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Ransomware.Wanna-9769986-0
Kaspersky	Trojan-Ransom.Win32.Wanna.m
BitDefender	Trojan.Ransom.WannaCryptor.H
NANO-Antivirus	Trojan.Win32.Wanna.eovgam
SUPERAntiSpyware	Ransom.WannaCrypt/Variant
Avast	Sf:WNCryLdr-A [Trj]
Tencent	Malware.Win32.Gencirc.10b09f71
TACHYON	Ransom/W32.WannaCry.Zen
Emsisoft	Trojan.Ransom.WannaCryptor.H (B)
F-Secure	Trojan:W32/WannaCry.D
Baidu	Win32.Worm.Rbot.a
VIPRE	Trojan.Ransom.WannaCryptor.H
TrendMicro	Ransom_WCRY.SM2
McAfee-GW-Edition	BehavesLike.Win32.RansomWannaCry.wm
Trapmine	malicious.high.ml.score
Sophos	Mal/Wanna-A
Ikarus	Trojan-Ransom.WannaCry
Jiangmin	Trojan.WanaCry.i
Webroot	W32.Ransom.Wannacry
Avira	TR/Ransom.Gen
Antiy-AVL	Trojan[Ransom]/Win32.Scatter
Gridinsoft	Malware.Win32.Gen.bot!se30058
Xcitium	TrojWare.Win32.WannaCry.jet@714um4
Microsoft	Ransom:Win32/WannaCrypt.H
ViRobot	Trojan.Win32.WannaCry.3723264.A
ZoneAlarm	Trojan-Ransom.Win32.Wanna.m
GData	Win32.Trojan-Ransom.WannaCry.D

2cfa8e8aaadb6372a5cad4814785bb581fe0cf0487a5ec67aa0b39f99a575623

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All