Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 23, 2023, 4:44 p.m.	Oct. 23, 2023, 4:47 p.m.

Size	243.6KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`d88a06a393582a79ab6da48982ec87ae`
SHA256	`b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537`
CRC32	`704613DB`
ssdeep	`3072:KHkVhd52JYWsfVrhbjAY1GSEuywqamd/4bWSHqYubGtHshmRgSPG9oMNLxb:KHkVhd52JdYhbt1GCE2bUwZe+PElNh`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\test22\AppData\Roaming\calc.exe"' & exit
940
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\test22\AppData\Roaming\calc.exe"'
  2180
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmpD675.tmp.bat""
2124
- timeout.exe timeout 3
  2252

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 23, 2023, 4:45 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 23, 2023, 4:46 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW Oct. 23, 2023, 4:45 p.m.	buffer: SUCCESS: The scheduled task "calc" has successfully been created. console_handle: 0x00000007	1	1	0

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\test22\AppData\Roaming\calc.exe"'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\calc.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\calc.exe

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\test22\AppData\Roaming\calc.exe"'

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\test22\AppData\Roaming\calc.exe"'

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZexaE.36738.pu2@aWcQ0kki
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	VHO:Backdoor.Win32.Agent.gen
Avast	PWSX-gen [Trj]
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.d88a06a393582a79
Ikarus	Trojan.Agent
Google	Detected
Kingsoft	malware.kb.a.843
Microsoft	Trojan:Win32/Redline.GNC!MTB
ZoneAlarm	VHO:Backdoor.Win32.Agent.gen
Rising	Trojan.Kryptik!8.8 (TFE:1:0gn1FRnJmKT)
SentinelOne	Static AI - Malicious PE
AVG	PWSX-gen [Trj]
DeepInstinct	MALICIOUS

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2124 resumed a thread in remote process 2316
NtResumeThread Oct. 23, 2023, 4:46 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2316	1	0	0

cbchr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All