Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2023, 7:20 p.m.	Dec. 11, 2023, 7:49 p.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3c3a0dc705cffd3f56b4315750c18e37`
SHA256	`0b816572bf56f9824634c826396fc70d1359060665c074ddb8a0f11304837c84`
CRC32	`C4C638B5`
ssdeep	`98304:ptESXVYzCg8+CEUCtEeTnYLOWw3pc4LWc5t:IUVsC4tETpwG4LWcj`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

setup294.exe "C:\Users\test22\AppData\Local\Temp\setup294.exe"
1492
- cmd.exe cmd /c .\Hc.BAT
  2128
  - control.exe "C:\Windows\System32\control.exe" "C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL",
    2244
    - rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL",
      2320
      - rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL",
        2428
        
        rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL",
        2480

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2023, 7:20 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:13 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:20 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:20 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sxdata

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10189000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2320 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10189000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:20 p.m.	process_identifier: 2480 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL
file	C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\Hc.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zS4D5C7FDF\2YItYJ.cpL

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 resumed a thread in remote process 2244
NtResumeThread Dec. 11, 2023, 7:20 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2244	1	0	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Zenpak.a!c
MicroWorld-eScan	Trojan.Generic.34435803
FireEye	Trojan.Generic.34435803
CAT-QuickHeal	Trojandownloader.Fero
Skyhigh	BehavesLike.Win32.Generic.wc
Malwarebytes	Trojan.Dropper.SFX
VIPRE	Trojan.Generic.34435803
Sangfor	Downloader.Win32.Kryptik.V8vv
Alibaba	TrojanDownloader:Win32/Zenpak.17e75bd9
BitDefenderTheta	Gen:NN.ZedlaF.36608.@J8@aCZjzrei
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HVND
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Downloader.Win32.Fero.cpp
BitDefender	Trojan.Generic.34435803
Avast	Win32:BotX-gen [Trj]
Rising	Trojan.Generic@AI.92 (RDML:9IIStJfXOyI51eA9fE8Z/A)
Emsisoft	Trojan.Generic.34435803 (B)
F-Secure	Trojan.TR/AD.Fauppod.bcotg
Zillya	Trojan.DuckTail.Win32.1
TrendMicro	TROJ_GEN.R014C0DL723
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious SFX
Jiangmin	Trojan.MuddyRope.c
Webroot	W32.Trojan.Zenpak
Google	Detected
Avira	HEUR/AGEN.1368653
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Zenpak
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Win32/Zenpak!pz
Gridinsoft	Ransom.Win32.Sabsik.oa!s1
Xcitium	Malware@#2edey65kn8og7
Arcabit	Trojan.Generic.D20D72DB
ZoneAlarm	Trojan-Downloader.Win32.Fero.cpp
GData	Win32.Trojan.Agent.D3P86K
Varist	W32/Kryptik.LCO.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R608689
ALYac	Trojan.Generic.34435803
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014C0DL723
Tencent	Win32.Trojan-Downloader.Fero.Adhl
Ikarus	Trojan.Win32.Zenpak
MaxSecure	Trojan.Malware.221262571.susgen
Fortinet	W32/Kryptik.HUEI!tr
AVG	Win32:BotX-gen [Trj]

setup294.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All