Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 10, 2024, 2:15 p.m.	Feb. 10, 2024, 2:21 p.m.

Size	9.9MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`68a70167645fa690aa89281024abacd1`
SHA256	`4835fecbbc2b930aae3834d4610bfde5a8375e7212ec8e68e4ae0b96de4656ce`
CRC32	`ADD4AC3F`
ssdeep	`196608:X7FL0sKYu/PaQL2rB+veqH2AbUEOgvDDJf6Wv/VrxiWmo33gWH2VoCsIAV:HQLKB+GqH2AoEOgv3Jx/VMWrgC2VGI`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

install.exe "C:\Users\test22\AppData\Local\Temp\install.exe"
2552
- install.exe "C:\Users\test22\AppData\Local\Temp\install.exe"
  2720

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 10, 2024, 2:15 p.m.	buffer: Traceback (most recent call last): console_handle: 0x000000000000000b	1	1
WriteConsoleW Feb. 10, 2024, 2:15 p.m.	buffer: File "PyInstaller\loader\pyiboot01_bootstrap.py", line 83, in <module> console_handle: 0x000000000000000b	1	1
WriteConsoleW Feb. 10, 2024, 2:15 p.m.	buffer: File "PyInstaller\loader\pyimod04_pywin32.py", line 47, in install console_handle: 0x000000000000000b	1	1
WriteConsoleW Feb. 10, 2024, 2:15 p.m.	buffer: File "os.py", line 1109, in add_dll_directory console_handle: 0x000000000000000b	1	1
WriteConsoleW Feb. 10, 2024, 2:15 p.m.	buffer: OSError: [WinError 127] 지정된 프로시저를 찾을 수 없습니다: 'C:\\Users\\test22\\AppData\\Local\\Temp\\_MEI25522\\pywin32_system32' console_handle: 0x000000000000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 10, 2024, 2:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Creates executable files on the filesystem (50 out of 54 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\VCRUNTIME140_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\python3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\Pythonwin\mfc140u.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\exe\upx.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\MSVCP140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\exe\registers.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\pywin32_system32\pywintypes38.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\exe\netconn_properties.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\python38.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\pywin32_system32\pythoncom38.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\ucrtbase.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25522\exe\netconn_properties.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI25522\exe\registers.exe

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000f000', u'virtual_address': u'0x00052000', u'entropy': 7.350146321781755, u'name': u'.rsrc', u'virtual_size': u'0x0000ef8c'}

entropy

7.35014632178

description

A section with a high entropy has been found

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Dropper.tc
Cylance	unsafe
VIPRE	Trojan.GenericKD.71576276
BitDefender	Trojan.GenericKD.71576276
Arcabit	Trojan.Generic.D4442AD4
Symantec	Infostealer
APEX	Malicious
McAfee	Artemis!68A70167645F
Avast	FileRepMalware
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Trojan.GenericKD.71576276
Rising	Trojan.Generic@AI.96 (RDML:TmKUkgNlCzJh52zeDfgjjg)
Emsisoft	Trojan.GenericKD.71576276 (B)
FireEye	Trojan.GenericKD.71576276
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Casdet
MAX	malware (ai score=83)
Gridinsoft	Trojan.Win64.Generic.cl
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.71576276
AhnLab-V3	Trojan/Win.Casdet.C5586583
BitDefenderTheta	Gen:NN.ZexaF.36744.dmGfa45MYzpi
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
Fortinet	W32/PossibleThreat
AVG	FileRepMalware

install.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All