Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 17, 2024, 9:59 a.m.	March 17, 2024, 10:01 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5	`0ec7425d2a0ff149d89db3e0347debe3`
SHA256	`dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78`
CRC32	`70F6BF92`
ssdeep	`24576:3NBIc0OQms+rYW6eRrRBKkuKgt10f+3ggrTmCmclq14:AViYW6+1ck/gte+QMmCmclqO`
PDB Path	d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

1002.exe "C:\Users\test22\AppData\Local\Temp\1002.exe"
2548
- Autopatch.exe "C:\Users\test22\AppData\Local\Temp\Autopatch.exe"
  2908
  - xJX.exe C:\Users\test22\AppData\Local\Temp\xJX.exe
    2992
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\57344034.bat" "
      2088

Name	Response	Post-Analysis Lookup
ddos.dnsnb8.net	A 34.174.61.199	34.174.61.199

IP Address	Status	Action
104.21.84.71	Active	Moloch
104.21.92.190	Active	Moloch
172.67.75.166	Active	Moloch
164.124.101.2	Active	Moloch
34.174.61.199	Active	Moloch
51.222.173.101	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\xJX.exe" console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\xJX.exe" console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: goto console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: :DELFILE console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\57344034.bat" console_handle: 0x00000007	1	1
WriteConsoleW March 14, 2024, 7:39 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

This executable has a PDB path (1 event)

pdb_path

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 14, 2024, 7:39 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73394000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73394000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72781000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 14, 2024, 7:39 a.m.	process_identifier: 2992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72771000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (32 events)

file	C:\Python27\Lib\distutils\command\wininst-7.1.exe
file	C:\Users\test22\AppData\Local\Temp\2D191F12.exe
file	C:\tmptqb9ww\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file	C:\Users\test22\AppData\Local\Temp\70672659.exe
file	C:\tmpuvzci8\bin\execsc.exe
file	C:\Users\test22\AppData\Local\Temp\xJX.exe
file	C:\Users\test22\AppData\Local\Temp\57344034.bat
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Python27\Lib\distutils\command\wininst-6.0.exe
file	C:\Users\test22\AppData\Local\Temp\5DBA14E5.exe
file	C:\util\pafish.exe
file	C:\Python27\Lib\distutils\command\wininst-9.0.exe
file	C:\Python27\Lib\site-packages\setuptools\cli.exe
file	C:\Program Files\7-Zip\Uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\AutoPatch.exe
file	C:\Users\test22\AppData\Local\Temp\16386D56.exe
file	C:\Python27\Lib\site-packages\setuptools\gui-32.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Users\test22\AppData\Local\Temp\7C8E631C.exe
file	C:\Users\test22\AppData\Local\Temp\69E151A8.exe
file	C:\tmpuvzci8\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\tmptqb9ww\bin\execsc.exe
file	C:\tmpuvzci8\bin\is32bit.exe
file	C:\tmptqb9ww\bin\is32bit.exe
file	C:\Python27\Lib\distutils\command\wininst-8.0.exe
file	C:\Users\test22\AppData\Local\Temp\0CE1649C.exe
file	C:\Users\test22\AppData\Local\Temp\1F8E7610.exe
file	C:\Python27\Lib\site-packages\setuptools\gui.exe
file	C:\Users\test22\AppData\Local\Temp\44B863DC.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\57344034.bat

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\AutoPatch.exe
file	C:\Users\test22\AppData\Local\Temp\xJX.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 14, 2024, 7:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\57344034.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\57344034.bat	1	1	0

Yara rule detected in process memory (12 events)

description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (4 events)

host	104.21.84.71
host	104.21.92.190
host	172.67.75.166
host	51.222.173.101

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\57344034.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2908
NtResumeThread March 14, 2024, 7:39 a.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2908	1	0	0

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.Common.B146B5A5
Lionic	Virus.Win32.Nimnul.n!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKD.71950533
Cylance	unsafe
VIPRE	Trojan.GenericKD.71950533
Sangfor	Virus.Win32.Wapomi.V6g6
K7AntiVirus	Virus ( 0040f7441 )
BitDefender	Trojan.GenericKD.71950533
K7GW	Virus ( 0040f7441 )
Cybereason	malicious.d2a0ff
Arcabit	Trojan.Generic.D449E0C5
Baidu	Win32.Virus.Otwycal.d
VirIT	Trojan.Win32.Generic.BDFY
Symantec	Trojan.Gen.6
ESET-NOD32	Win32/Wapomi.BA
APEX	Malicious
McAfee	Artemis!0EC7425D2A0F
Avast	Other:Malware-gen [Trj]
ClamAV	Win.Malware.Wapomi-10020301-0
Kaspersky	Virus.Win32.Nimnul.f
Alibaba	Trojan:Win32/Mikcer.35a
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
MicroWorld-eScan	Trojan.GenericKD.71950533
Rising	Virus.Roue!1.9E10 (CLASSIC)
Emsisoft	Trojan.GenericKD.71950533 (B)
F-Secure	Malware.W32/Jadtre.B
DrWeb	BackDoor.Darkshell.246
Zillya	Virus.Nimnul.Win32.5
TrendMicro	PE_WAPOMI.BM
Trapmine	malicious.moderate.ml.score
FireEye	Trojan.GenericKD.71950533
Sophos	Mal/Generic-S
Ikarus	Virus.Win32.Wapomi
Jiangmin	Win32/Nimnul.f
Webroot	W32.Malware.Gen
Google	Detected
Avira	W32/Jadtre.D
MAX	malware (ai score=83)
Antiy-AVL	Virus/Win32.Nimnul.f
Kingsoft	Win32.Infected.AutoInfector.a
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Xcitium	Malware@#3xt3jdo1ojsb
Microsoft	Virus:Win32/Mikcer.B
ZoneAlarm	Virus.Win32.Nimnul.f
GData	Win32.Virus.Wapomi.A
Varist	W32/PatchLoad.E
BitDefenderTheta	AI:FileInfector.991137D00F
DeepInstinct	MALICIOUS

1002.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All