Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 2, 2024, 9:24 p.m.	April 2, 2024, 9:26 p.m.

Size	8.1KB
Type	UTF-8 Unicode text
MD5	`320ba8a05c90a86ea0d048e736768fab`
SHA256	`16f59db4ce1a40d20bfbce268fc2b18441740ab9029740c8f881a80939604994`
CRC32	`46C5BA14`
ssdeep	`192:NUUt819SjijlpLxfD5kfGc/j3qVCNw/2xb9N94k:eUOKjijlpLxfD5kfGcjpEs`
Yara	wget_command - wget command

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "BevMn" "C:\Users\test22\AppData\Local\Temp\16f59db4ce1a40d20bfbce268fc2b18441740ab9029740c8f881a80939604994 (1)"
2564
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\16f59db4ce1a40d20bfbce268fc2b18441740ab9029740c8f881a80939604994 (1)
  2696
  - editplus.exe "editplus.exe"
    2816

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 2, 2024, 9:24 p.m.			0	0
IsDebuggerPresent April 2, 2024, 9:24 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2024, 9:24 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74141000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 2, 2024, 9:24 p.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c2000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 2696
NtResumeThread April 2, 2024, 9:24 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2696	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Script.Miner.a!c
ClamAV	Unix.Downloader.XMRig-10006642-0
ALYac	Trojan.Linux.Downloader.AK
VIPRE	Trojan.Linux.Downloader.AK
Arcabit	Trojan.Linux.Downloader.AK
Symantec	Trojan.Gen.NPE
ESET-NOD32	Linux/TrojanDownloader.SH.BBB
Avast	BV:Downloader-AOX [Drp]
Kaspersky	HEUR:Trojan-Downloader.Shell.Miner.f
BitDefender	Trojan.Linux.Downloader.AK
MicroWorld-eScan	Trojan.Linux.Downloader.AK
Rising	Downloader.Agent/BASH!8.13146 (TOPIS:E0:LkueJGjdNzH)
Emsisoft	Trojan.Linux.Downloader.AK (B)
TrendMicro	Coinminer.SH.MALXMR.SM
FireEye	Trojan.Linux.Downloader.AK
Ikarus	Trojan-Downloader.Linux.Sh
Google	Detected
Microsoft	Trojan:Script/Wacatac.B!ml
ViRobot	HTML.Z.Agent.8305
ZoneAlarm	HEUR:Trojan-Downloader.Shell.Miner.f
GData	Trojan.Linux.Downloader.AK
Varist	Unix/Downldr.J
Tencent	Win32.Trojan-Downloader.Miner.Mjgl
MAX	malware (ai score=83)
AVG	BV:Downloader-AOX [Drp]
alibabacloud	Backdoor:Linux/DestroyService

16f59db4ce1a40d20bfbce268fc2b18441740ab9029740c8f881a80939604994 (1)

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All