Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 18, 2024, 4:32 p.m.	April 18, 2024, 4:35 p.m.

Size	2.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ba7445dd6438c2097c1c5b2ce173c064`
SHA256	`4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768`
CRC32	`DD5BB667`
ssdeep	`49152:zgwRBNhWLwbYdMsr37tl5oaSeaduub9vdcOMigvOQowQEJHQJPT5NuEj3uWNtiT:zgwRBNhmwbirt02q1r4PFJwJ1fjeWNk`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

install_new.exe "C:\Users\test22\AppData\Local\Temp\install_new.exe"
2568
- cmd.exe cmd /c ""C:\Program Files (x86)\GameServerClient\install.bat" "
  2680
  - sc.exe Sc delete GameServerClient
    2752
  - GameService.exe GameService remove GameServerClient confirm
    2800
  - GameService.exe GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameClient.exe"
    2848
  - GameService.exe GameService start GameServerClient
    2896
- cmd.exe cmd /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
  3056
  - sc.exe Sc delete GameServerClientC
    2080
  - GameService.exe GameService remove GameServerClientC confirm
    2100
  - GameService.exe GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameClientC.exe"
    2164
  - GameService.exe GameService start GameServerClientC
    2216
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd" "
  2504

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
194.116.172.72	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 18, 2024, 4:32 p.m.			0	0

Command line console output was observed (50 out of 256 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: C console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: a console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: n console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: t console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: o console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: p console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: e console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: n console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: s console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: e console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: r console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: v console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: i console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: c console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: e console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: O console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: p console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: e console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: n console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: S console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: e console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: r console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: v console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: i console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: c console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: e console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 지 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 정 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 된 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 서 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 비 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 스 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 가 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 설 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 치 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 된 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 서 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 비 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 스 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 로 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 는 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 없 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 습 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 니 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: 다 console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: S console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: e console_handle: 0x0000000f	1	1
WriteConsoleW April 18, 2024, 4:32 p.m.	buffer: r console_handle: 0x0000000f	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 18, 2024, 4:32 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 18, 2024, 4:32 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 18, 2024, 4:32 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13319548928 root_path: C:\Program Files (x86)\GameServerClient total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (6 events)

file	C:\Program Files (x86)\GameServerClient\install.bat
file	C:\Program Files (x86)\GameServerClient\installc.bat
file	C:\Program Files (x86)\GameServerClient\GameClient.exe
file	C:\Program Files (x86)\GameServerClient\GameClientC.exe
file	C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd
file	C:\Program Files (x86)\GameServerClient\GameService.exe

Creates a service (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW April 18, 2024, 4:32 p.m.	service_start_name: start_type: 2 password: display_name: GameServerClient filepath: C:\Program Files (x86)\GameServerClient\GameService.exe service_name: GameServerClient filepath_r: C:\Program Files (x86)\GameServerClient\GameService.exe desired_access: 983551 service_handle: 0x00857438 error_control: 1 service_type: 16 service_manager_handle: 0x008574d8	1	8746040	0
CreateServiceW April 18, 2024, 4:32 p.m.	service_start_name: start_type: 2 password: display_name: GameServerClientC filepath: C:\Program Files (x86)\GameServerClient\GameService.exe service_name: GameServerClientC filepath_r: C:\Program Files (x86)\GameServerClient\GameService.exe desired_access: 983551 service_handle: 0x002f7450 error_control: 1 service_type: 16 service_manager_handle: 0x002f74f0	1	3109968	0

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd
file	C:\Program Files (x86)\GameServerClient\GameService.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\install_new.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 18, 2024, 4:32 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd parameters: filepath: C:\Users\test22\AppData\Local\Temp\7ZSfx000.cmd	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	Sc delete GameServerClient
cmdline	Sc delete GameServerClientC

Communicates with host for which no DNS query was performed (1 event)

host

194.116.172.72

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusW April 18, 2024, 4:32 p.m.	service_handle: 0x003173c0 service_type: 59 service_status: 3		0	0

Installs itself for autorun at Windows startup (2 events)

service_name	GameServerClient				service_path	C:\Program Files (x86)\GameServerClient\GameService.exe
service_name	GameServerClientC				service_path	C:\Program Files (x86)\GameServerClient\GameService.exe

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
ALYac	Trojan.GenericKD.72398061
Cylance	unsafe
VIPRE	Trojan.GenericKD.72398061
Sangfor	Trojan.Win32.Agent.V3e4
CrowdStrike	win/grayware_confidence_70% (W)
BitDefender	Trojan.GenericKD.72398061
Arcabit	Trojan.Generic.D450B4ED
Symantec	Trojan.Gen.MBT
MicroWorld-eScan	Trojan.GenericKD.72398061
Rising	HackTool.NSSM!1.CABB (CLASSIC)
Emsisoft	Trojan.GenericKD.72398061 (B)
DrWeb	Tool.Nssm.5
TrendMicro	Trojan.Win32.AMADEY.YXEDPZ
Trapmine	suspicious.low.ml.score
FireEye	Trojan.GenericKD.72398061
Sophos	Mal/Generic-S
Webroot	W32.Trojan.GenKD
Antiy-AVL	Trojan/Win32.Znyonm
Gridinsoft	Virtool.Win32.Znyonm.ca
Microsoft	Trojan:Win32/Znyonm
GData	Trojan.GenericKD.72398061
AhnLab-V3	Malware/Win.Generic.C5613362
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Dropper.SFX
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEDPZ
Tencent	Win32.Trojan.Malware.Szfl
MAX	malware (ai score=89)
Fortinet	W32/Malicious_Behavior.SBX

install_new.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All