Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 3, 2024, 7:45 a.m.	May 3, 2024, 7:55 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6b31dd4a6560603dfe9f833ca5dd4d7d`
SHA256	`80a7488b97d50d5aad3a7ce2714703705f4a2c3af042478c461e8db37d2a4b0a`
CRC32	`99CF405C`
ssdeep	`24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8auW2+b+HdiJUX:WTvC/MTQYxsWR7auW2+b+HoJU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
416
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
  2144
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
    2232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:38 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:38 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:38 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:38 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:38 a.m.			0	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 3, 2024, 7:46 a.m.		1	1	0

Steals private information from local Internet browsers (8 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00046200', u'virtual_address': u'0x000d4000', u'entropy': 7.844093186587957, u'name': u'.rsrc', u'virtual_size': u'0x0004617c'}

entropy

7.84409318659

description

A section with a high entropy has been found

entropy

0.246485061511

description

Overall entropy of this PE file is high

One or more non-whitelisted processes were created (1 event)

parent_process

chrome.exe

martian_process

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 416 resumed a thread in remote process 2144
NtResumeThread May 3, 2024, 7:46 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2144	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Injector.tc
Cylance	unsafe
Sangfor	Virus.Win32.Save.a
K7GW	Trojan ( 005b26d31 )
K7AntiVirus	Trojan ( 005b26d31 )
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Autoit.OQF
F-Secure	Trojan.TR/AutoIt.zstul
FireEye	Generic.mg.6b31dd4a6560603d
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Autoit
Jiangmin	Trojan.Script.awbz
Google	Detected
Avira	TR/AutoIt.zstul
Varist	W32/AutoIt.XQ.gen!Eldorado
BitDefenderTheta	Gen:NN.ZexaCO.36804.hvW@aaqTHpki
TACHYON	Trojan/W32.Agent.1166336.C
DeepInstinct	MALICIOUS
Malwarebytes	Backdoor.NetWiredRC.AutoIt.Generic
Fortinet	AutoIt/Agent.OQF!tr

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All