Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 5, 2024, 7:27 a.m.	June 5, 2024, 7:29 a.m.

Size	898.8KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`1b1ecd323162c054864b63ada693cd71`
SHA256	`902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff`
CRC32	`2BE95255`
ssdeep	`24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

lrthijawd.exe "C:\Users\test22\AppData\Local\Temp\lrthijawd.exe"
516
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" "
  2196
  - work.exe work.exe -priverdD
    2268
    - jergs.exe "C:\Users\test22\AppData\Local\Temp\RarSFX1\jergs.exe"
      2420
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 5, 2024, 7:27 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\jergs.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 5, 2024, 7:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000190 filepath: C:\Windows\Tasks\svts.job desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Windows\Tasks\svts.job create_options: 100 (FILE_NON_DIRECTORY_FILE\|FILE_SEQUENTIAL_ONLY\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 5 (FILE_SHARE_READ\|FILE_SHARE_DELETE)	1	0	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\jergs.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: pw.exe process_identifier: 288	1	1
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: taskhost.exe process_identifier: 1872	1	1
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: SearchProtocolHost.exe process_identifier: 1928	1	1
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: SearchFilterHost.exe process_identifier: 1020	1	1
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: work.exe process_identifier: 2268	1	1
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: mscorsvw.exe process_identifier: 2484	1	1
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: svchost.exe process_identifier: 2504	1	1
Process32NextW June 5, 2024, 7:27 a.m.	snapshot_handle: 0x00000174 process_name: sppsvc.exe process_identifier: 2604	1	1

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\svts.job

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\jergs.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2196 resumed a thread in remote process 2268
NtResumeThread June 5, 2024, 7:27 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2268	1	0	0

lrthijawd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All