Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2024, 9:56 a.m.	June 16, 2024, 10:24 a.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6c63f5db1f5beff0a1cb3af035ca3d4c`
SHA256	`565e3379fa532b07aac8fb1b9dbdd6673fdac87c399a7800235c88e7dabe7f28`
CRC32	`ED0A6594`
ssdeep	`24576:JBbdrmZoGk/52SCUAO55ksXy4gE47he4wtL/xExlzXyD:Jr3/5PkO553eEQwtqx`
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

jiali.exe "C:\Users\test22\AppData\Local\Temp\jiali.exe"
2632
- LYMDYKd.exe C:\Users\test22\AppData\Local\Temp\LYMDYKd.exe
  2696
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\3a691239.bat" "
    2896
- csrss2.exe C:\Users\test22\AppData\Local\Temp\csrss2.exe
  2784

Name	Response	Post-Analysis Lookup
ddos.dnsnb8.net	A 44.221.84.105	44.221.84.105

IP Address	Status	Action
142.250.66.129	Active	Moloch
142.251.222.206	Active	Moloch
164.124.101.2	Active	Moloch
44.221.84.105	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\LYMDYKd.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\LYMDYKd.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: goto console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: :DELFILE console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\3a691239.bat" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:56 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

@\xb5\xdbf\xa3u\x9e

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 16, 2024, 9:56 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 16, 2024, 9:56 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00196bc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00196bc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00196bc0

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001970b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001970b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001970b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001970b0

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001987b8

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019cf40

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019cf40

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e188

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ebd0

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ec1c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ec1c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ec1c

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ec68

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ec68

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019ec68

size

0x00000014

Creates executable files on the filesystem (30 events)

file	C:\Users\test22\AppData\Local\Temp\60395936.exe
file	C:\tmptqb9ww\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file	C:\tmpuvzci8\bin\execsc.exe
file	C:\Users\test22\AppData\Local\Temp\0EB94FBC.exe
file	C:\Python27\Lib\distutils\command\wininst-9.0.exe
file	C:\Users\test22\AppData\Local\Temp\060A2033.exe
file	C:\Users\test22\AppData\Local\Temp\029312F9.exe
file	C:\Python27\Lib\distutils\command\wininst-6.0.exe
file	C:\util\pafish.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Python27\Lib\site-packages\setuptools\cli.exe
file	C:\Program Files\7-Zip\Uninstall.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Python27\Lib\site-packages\setuptools\gui-32.exe
file	C:\Users\test22\AppData\Local\Temp\699061F0.exe
file	C:\Users\test22\AppData\Local\Temp\3a691239.bat
file	C:\tmpuvzci8\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\tmptqb9ww\bin\execsc.exe
file	C:\tmpuvzci8\bin\is32bit.exe
file	C:\tmptqb9ww\bin\is32bit.exe
file	C:\Python27\Lib\distutils\command\wininst-8.0.exe
file	C:\Users\test22\AppData\Local\Temp\59B30485.exe
file	C:\Users\test22\AppData\Local\Temp\348A16B9.exe
file	C:\Users\test22\AppData\Local\Temp\csrss2.exe
file	C:\Python27\Lib\site-packages\setuptools\gui.exe
file	C:\Users\test22\AppData\Local\Temp\LYMDYKd.exe
file	C:\Python27\Lib\distutils\command\wininst-7.1.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\3a691239.bat

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\LYMDYKd.exe
file	C:\Users\test22\AppData\Local\Temp\16862359\TemporaryFile\TemporaryFile

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:56 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\3a691239.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\3a691239.bat	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW June 16, 2024, 9:56 a.m.	snapshot_handle: 0x000000fc process_name: mobsync.exe process_identifier: 2272	1	1
Process32NextW June 16, 2024, 9:56 a.m.	snapshot_handle: 0x000000fc process_name: LYMDYKd.exe process_identifier: 2696	1	1
Process32NextW June 16, 2024, 9:56 a.m.	snapshot_handle: 0x000000fc process_name: csrss2.exe process_identifier: 2784	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 9:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	142.250.66.129
host	142.251.222.206

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\3a691239.bat

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.FamVT.DumpModuleInfectiousNME.PE
Lionic	Virus.Win32.Nimnul.n!c
tehtris	Generic.Malware
ClamAV	Win.Malware.Wapomi-10020301-0
Cylance	Unsafe
VIPRE	Win32.VJadtre.3
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Virus ( 0040f7441 )
K7GW	Virus ( 0040f7441 )
Cybereason	malicious.b1f5be
VirIT	Win32.Nimnul.F
Symantec	W32.Wapomi.C!inf
Elastic	Windows.Generic.Threat
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Alibaba	Trojan:Win32/Mikcer.35a
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
MicroWorld-eScan	Win32.VJadtre.3
Emsisoft	Application.Generic (A)
McAfeeD	Real Protect-LS!6C63F5DB1F5B
Trapmine	malicious.high.ml.score
Sophos	W32/Nimnul-A
Ikarus	Trojan.SuspectCRC
Jiangmin	Win32/Nimnul.f
Avira	W32/Jadtre.B
Antiy-AVL	Virus/Win32.Nimnul.f
Kingsoft	Win32.Nimnul.f.168959
Gridinsoft	Trojan.Heur!.03002201
Xcitium	Virus.Win32.Wali.KA@558nxg
Arcabit	Win32.VJadtre.3
ViRobot	Win32.Ramnit.F
Google	Detected
AhnLab-V3	Win32/VJadtre.Gen
Acronis	suspicious
VBA32	Virus.Nimnul.19209
TACHYON	Virus/W32.Ramnit.C
Malwarebytes	Generic.Malware.AI.DDS
Zoner	Probably Heur.ExeHeaderL
Tencent	Virus.Win32.Nimnul.ka
Yandex	Trojan.GenAsa!iFI0cidiERI
MAX	malware (ai score=80)
Fortinet	W32/CoinMiner.EC2B!tr
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	Virus:Win/Jadtre.A(dyn)

jiali.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All