Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 9:59 a.m.	June 16, 2024, 10:02 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8f7aaf6053a152035540f30992647b10`
SHA256	`1c3f9cf3ef4fbc76ff68f996fb1677ff57c172caf44a0b5dccb5d6f3aab69608`
CRC32	`C06A866D`
ssdeep	`24576:pqDEvCTbMWu7rQYlBQcBiT6rprG8aux2+b+HdiJUX:pTvC/MTQYxsWR7aux2+b+HoJU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1684
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
  2092
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
    2180

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (21 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0
IsDebuggerPresent June 16, 2024, 9:59 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2024, 9:59 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 240971336 registers.r15: 85396528 registers.rcx: 1264 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 240970592 registers.rsp: 240970296 registers.r11: 240974208 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1312 registers.r12: 240970952 registers.rbp: 240970448 registers.rdi: 87569072 registers.rax: 10027008 registers.r13: 85428064	1	0	0

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2092 crashed
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 240971336 registers.r15: 85396528 registers.rcx: 1264 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 240970592 registers.rsp: 240970296 registers.r11: 240974208 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1312 registers.r12: 240970952 registers.rbp: 240970448 registers.rdi: 87569072 registers.rax: 10027008 registers.r13: 85428064	1	0	0

Steals private information from local Internet browsers (20 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-666E9B75-82C.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\20e7de99-ef04-4c87-a647-eb32597a15be.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00046200', u'virtual_address': u'0x000d4000', u'entropy': 7.844106627602887, u'name': u'.rsrc', u'virtual_size': u'0x0004617c'}

entropy

7.8441066276

description

A section with a high entropy has been found

entropy

0.246485061511

description

Overall entropy of this PE file is high

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 16, 2024, 10 a.m.	status_code: 0xc0000005 process_identifier: 2092 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess June 16, 2024, 10 a.m.	status_code: 0xc0000005 process_identifier: 2092 process_handle: 0x00000000000000bc	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,405328435193604317,3726656886444491162,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1052 /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1684 resumed a thread in remote process 2092
Process injection	Process 2180 resumed a thread in remote process 2092
NtResumeThread June 16, 2024, 9:59 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0
NtResumeThread June 16, 2024, 10 a.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2092	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Lionic	Trojan.Win32.AutoIt.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.RealProtect.tc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005b26d31 )
K7GW	Trojan ( 005b26d31 )
VirIT	Trojan.Win32.AutoIT.DYWA
ESET-NOD32	a variant of Win32/Autoit.OQF
Kaspersky	Trojan-Spy.Script.AutoIt.b
F-Secure	Trojan.TR/AutoIt.zstul
DrWeb	Trojan.Inject5.5665
McAfeeD	Real Protect-LS!8F7AAF6053A1
FireEye	Generic.mg.8f7aaf6053a15203
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Autoit
Jiangmin	Trojan.Script.awbz
Google	Detected
Avira	TR/AutoIt.zstul
Microsoft	Trojan:Win32/Phonzy.C!ml
ZoneAlarm	Trojan-Spy.Script.AutoIt.b
Varist	W32/AutoIt.XQ.gen!Eldorado
BitDefenderTheta	Gen:NN.ZexaCO.36806.hvW@ayCrJ!pi
TACHYON	Trojan/W32.Agent.1166336.C
DeepInstinct	MALICIOUS
Malwarebytes	Backdoor.NetWiredRC.AutoIt.Generic
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	AutoIt/Agent.OQF!tr

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All