Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 19, 2024, 2:17 p.m.	June 19, 2024, 2:19 p.m.

Size	212.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`dfc21ed56aafad102fd6b985a15f8423`
SHA256	`81ff684b35cd19013c8a0ff8a4b01ea2932e11debba1be2cd058539742d0491a`
CRC32	`AAB0D081`
ssdeep	`3072:lkAn8TlyyzWmbQoOzKyLR6n4BCHwjqWRwZnqsCwYLA:l18hyCCKyLRZZRw5qtLA`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

invoice.exe "C:\Users\test22\AppData\Local\Temp\invoice.exe"
2556
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\i6.bat" "
  2660

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 19, 2024, 2:17 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 19, 2024, 2:17 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 invoice+0x8c95 @ 0x408c95 invoice+0x37bb @ 0x4037bb invoice+0x1011 @ 0x401011 invoice+0x91f4 @ 0x4091f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 1377424 registers.edi: 0 registers.eax: 69831312 registers.ebp: 1377452 registers.edx: 1 registers.ebx: 0 registers.esi: 17472688 registers.ecx: 1925592540	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 19, 2024, 2:17 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
invoice+0x8c95 @ 0x408c95
invoice+0x37bb @ 0x4037bb
invoice+0x1011 @ 0x401011
invoice+0x91f4 @ 0x4091f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 1377424
registers.edi: 0
registers.eax: 69831312
registers.ebp: 1377452
registers.edx: 1
registers.ebx: 0
registers.esi: 17472688
registers.ecx: 1925592540

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\i6.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\i6.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 19, 2024, 2:17 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\i6.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\i6.bat	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Users\test22\AppData\Local\Temp\echo:1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2660
NtResumeThread June 19, 2024, 2:17 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2660	1	0	0

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\invoice.exe

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Dropper.dh
Cylance	Unsafe
APEX	Malicious
NANO-Antivirus	Trojan.Win32.Mlw.kcakpf
Rising	Trojan.Generic@AI.100 (RDML:rHXKkKuGL6dt4T681JXXLA)
F-Secure	Trojan.TR/Dropper.Gen
Zillya	Trojan.Generic.Win32.1806322
McAfeeD	Real Protect-LS!DFC21ED56AAF
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.dfc21ed56aafad10
Ikarus	Trojan.Dropper
Google	Detected
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	malware.kb.a.985
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
BitDefenderTheta	Gen:NN.ZexaF.36806.nq3@aerCP3e
Tencent	Malware.Win32.Gencirc.10befa4d
SentinelOne	Static AI - Suspicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
CrowdStrike	win/malicious_confidence_90% (D)

invoice.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All