Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 20, 2024, 4:42 p.m.	June 20, 2024, 4:45 p.m.

Size	66.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c431df16a0810e27345aa37df100a114`
SHA256	`54c1db6324d1881eafa57378082f0754705c92dadfecfa16cee8164b55001d34`
CRC32	`391F0A2C`
ssdeep	`1572864:trziNx5qXrDG0d5fLbPyfQPnHr06KTvReI8KKy0viUh7:Ix5qXrb5fLfwrTEDHph7`
Yara	Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

DamnedSetup.exe "C:\Users\test22\AppData\Local\Temp\DamnedSetup.exe"
2652
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 20, 2024, 4:42 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 20, 2024, 4:42 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73955000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 20, 2024, 4:44 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\vulkan-1.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\vk_swiftshader.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\StdUtils.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\libGLESv2.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\d3dcompiler_47.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\resources\elevate.exe
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\ffmpeg.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\Damned-x64.exe
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\libEGL.dll

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\StdUtils.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\resources\elevate.exe
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\System.dll

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Bkav	W32.AIDetectMalware

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 20, 2024, 4:42 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\Damned-x64.exe

Drops 62 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 62 events)

file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\sk.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\it.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\en-GB.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\nb.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\resources.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\da.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\am.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\hu.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\en-US.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ru.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\id.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\chrome_100_percent.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\pt-PT.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\cs.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\bg.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\bn.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\he.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\fa.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\th.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ar.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ko.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\es-419.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\nl.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\vi.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\zh-TW.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\el.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\resources\app.asar
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ta.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\pl.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\te.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\af.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\mr.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\zh-CN.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ur.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\sw.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\hr.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\tr.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\hi.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\es.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\sl.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\pt-BR.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\fil.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\uk.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ca.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ml.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\sr.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\lv.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\kn.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\de.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ja.pak

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 152 events)

file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\es-419.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\fa.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\v8_context_snapshot.bin
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\lv.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\en-US.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\af.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\it.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\Damned-x64.exe
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\sl.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ru.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\am.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ml.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\he.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\sr.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\zh-CN.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\snapshot_blob.bin
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\ffmpeg.dll
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\d3dcompiler_47.dll
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\it.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\sw.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\ro.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\ml.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\zh-TW.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\resources\elevate.exe
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\cs.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\hr.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\zh-TW.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\es.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\sv.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\LICENSE.electron.txt
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\te.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\pt-BR.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\cs.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\lt.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\fa.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\chrome_100_percent.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\el.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\mr.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\libGLESv2.dll
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\fi.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\vk_swiftshader_icd.json
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\te.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB96.tmp
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\pt-PT.pak
file	C:\Users\test22\AppData\Local\Temp\nswFB97.tmp\7z-out\locales\pt-PT.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\sr.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\resources.pak
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\vulkan-1.dll
file	C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\locales\de.pak

Writes a potential ransom message to disk (1 event)

Time & API	Arguments	Status	Return	Repeated
NtWriteFile June 20, 2024, 4:42 p.m.	buffer: w (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. </pre> </div> </div> <div class="product"> <span class="title">Simple Homomorphic Encryption Library with Lattices</span> <span class="homepage"><a href="https://github.com/google/shell-encryption">homepage</a></span> <input type="checkbox" hidden id="289"> <label class="show" for="289" tabindex="0"></label> <div class="licence"> <pre> Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by offset: 6225920 file_handle: 0x00000228 filepath: C:\Users\test22\AppData\Local\Temp\2ekW28DriA2QSQ423cuVpx1UOPH\LICENSES.chromium.html	1	0	0

DamnedSetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All