Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 21, 2024, 9:45 a.m.	June 21, 2024, 9:47 a.m.

Size	332.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`46748aff6fcab034d0affddc99c6d876`
SHA256	`82a9537d99a9ccc5c534dd87f642a7e77b594f7554c2ed7a32a1a9518634a42c`
CRC32	`C038FA17`
ssdeep	`6144:m68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1IH:WfnnK9zABs+TbFx9SXOPCf8DkqAR8zHB`
Yara	AutoIt - autoit PE_Header_Zero - PE File Signature CoinMiner_IN - CoinMiner IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware

WezoAutoUP.exe "C:\Users\test22\AppData\Local\Temp\WezoAutoUP.exe"
1836
- arpwriteIni.exe C:\Users\test22\AppData\Local\Temp\arpwriteIni.exe
  2220
  - cmd.exe C:\Windows\system32\cmd.exe /c ipconfig
    2264
    - ipconfig.exe ipconfig
      2328
- WezoEventUP.exe C:\Users\test22\AppData\Local\Temp\WezoEventUP.exe
  2412
- DownVerySync.exe C:\Users\test22\AppData\Local\Temp\DownVerySync.exe
  2500
  - 7z.exe C:\Users\test22\AppData\Local\Temp\7z.exe x -y D:\verysync-windows-amd64-v2.15.0.zip -od:\
    2628
- DelHosts.exe C:\Users\test22\AppData\Local\Temp\DelHosts.exe
  2764
- wzoptup.exe C:\Users\test22\AppData\Local\Temp\wzoptup.exe
  2856
- storyhosts.exe C:\Users\test22\AppData\Local\Temp\storyhosts.exe
  2944
- sysup.exe C:\Users\test22\AppData\Local\Temp\sysup.exe
  3028
- dbzclientUpdate.exe C:\Users\test22\AppData\Local\Temp\dbzclientUpdate.exe
  2148
- wzoptBmp.exe C:\Users\test22\AppData\Local\Temp\wzoptBmp.exe
  2332
- changezuhaolnk.exe C:\Users\test22\AppData\Local\Temp\changezuhaolnk.exe
  2852

Name	Response	Post-Analysis Lookup
dl-cn.verysync.com	A 172.67.201.86 A 104.21.52.166 CNAME dl-cn.verysync.com.cdn.cloudflare.net	104.21.52.166
wieie.cn	A 58.23.215.23	58.23.215.23

IP Address	Status	Action
104.21.52.166	Active	Moloch
164.124.101.2	Active	Moloch
58.23.215.23	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 58.23.215.23:8765 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 192.168.56.103:49172 -> 104.21.52.166:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 104.21.52.166:80	2027360	ET INFO AutoIt User-Agent Downloading ZIP	Misc activity
TCP 192.168.56.103:49172 -> 104.21.52.166:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 58.23.215.23:8765 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 58.23.215.23:8765	2019935	ET INFO AutoIt User Agent Executable Request	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (13 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0
IsDebuggerPresent June 21, 2024, 9:45 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: 7-Zip 20.00 alpha (x86) : Copyright (c) 1999-2020 Igor Pavlov : 2020-02-06 console_handle: 0x00000007	1	1
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: Scanning the drive for archives: console_handle: 0x00000007	1	1
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: 0M Scan D:\ console_handle: 0x00000007	1	1
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: The parameter is incorrect. console_handle: 0x0000000b	1	1
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: D:\verysync-windows-amd64-v2.15.0.zip console_handle: 0x0000000b	1	1
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: System ERROR: console_handle: 0x0000000b	1	1
WriteConsoleA June 21, 2024, 9:45 a.m.	buffer: The parameter is incorrect. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2024, 9:45 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 21, 2024, 9:45 a.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895 stacktrace+0x84 memdup-0x1af @ 0x749a0470 hook_in_monitor+0x45 lde-0x133 @ 0x749942ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x749b3603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefdc03243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefdc031fb changezuhaolnk+0xa7bec @ 0x1400a7bec GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76fc2ef0 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff 0xfafff exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77710895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 4388408 registers.rsi: 5369741312 registers.r10: 0 registers.rbx: 1996238576 registers.rsp: 4390664 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 4389752 registers.r12: 0 registers.rbp: 0 registers.rdi: 5368709487 registers.rax: 4388088 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 21, 2024, 9:45 a.m.

stacktrace:

RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895
stacktrace+0x84 memdup-0x1af @ 0x749a0470
hook_in_monitor+0x45 lde-0x133 @ 0x749942ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x749b3603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefdc03243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefdc031fb
changezuhaolnk+0xa7bec @ 0x1400a7bec
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76fc2ef0
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff
0xfafff

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77710895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 4388408
registers.rsi: 5369741312
registers.r10: 0
registers.rbx: 1996238576
registers.rsp: 4390664
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 4389752
registers.r12: 0
registers.rbp: 0
registers.rdi: 5368709487
registers.rax: 4388088
registers.r13: 0

Performs some HTTP requests (2 events)

request	GET http://dl-cn.verysync.com/releases/v2.15.0/verysync-windows-amd64-v2.15.0.zip
request	GET http://dl-cn.verysync.com/releases/

Creates executable files on the filesystem (12 events)

file	C:\Users\test22\AppData\Local\Temp\storyhosts.exe
file	C:\Users\test22\AppData\Local\Temp\7z.exe
file	C:\Users\test22\AppData\Local\Temp\DownVerySync.exe
file	C:\Users\test22\AppData\Local\Temp\changezuhaolnk.exe
file	C:\Users\test22\AppData\Local\Temp\dbzclientUpdate.exe
file	C:\Users\test22\AppData\Local\Temp\WezoEventUP.exe
file	C:\Users\test22\AppData\Local\Temp\7z.dll
file	C:\Users\test22\AppData\Local\Temp\wzoptup.exe
file	C:\Users\test22\AppData\Local\Temp\DelHosts.exe
file	C:\Users\test22\AppData\Local\Temp\sysup.exe
file	C:\Users\test22\AppData\Local\Temp\wzoptBmp.exe
file	C:\Users\test22\AppData\Local\Temp\arpwriteIni.exe

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ipconfig

Drops an executable to the user AppData folder (10 events)

file	C:\Users\test22\AppData\Local\Temp\wzoptup.exe
file	C:\Users\test22\AppData\Local\Temp\arpwriteIni.exe
file	C:\Users\test22\AppData\Local\Temp\7z.dll
file	C:\Users\test22\AppData\Local\Temp\storyhosts.exe
file	C:\Users\test22\AppData\Local\Temp\sysup.exe
file	C:\Users\test22\AppData\Local\Temp\7z.exe
file	C:\Users\test22\AppData\Local\Temp\WezoEventUP.exe
file	C:\Users\test22\AppData\Local\Temp\dbzclientUpdate.exe
file	C:\Users\test22\AppData\Local\Temp\wzoptBmp.exe
file	C:\Users\test22\AppData\Local\Temp\DelHosts.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000188 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000188 process_name: wsqmcons.exe process_identifier: 932	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000188 process_name: sdclt.exe process_identifier: 2004	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000188 process_name: cmd.exe process_identifier: 1476	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000188 process_name: conhost.exe process_identifier: 1608	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000188 process_name: SearchFilterHost.exe process_identifier: 912	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000188 process_name: pw.exe process_identifier: 1872	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000120 process_name: rundll32.exe process_identifier: 2096	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000120 process_name: rundll32.exe process_identifier: 2160	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000120 process_name: arpwriteIni.exe process_identifier: 2220	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000120 process_name: cmd.exe process_identifier: 2264	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x0000000000000100 process_name: DownVerySync.exe process_identifier: 2500	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000164 process_name: rundll32.exe process_identifier: 2568	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000164 process_name: rundll32.exe process_identifier: 2728	1	1
Process32NextW June 21, 2024, 9:45 a.m.	snapshot_handle: 0x00000164 process_name: storyhosts.exe process_identifier: 2944	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 21, 2024, 9:45 a.m.	flags: 198 family: 0		111	0

An executable file was downloaded by the process wezoautoup.exe (9 events)

Time & API	Arguments	Status	Return
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELs£ícà"Ð °f p@@@@$p<¤hÄh UPX0 àUPX1Ð Ê@à.rsrc pÎ@À3.91UPX! 0ªÿqÂµµÒN¥Æ &æ request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¹µníýÔ¾ýÔ¾ýÔ¾n¾ÿÔ¾æIª¾JÔ¾æI«¾ÈÔ¾ô¬¾ôÔ¾ô¬¾ÜÔ¾ýÔ¾íÖ¾æI´¾´Ô¾æI¾ÊÔ¾æI¾üÔ¾ýÔ¾üÔ¾æI¾üÔ¾RichýÔ¾PEL´-Oà# °À@wÐ@ @@8ð°8pUPX0ÀàUPX1°Ðª@à.rsrct®@À3.08UPX! Ý½ÞüwXÐ3[Q9§à &X request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $o1)ë+PG¸+PG¸+PG¸Ì¶¸>PG¸Ì´¸·PG¸Ìµ¸ PG¸µð¸PG¸y8B¹PG¸y8C¹:PG¸y8D¹#PG¸"(Ä¸#PG¸"(À¸PG¸"(Ô¸PG¸+PF¸RG¸9I¹{PG¸9D¹PG¸9¸¸PG¸+PÐ¸PG¸9E¹PG¸Rich+PG¸PEd4ìcð"4.U@à§`@@0\\|°¬ @<oÐt Pp (ppP8.textP34 `.rdata$BPD8@@.data( P\|@À.pdata<o@pÌ@@.rsrc¬ ° <@@.reloct ÐZ@B request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¹µníýÔ¾ýÔ¾ýÔ¾n¾ÿÔ¾æIª¾JÔ¾æI«¾ÈÔ¾ô¬¾ôÔ¾ô¬¾ÜÔ¾ýÔ¾íÖ¾æI´¾´Ô¾æI¾ÊÔ¾æI¾üÔ¾ýÔ¾üÔ¾æI¾üÔ¾RichýÔ¾PEL´-Oà# °À@wÐ@ @@8ð°8pUPX0ÀàUPX1°Ðª@à.rsrct®@À3.08UPX! Ý½ÞüwXÐ3[Q9§³Û & request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¹µníýÔ¾ýÔ¾ýÔ¾n¾ÿÔ¾æIª¾JÔ¾æI«¾ÈÔ¾ô¬¾ôÔ¾ô¬¾ÜÔ¾ýÔ¾íÖ¾æI´¾´Ô¾æI¾ÊÔ¾æI¾üÔ¾ýÔ¾üÔ¾æI¾üÔ¾RichýÔ¾PEL´-Oà# °À@wÐ@ @@8ð°8pUPX0ÀàUPX1°Ðª@à.rsrct®@À3.08UPX! Ý½ÞüwXÐ3[Q9§â &\ request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $&`bóÁbóÁbóÁ$¢ïÁ`óÁüSÉÁcóÁo¡ÑÁQóÁo¡îÁÓóÁo¡ïÁWóÁkÁkóÁkÁGóÁbóÁ\|ñÁGäÁ,óÁGÑÁcóÁo¡ÕÁcóÁbóÁcóÁGÐÁcóÁRichbóÁPELch;fà" pàð@@@@ö$f¸údHUPX0ààUPX1 ð @à.rsrcpl¤ @À3.91UPX! þßæÊmM hk Ä&R request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $&`bóÁbóÁbóÁ$¢ïÁ`óÁüSÉÁcóÁo¡ÑÁQóÁo¡îÁÓóÁo¡ïÁWóÁkÁkóÁkÁGóÁbóÁ\|ñÁGäÁ,óÁGÑÁcóÁo¡ÕÁcóÁbóÁcóÁGÐÁcóÁRichbóÁPEL]bà" p°×"Àà"@P#@@@F#$à"f¸J#tÙ"HUPX0°àUPX1 À@à.rsrcpà"l@À3.91UPX! (,oi¶¹7h;! & request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $&`bóÁbóÁbóÁ$¢ïÁ`óÁüSÉÁcóÁo¡ÑÁQóÁo¡îÁÓóÁo¡ïÁWóÁkÁkóÁkÁGóÁbóÁ\|ñÁGäÁ,óÁGÑÁcóÁo¡ÕÁcóÁbóÁcóÁGÐÁcóÁRichbóÁPELåcà" p°`VÀ`@Ð@@@ÈÄ$`ÈdìÈDXHUPX0°àUPX1 À@à.rsrcp`j@À3.91UPX! `3/wtah{`Î&' request_handle: 0x00cc000c	1	1
InternetReadFile June 21, 2024, 9:45 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $b`÷ã&°&°&°h°+°j°«°k°>°¸¡^°$°_±0°_±5°_± °/y°,°/y °#°&°*°±_±°±_±'°´_f°'°±_±'°Rich&°PEL×Æ_à²@ì0@@@Á È4TÈ<0°Òh"ÀªTU@0`Ä½ .textê `.rdata¦0¨@@.data(7à¾@À.didat Î@À.rsrc°Ò0ÔÐ@@.reloch"$¤@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004aa00', u'virtual_address': u'0x0007d000', u'entropy': 7.940965856094214, u'name': u'UPX1', u'virtual_size': u'0x0004b000'}

entropy

7.94096585609

description

A section with a high entropy has been found

entropy

0.911450381679

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 21, 2024, 9:45 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW June 21, 2024, 9:45 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW June 21, 2024, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

cmd.exe

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ipconfig
cmdline	C:\Windows\system32\cmd.exe /c ipconfig

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WezoAotoUp

reg_value

"C:\Users\test22\AppData\Local\Temp\WezoAutoUP.exe"

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\changezuhaolnk.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\storyhosts.exe

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Users\test22\AppData\Local\Temp\DownVerySync.exe

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Multi.Generic.lrP4
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.AutoitDropper.fc
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.V6xa
K7AntiVirus	Trojan ( 0056e5201 )
K7GW	Trojan ( 0056e5201 )
VirIT	Trojan.Win32.Generic.XTX
Symantec	Trojan.Gen.MBT
ESET-NOD32	multiple detections
APEX	Malicious
McAfee	RDN/YahLover.worm
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Malware.Generic-6651791-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Packed:Win32/Generic.4fad0b70
F-Secure	Dropper.DR/AutoIt.Gen
DrWeb	Trojan.Siggen5.59949
TrendMicro	TROJ_GEN.R002C0PET24
McAfeeD	ti!82A9537D99A9
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.46748aff6fcab034
Sophos	Mal/Generic-S
Ikarus	PUA.Autoit
Webroot	W32.Trojan.Gen
Google	Detected
Avira	DR/AutoIt.Gen
Antiy-AVL	Trojan[Packed]/Win32.Autoit
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.CoinMiner.dd!s2
Xcitium	TrojWare.Win32.Hider.REXR@5364l6
Microsoft	Trojan:Win32/Casdet!rfn
ViRobot	Trojan.Win32.A.Agent.690283[UPX]
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.PSE.R2WKDE
Varist	W32/Trojan.IJBN-1595
DeepInstinct	MALICIOUS
VBA32	IMWorm.Sohanad
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0PET24
Tencent	Autoit.Trojan.Autoit.Gajl
Yandex	Trojan.GenAsa!i9rai7w7/WE
MaxSecure	Trojan.Malware.204083740.susgen
Fortinet	Riskware/YahLover
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)

WezoAutoUP.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All