Summary | ZeroBOX

kdmapper.exe

Category FILE
Machine s1_win7_x6401
Started July 2, 2024, 7:42 a.m.
Completed July 2, 2024, 7:46 a.m.
Size 148.0KB
Type MS-DOS executable, MZ for MS-DOS
MD5 afb27825d8a45bea2992eca0e060a968
SHA256 e00dd7eb22f4c0edd534efd84e64dd0129826b4175697e925ebb551b5a33421f
CRC32 1E0BA7CC
ssdeep 3072:wr85Cl7A5G390uDmJTQSaMm5/6lWOax9ggPppjdz7eqQfZ86:w9ZqWlQWx3PppjdPsZ86
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx (none) 1 1 0
section CODE
section DATA
section BSS
file C:\util\curl\curl.exe
file C:\Program Files (x86)\Microsoft Office\Office12\DSSM.EXE
file C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateCore.exe
file C:\Program Files (x86)\Microsoft Office\Office12\REGFORM.EXE
file C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ODSERV.EXE
file C:\Python27\Scripts\easy_install.exe
file C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
file C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file C:\tmptqb9ww\bin\Procmon.exe
file C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file C:\Program Files (x86)\Microsoft Office\Office12\SELFCERT.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\PPTVIEW.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
file C:\Users\test22\AppData\Local\Temp\3582-490\kdmapper.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
file C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\DW20.EXE
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateComRegisterShell64.exe
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateBroker.exe
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
file C:\util\TCPView\Tcpvcon.exe
file C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Installer\chrmstp.exe
file C:\Program Files (x86)\Hnc\Common80\HncReporter.exe
file C:\Program Files (x86)\Microsoft Office\Office12\1042\ONELEV.EXE
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files (x86)\Hnc\Hwp80\HncPUAConverter.exe
file C:\Program Files (x86)\Microsoft Office\Office12\MSTORE.EXE
file C:\Program Files (x86)\Hnc\HncDic80\HncDic.exe
file C:\Program Files (x86)\Microsoft Office\Office12\MSTORDB.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACECNFLT.EXE
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdate.exe
file C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe
file C:\Program Files (x86)\Hnc\HncUtils\KeyLayout\KeyLayout.exe
file C:\util\dotnet4.5.exe
file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\INFOPATH.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\GrooveMigrator.exe
file C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file C:\Program Files (x86)\Hnc\Common80\him\HJIMESV.EXE
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateOnDemand.exe
file C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\OINFOP12.EXE
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) reg_value C:\Windows\svchost.com "%1" %*
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file C:\Users\test22\AppData\Local\Temp\3582-490\kdmapper.exe
Bkav W32.NeshtaB.PE
Lionic Virus.Win32.Neshta.n!c
Elastic Windows.Virus.Neshta
Cynet Malicious (score: 100)
CAT-QuickHeal W32.Neshta.C8
Skyhigh BehavesLike.Win32.HLLP.ch
ALYac Win32.Neshta.A
Cylance Unsafe
VIPRE Win32.Neshta.A
Sangfor Virus.Win32.Neshta.a
K7AntiVirus Virus ( 00556e571 )
BitDefender Win32.Neshta.A
K7GW Virus ( 00556e571 )
Cybereason malicious.5d8a45
Arcabit Win32.Neshta.A
Baidu Win32.Virus.Neshta.a
VirIT Win32.Delf.FE
Symantec W32.Neshuta
ESET-NOD32 Win32/Neshta.A
APEX Malicious
McAfee W32/Neshta
Avast Win32:Crypt-SKC [Trj]
ClamAV Win.Trojan.Neshuta-1
Kaspersky Virus.Win32.Neshta.a
Alibaba Virus:Win32/Neshta.3bb
NANO-Antivirus Trojan.Win32.Winlock.fmobyw
MicroWorld-eScan Win32.Neshta.A
Rising Virus.Neshta!1.EFA5 (CLASSIC)
Emsisoft Win32.Neshta.A (B)
F-Secure Malware.W32/Neshta.A
DrWeb Win32.HLLP.Neshta
Zillya Virus.Neshta.Win32.1
TrendMicro PE_NESHTA.A
McAfeeD Real Protect-LS!AFB27825D8A4
Trapmine malicious.high.ml.score
FireEye Generic.mg.afb27825d8a45bea
Sophos W32/Neshta-D
Ikarus Virus.Win32.Neshta
Jiangmin Virus.Neshta.a
Google Detected
Avira W32/Neshta.A
MAX malware (ai score=88)
Antiy-AVL Virus/Win32.Neshta.a
Kingsoft Win32.Neshta.nl.30720
Gridinsoft Virus.Win32.Neshta.ka!s8
Xcitium Win32.Neshta.A@3ypg
Microsoft Virus:Win32/Neshta.A
ViRobot Win32.Neshta.Gen.A
ZoneAlarm Virus.Win32.Neshta.a
GData Win32.Virus.Neshta.D