Summary | ZeroBOX

Sample: svchost.exe
Tags: Malicious Packer, PE32, MZP Format, PE File

Category: FILE
Machine: s1_win7_x6403_us
Started: July 30, 2024, 7:45 a.m.
Completed: July 30, 2024, 7:47 a.m.
Size: 321.5 KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 6ddd28445b8fc2485cb72f22d1adc936
SHA256: d73a9c06d72b25fc9cc1d3883ba52ba949c91297d20f8cff37481d9b442a7ef7
CRC32: FCE07496
ssdeep: 6144:QtAiKL0PXm/Kn0xv40x+do+iDtLEX/s7fwOCkUECtSZZZZ56:9nYPIOM1+y+6QX/Af0ke
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • mzp_file_format - MZP(Delphi) file format

DNS lookups (Name / Response / Post-Analysis Lookup): no hosts contacted.
Network hosts (IP Address / Status / Action): no hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API call: GetComputerNameW
  computer_name: TEST22-PC
  Status: 1 | Return: 1 | Repeated: 0

API call: WriteConsoleW
  buffer: SUCCESS: The scheduled task "WPDR\Config_Error\Version" has successfully been created.
  console_handle: 0x00000007
  Status: 1 | Return: 1 | Repeated: 0
  (This buffer is schtasks.exe's own success message, so the task registration below completed.)
Packer: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
API call: NtAllocateVirtualMemory
  process_identifier: 1372
  process_handle: 0xffffffff (pseudo-handle for the current process)
  base_address: 0x003b0000
  region_size: 4096
  allocation_type: 4096 (MEM_COMMIT)
  protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  Status: 1 | Return: 0 (STATUS_SUCCESS) | Repeated: 0
cmdline C:\Windows\System32\schtasks.exe /create /xml "C:\Users\test22\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f
cmdline "C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\test22\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f
API call: ShellExecuteExW
  filepath: C:\Windows\System32\schtasks.exe
  filepath_r: C:\Windows\System32\schtasks.exe
  parameters: /create /xml "C:\Users\test22\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f
  show_type: 0 (SW_HIDE)
  Status: 1 | Return: 1 | Repeated: 0
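The schtasks.exe invocation recorded above is the persistence step worth writing detection for: a task is registered from an XML definition that lives under the user's AppData, with /f to overwrite any task of the same name, under a vendor-looking folder. The following is an added example (Python, not code from the ZeroBOX report, the sandbox, or the sample) that tokenizes such a command line, extracts the verb and switch values, and flags those three properties. Only OBSERVED is taken from the report; the contrast lines in CONSTRUCTED_LOG and the USER_WRITABLE prefix list are constructed assumptions.

```python
"""Triage schtasks.exe command lines for task-registration persistence (added example)."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: path fragments an unprivileged user can normally write to; tune per estate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
VERBS = {"/create", "/delete", "/run", "/change", "/query", "/end"}
TOKEN = re.compile(r'"[^"]*"|\S+')

# Recorded in the report's ShellExecuteExW / cmdline entries.
OBSERVED = r'C:\Windows\System32\schtasks.exe /create /xml "C:\Users\test22\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f'

# Constructed benign lines for contrast (not from the report).
CONSTRUCTED_LOG = [
    OBSERVED,
    r'schtasks.exe /query /fo LIST /v',
    r'"C:\Windows\System32\schtasks.exe" /create /tn VendorUpdate /xml "C:\Program Files\Vendor\update.xml"',
    r'notepad.exe C:\notes.txt',
]


def tokenize(cmdline: str) -> list:
    """Split on whitespace but keep "quoted paths" as one token, with the quotes removed."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {"verb", "switches"} for a schtasks invocation, or None for any other image."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("schtasks", "schtasks.exe"):
        return None
    verb, switches, i = None, {}, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in VERBS:
            verb = t[1:]
        elif t.startswith("/"):
            # A switch consumes the next token as its value unless that token is itself a switch.
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                switches[t] = toks[i + 1]
                i += 1
            else:
                switches[t] = True
        i += 1
    return {"verb": verb, "switches": switches}


def triage(cmdline: str) -> dict:
    """Flag /create registrations whose task definition is loaded from a user-writable path."""
    info = parse_schtasks(cmdline)
    result = {"schtasks": info is not None, "task_name": None, "xml_path": None, "flags": []}
    if info is None or info["verb"] != "create":
        return result
    sw = info["switches"]
    result["task_name"] = sw.get("/tn") if isinstance(sw.get("/tn"), str) else None
    result["xml_path"] = sw.get("/xml") if isinstance(sw.get("/xml"), str) else None
    if result["xml_path"] and any(p in result["xml_path"].lower() for p in USER_WRITABLE):
        result["flags"].append("task XML loaded from user-writable path")
    if sw.get("/f") is True:
        result["flags"].append("/f silently overwrites any existing task with that name")
    if result["task_name"] and "\\" in result["task_name"]:
        result["flags"].append("task placed in a nested folder; compare against known vendor folders")
    return result


if __name__ == "__main__":
    for line in CONSTRUCTED_LOG:
        r = triage(line)
        if r["flags"]:
            print(f"SUSPECT tn={r['task_name']!r} xml={r['xml_path']!r}: {'; '.join(r['flags'])}")
```

The command line alone does not tell you the trigger or the action: those live in version.xml, which the report does not reproduce. When following up, pull that file from the sandbox (or from %APPDATA%\WinZIP_32\ on an affected host) and read its Triggers and Actions elements before deciding what the task runs.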
section UPX1: virtual_address 0x0006b000, virtual_size 0x00027000, size_of_data 0x00026600, entropy 7.920918591649662 (A section with a high entropy has been found)
entropy 0.478939157566 (Overall entropy of this PE file is high)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
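The three static signatures above (UPX section names, a section with entropy near 8 bits per byte, and an overall high-entropy figure) are cheap to reproduce outside the sandbox. The following is an added example (Python, standard library only; not code from ZeroBOX, Cuckoo, or UPX) that walks the PE section table by hand and applies the same three checks. Because the sample itself is not available here, it builds a constructed minimal PE32 image in memory with a UPX0/UPX1/.rsrc layout; the 7.2 entropy cutoff and the definition of the packed ratio (high-entropy raw data over file size) are this example's own choices, not the sandbox's.

```python
"""Static packer heuristics over a PE section table (added example, stdlib only)."""
import math
import random
import struct

HIGH_ENTROPY = 7.2                   # assumption: this example's cutoff, not the sandbox's
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Follow MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "size_of_data": raw_size,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Apply the three heuristics: UPX section names, per-section entropy, packed-data ratio."""
    sections = parse_sections(pe)
    findings, packed_bytes = [], 0
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"section {s['name']}: name indicates UPX")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"section {s['name']}: entropy {s['entropy']:.2f} is high")
            packed_bytes += s["size_of_data"]
    # Assumption: "packed ratio" here is high-entropy raw data divided by total file size.
    return {"sections": sections, "findings": findings,
            "packed_ratio": packed_bytes / len(pe) if pe else 0.0}


def build_pe(sections, align=0x200) -> bytes:
    """Constructed minimal PE32 image: enough header for parse_sections(), not a loadable binary."""
    opt_size = 0xE0                                          # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + SECTION_HDR.size * len(sections)
    first_raw = -(-hdr_len // align) * align                 # round headers up to file alignment
    raw_ptr, vaddr, table, blobs = first_raw, 0x1000, b"", b""
    for name, data in sections:
        raw_size = len(data)
        padded = -(-raw_size // align) * align
        vsize = max(raw_size, 0x1000)
        table += SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\0"), vsize, vaddr, raw_size,
                                  raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(padded, b"\0")
        raw_ptr += padded
        vaddr += -(-vsize // 0x1000) * 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)    # e_lfanew at 0x3C points to 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    header = dos + b"PE\0\0" + coff + optional + table
    return header.ljust(first_raw, b"\0") + blobs


_rng = random.Random(7)
SAMPLE_PE = build_pe([                                               # constructed, not the sample
    ("UPX0", b""),                                                   # real UPX0 carries no raw data
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(0x2000))),    # stand-in for compressed code
    (".rsrc", b"VERSIONINFO\0" * 100),                               # low-entropy resources
])

if __name__ == "__main__":
    report = packer_indicators(SAMPLE_PE)
    for s in report["sections"]:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:08x} raw=0x{s['size_of_data']:08x} entropy={s['entropy']:.3f}")
    for f in report["findings"]:
        print(f)
    print(f"packed ratio: {report['packed_ratio']:.3f}")
```

Run against the real sample, parse_sections() would return the UPX1 values the report lists (virtual_address 0x0006b000, size_of_data 0x00026600, entropy 7.92); the per-section entropy is the robust signal, since renaming the sections defeats the name check but not the statistics of LZMA output.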