Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 5, 2024, 9:25 a.m.	Aug. 5, 2024, 9:33 a.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bdbf44c6de9ea5f7231b0106d672f69b`
SHA256	`d4697d01a63f804dd042d4c57611caeb53f9cfa0c5e14c5e5d03a373cde8fe9b`
CRC32	`4148C102`
ssdeep	`49152:2qeNV1hu+NsenAyxgDEH598aGJ0YF1I8P7Jop40jpv6gWz:nELh0enAyOwH51Yo8C4Esgo`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
840
- setup.tmp "C:\Users\test22\AppData\Local\Temp\is-JRGUD.tmp\setup.tmp" /SL5="$30028,1882994,780800,C:\Users\test22\AppData\Local\Temp\setup.exe"
  2120
  - CWGService.exe "C:\Program Files (x86)\WebGuard\CWGService.exe" install
    2588
  - CWGService.exe "C:\Program Files (x86)\WebGuard\CWGService.exe" start
    2652
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 5, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2024, 9:25 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 5, 2024, 9:25 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 9:25 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 9:25 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 9:25 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2024, 9:25 a.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2024, 9:18 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Aug. 5, 2024, 9:32 a.m.	service_start_name: start_type: 2 password: display_name: Chrome WebGuard Service filepath: C:\Program Files (x86)\WebGuard\CWGService.exe service_name: cwgservice filepath_r: C:\Program Files (x86)\WebGuard\CWGService.exe desired_access: 983551 service_handle: 0x006b5860 error_control: 1 service_type: 272 service_manager_handle: 0x006b5900	1	7034976	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-JRGUD.tmp\setup.tmp

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

APEX	Malicious
BitDefenderTheta	Gen:NN.ZexaE.36810.Dx3@aG6N6tdO

Queries for potentially installed applications (8 events)

Time & API	Arguments	Return
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2
RegOpenKeyExW Aug. 5, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{17EDBD0B-7E07-4E12-83DE-756A849AEEC4}_is1	2

Installs itself for autorun at Windows startup (1 event)

service_name

cwgservice

service_path

C:\Program Files (x86)\WebGuard\CWGService.exe

Attempts to modify browser security settings (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\idrWebDialog.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-JRGUD.tmp\setup.tmp

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All