Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 5, 2024, 10:33 a.m.	Aug. 5, 2024, 11:01 a.m.

Size	37.5KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`b61f420fbf37cc18ac5668bf183d57c6`
SHA256	`da7e3ec3246fde5e42f11dd557cf23af84460b5e6048f84e5db35a15c899fb2c`
CRC32	`360069AD`
ssdeep	`768:DgiLPoEVUn+ajptzLxKCea4o5GmbCuDhtxeculFsYR:/LPoEVU+a1tMCerofhtQBDsy`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

cvekil.exe "C:\Users\test22\AppData\Local\Temp\cvekil.exe"
1836
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\BE59.tmp\2.bat" "C:\Users\test22\AppData\Local\Temp\cvekil.exe""
  2088
  - lodctr.exe lodctr /s:"C:\Users\test22\AppData\Local\Temp\perf.tmp"
    2172
  - cmd.exe C:\Windows\system32\cmd.exe /c find "230=" "C:\Users\test22\AppData\Local\Temp\perf.tmp" | findstr /brc:"230="
    2548
    - find.exe find "230=" "C:\Users\test22\AppData\Local\Temp\perf.tmp"
      2592
    - findstr.exe findstr /brc:"230="
      2632
  - cmd.exe C:\Windows\system32\cmd.exe /c find "684=" "C:\Users\test22\AppData\Local\Temp\perf.tmp" | findstr /brc:"684="
    2680
    - find.exe find "684=" "C:\Users\test22\AppData\Local\Temp\perf.tmp"
      2724
    - findstr.exe findstr /brc:"684="
      2764
  - cmd.exe C:\Windows\system32\cmd.exe /c typeperf "\Process(cve)\Elapsed Time" -sc 1 | findstr /rc:":"
    2812
    - typeperf.exe typeperf "\Process(cve)\Elapsed Time" -sc 1
      2856
    - findstr.exe findstr /rc:":"
      2896
  - timeout.exe TIMEOUT /T 30 /NOBREAK
    3004
  - lodctr.exe lodctr /s:"C:\Users\test22\AppData\Local\Temp\perf.tmp"
    2132
  - cmd.exe C:\Windows\system32\cmd.exe /c find "230=" "C:\Users\test22\AppData\Local\Temp\perf.tmp" | findstr /brc:"230="
    2340
    - find.exe find "230=" "C:\Users\test22\AppData\Local\Temp\perf.tmp"
      536
    - findstr.exe findstr /brc:"230="
      296
  - cmd.exe C:\Windows\system32\cmd.exe /c find "684=" "C:\Users\test22\AppData\Local\Temp\perf.tmp" | findstr /brc:"684="
    2568
    - find.exe find "684=" "C:\Users\test22\AppData\Local\Temp\perf.tmp"
      2644
    - findstr.exe findstr /brc:"684="
      2700
  - cmd.exe C:\Windows\system32\cmd.exe /c typeperf "\Process(process has not been found)\Elapsed Time" -sc 1 | findstr /rc:":"
    2796
    - typeperf.exe typeperf "\Process(process has not been found)\Elapsed Time" -sc 1
      2844
    - findstr.exe findstr /rc:":"
      2908
  - timeout.exe TIMEOUT /T 30 /NOBREAK
    3016
  - lodctr.exe lodctr /s:"C:\Users\test22\AppData\Local\Temp\perf.tmp"
    3044

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 5, 2024, 10:33 a.m.	computer_name:		0
GetComputerNameW Aug. 5, 2024, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2024, 10:27 a.m.	computer_name:		0
GetComputerNameW Aug. 5, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2024, 10:28 a.m.	computer_name:		0
GetComputerNameW Aug. 5, 2024, 10:28 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2024, 10:33 a.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 5, 2024, 10:33 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\BE59.tmp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:33 a.m.	buffer: 99.cmd console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:33 a.m.	buffer: cve console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:34 a.m.	buffer: =>err : process has not been found console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:34 a.m.	buffer: =>err : process has not been found console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:26 a.m.	buffer: Waiting for 30 console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:26 a.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:27 a.m.	buffer: Waiting for 30 console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 5, 2024, 10:27 a.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x0000000000000007	1	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\BE59.tmp\2.bat
file	C:\Users\test22\AppData\Local\Temp\BE59.tmp\99.cmd

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /c find "684=" "C:\Users\test22\AppData\Local\Temp\perf.tmp" \| findstr /brc:"684="
cmdline	C:\Windows\system32\cmd.exe /c typeperf "\Process(process has not been found)\Elapsed Time" -sc 1 \| findstr /rc:":"
cmdline	C:\Windows\system32\cmd.exe /c typeperf "\Process(cve)\Elapsed Time" -sc 1 \| findstr /rc:":"
cmdline	C:\Windows\system32\cmd.exe /c find "230=" "C:\Users\test22\AppData\Local\Temp\perf.tmp" \| findstr /brc:"230="

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00008c00', u'virtual_address': u'0x00011000', u'entropy': 7.954622287365347, u'name': u'UPX1', u'virtual_size': u'0x00009000'}

entropy

7.95462228737

description

A section with a high entropy has been found

entropy

0.945945945946

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	typeperf "\Process(cve)\Elapsed Time" -sc 1
cmdline	C:\Windows\system32\cmd.exe /c typeperf "\Process(process has not been found)\Elapsed Time" -sc 1 \| findstr /rc:":"
cmdline	C:\Windows\system32\cmd.exe /c typeperf "\Process(cve)\Elapsed Time" -sc 1 \| findstr /rc:":"
cmdline	typeperf "\Process(process has not been found)\Elapsed Time" -sc 1

Creates an Alternate Data Stream (ADS) (2 events)

file	C:\Users\test22\AppData\Local\Temp\BE59.tmp\call:findlocalestr
file	C:\Users\test22\AppData\Local\Temp\BE59.tmp\call:err

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\perf.tmp

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Convagent.4!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Generic.nc
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Vpl1
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
APEX	Malicious
McAfee	Artemis!B61F420FBF37
Avast	Win64:Malware-gen
Alibaba	Trojan:Win64/Genric.bb431c3d
Rising	Trojan.Convagent!8.12323 (CLOUD)
Emsisoft	Trojan.Agent (A)
DrWeb	BAT.Siggen.70
Zillya	Trojan.Convagent.Win32.12513
TrendMicro	TROJ_FRS.VSNTJQ23
McAfeeD	Real Protect-LS!B61F420FBF37
FireEye	Generic.mg.b61f420fbf37cc18
Ikarus	BAT.Siggen
Jiangmin	Trojan.Scar.ej
Google	Detected
Antiy-AVL	Trojan/Win32.Agent
Microsoft	Trojan:Win32/Casdet!rfn
Varist	W64/ABRisk.TJAQ-1141
TACHYON	Trojan/W32.SchoolGirl.76288
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.2189428007
Panda	PUP/Hacktool
TrendMicro-HouseCall	TROJ_FRS.VSNTJQ23
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win64:Malware-gen
CrowdStrike	win/malicious_confidence_70% (W)
alibabacloud	Suspicious

cvekil.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All