Summary | ZeroBOX

wmiexec.exe

Gen1 Generic Malware Malicious Library UPX .NET DLL PE File OS Processor Check PE32 DLL
Category FILE
Machine s1_win7_x6401
Started Aug. 5, 2024, 10:34 a.m.
Completed Aug. 5, 2024, 10:36 a.m.
Size 5.8MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 47e001253af2003985f15282cdc90a1c
SHA256 14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8
CRC32 A65320E8
ssdeep 98304:gP9cxRyyVyGHAeBSut+aFNnLlPLeqNZ8hY/1KbxabdDkEduupR9QgWsezIfbkeRU:C9wlX+aFFLlPKQ8hY/DkwWsW4ge+
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: I
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: mpacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: sage: wmiexec.exe [-h] [-share SHARE] [-nooutput] [-debug] [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] target [command [command ...]] Executes a semi-interactive shell using Windows Management Instrumentation. positional arguments: target [[domain/]username[:password]@]<targetName or address> command command to execute at the target. If empty it will launch a semi-interactive shell optional arguments: -h, --help show this help message and exit -share SHARE share where the output will be grabbed from (default ADMIN$) -nooutput whether or not to print the output (no SMB connection created) -debug Turn DEBUG output ON -codec CODEC Sets encoding used (codec) from the target's output (default "cp437"). If errors are detected, run chcp.com at the target, map the result with https://docs.python.org/2.4/lib/standard- encodings.html and then execute wmiexec.py again with -codec and the corresponding codec authentication: -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH -no-pass don't ask for password (useful for -k) -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits) -dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter -A authfile smbclient/mount.cifs-style authentication file. See smbclient man page's -A option.
console_handle: 0x00000007
1 1 0
section .gfids
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2612
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00550000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\_MEI25402\msvcr90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI25402\python27.dll
file C:\Users\test22\AppData\Local\Temp\_MEI25402\pywintypes27.dll
file C:\Users\test22\AppData\Local\Temp\_MEI25402\msvcm90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI25402\msvcp90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Cipher._DES3.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\bz2.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Util.strxor.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\_socket.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\select.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\_ssl.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Cipher._ARC4.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\win32pipe.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Util._counter.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\pyexpat.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\win32api.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Random.OSRNG.winrandom.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\win32evtlog.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\_ctypes.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\_hashlib.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Hash._SHA256.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Cipher._DES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Cipher._AES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\unicodedata.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI25402\Crypto.Hash._MD4.pyd
Bkav W32.AIDetectMalware
Lionic Hacktool.Win32.Impacket.3!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
Skyhigh HTool-WMIExec
ALYac Misc.Riskware.Python
Cylance Unsafe
VIPRE Trojan.GenericKD.41342704
Sangfor Riskware.Win32.Wmiexec.Vh3h
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.GenericKD.41342704
K7GW Riskware ( 0040eff71 )
Cybereason malicious.53af20
Arcabit Trojan.Generic.D276D6F0
Symantec Trojan.Seaduke
ESET-NOD32 Python/Riskware.WMIExec.B
McAfee Artemis!47E001253AF2
Avast FileRepMalware [Misc]
Kaspersky HackTool.Win32.Alien.ch
Alibaba HackTool:Win32/Alien.88903882
NANO-Antivirus Riskware.Win32.Python.hirynk
MicroWorld-eScan Trojan.GenericKD.41342704
Emsisoft Trojan.GenericKD.41342704 (B)
F-Secure HackTool:W32/Impacket.A!dcomexec
DrWeb Tool.Impacket.3
TrendMicro HackTool.Win32.Impacket.AA
McAfeeD ti!14F0C4CE3282
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.47e001253af20039
Sophos Impacket (PUA)
Webroot W32.HackTool.Gen
Google Detected
Avira SPR/WMIExec.AK
Antiy-AVL Trojan[APT]/Python.Lazarus
Kingsoft Win32.Riskware.Generic.f
Microsoft Trojan:Win32/Skeeyah.B!rfn
ZoneAlarm HackTool.Win32.Alien.ch
GData Trojan.GenericKD.41342704
Varist W32/Trojan.BIGB-5391
AhnLab-V3 HackTool/Win.impacket.C4656454
DeepInstinct MALICIOUS
Malwarebytes Neshta.Virus.FileInfector.DDS
Panda Trj/CI.A
TrendMicro-HouseCall HackTool.Win32.Impacket.AA
Tencent Win32.Hacktool.Alien.Kjgl
MAX malware (ai score=100)
MaxSecure Trojan.Malware.74437101.susgen
Fortinet Riskware/Impacket
AVG FileRepMalware [Misc]
Paloalto generic.ml