Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 5, 2024, 10:35 a.m.	Aug. 5, 2024, 10:59 a.m.

Size	5.8MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`233d80fbd1fc0ad6562df06f55f01d0f`
SHA256	`3f524964ebb3e675a7e877db2f432a5e58b8510bce9c2e7f0c383f6e08a6e91f`
CRC32	`3EDBC46E`
ssdeep	`98304:gP9caRyyVyGHAeBSut+aFNnAlPLeqNZ8hY/1KbxabdDkEduupRyQgWse/IfbkeRU:C99lX+aFFAlPKQ8hY/DktWs+4ge+`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

atexec.exe "C:\Users\test22\AppData\Local\Temp\atexec.exe"
1072
- atexec.exe "C:\Users\test22\AppData\Local\Temp\atexec.exe"
  872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleA Aug. 5, 2024, 10:35 a.m.	buffer: I console_handle: 0x00000007	1	1
WriteConsoleA Aug. 5, 2024, 10:35 a.m.	buffer: mpacket v0.9.17 - Copyright 2002-2018 Core Security Technologies console_handle: 0x00000007	1	1
WriteConsoleA Aug. 5, 2024, 10:35 a.m.	buffer: !] This will work ONLY on Windows >= Vista console_handle: 0x00000007	1	1
WriteConsoleA Aug. 5, 2024, 10:35 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 5, 2024, 10:35 a.m.	buffer: sage: atexec.exe [-h] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target [command [command ...]] positional arguments: target [[domain/]username[:password]@]<targetName or address> command command to execute at the target optional arguments: -h, --help show this help message and exit -debug Turn DEBUG output ON authentication: -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH -no-pass don't ask for password (useful for -k) -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits) -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 5, 2024, 10:35 a.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI10722\pywintypes27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\python27.dll

Drops an executable to the user AppData folder (25 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Cipher._DES3.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\bz2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Util.strxor.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\_socket.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\pywintypes27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\select.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\_ssl.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Cipher._ARC4.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\win32pipe.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Util._counter.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\pyexpat.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\win32api.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Random.OSRNG.winrandom.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\win32evtlog.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\_ctypes.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\_hashlib.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Hash._SHA256.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Cipher._DES.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Cipher._AES.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\unicodedata.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI10722\Crypto.Hash._MD4.pyd

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Hacktool.Win32.Python.3!c
MicroWorld-eScan	Gen:Application.Impacket.1
Skyhigh	BehavesLike.Win32.Dropper.tc
ALYac	Gen:Application.Impacket.1
Cylance	Unsafe
VIPRE	Gen:Application.Impacket.1
Sangfor	Riskware.Python.Impacket.V33w
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Gen:Application.Impacket.1
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.bd1fc0
Arcabit	Application.Impacket.1 [many]
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Python/Riskware.Atexec.A
McAfee	Artemis!233D80FBD1FC
Avast	FileRepMalware [Misc]
Kaspersky	UDS:HackTool.Python.Impacket.a
Alibaba	HackTool:Win32/Impacket.7a0e27de
Emsisoft	Gen:Application.Impacket.1 (B)
F-Secure	HackTool:W32/Impacket.A!atexec
DrWeb	Tool.Impacket.7
TrendMicro	HackTool.Win32.Mpacket.SM
McAfeeD	ti!3F524964EBB3
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.233d80fbd1fc0ad6
Sophos	ATK/Impacket-E
Webroot	W32.HackTool.Gen
Google	Detected
Gridinsoft	Malware.Win32.GenericMC.cc
Xcitium	ApplicUnwnt@#37jz23xivta3l
Microsoft	HackTool:Win32/Impacket
ZoneAlarm	HEUR:HackTool.Python.Impacket.gen
GData	Gen:Application.Impacket.1 (11x)
Varist	W32/ABApplication.KZDW-0331
DeepInstinct	MALICIOUS
Malwarebytes	Neshta.Virus.FileInfector.DDS
Panda	PUP/Hacktool
TrendMicro-HouseCall	HackTool.Win32.Mpacket.SM
Tencent	Win32.Hacktool.Impacket.Sgil
AVG	FileRepMalware [Misc]
Paloalto	generic.ml
CrowdStrike	win/grayware_confidence_100% (W)
alibabacloud	Exploit:Win/MS17-010.E

atexec.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All