Summary | ZeroBOX

psexec.exe

Tags: Gen1, Generic Malware, Malicious Library, UPX, .NET DLL, PE File, OS Processor Check, PE32, DLL
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 5, 2024, 10:36 a.m.
Completed: Aug. 5, 2024, 10:50 a.m.
Size: 5.8MB
Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: 1dd30422a1cb52d87337debb4983d342
SHA256: 7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7
CRC32: 49B75745
ssdeep: 98304:gP9cgRyyVyGHAeBSut+aFNnLlPLeqNZ8hY/LKbxabdDkEduupRlQgWse0XIfbke+:C9zlX+aFFLlPKQ8hY/RkQWslX4ge+
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Addresses (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API Calls (Time & API / Arguments / Status / Return / Repeated)

WriteConsoleA
  buffer: I
  console_handle: 0x00000007
  status: 1, return: 1, repeated: 0

WriteConsoleA
  buffer: mpacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
  console_handle: 0x00000007
  status: 1, return: 1, repeated: 0

WriteConsoleA
  buffer: u
  console_handle: 0x00000007
  status: 1, return: 1, repeated: 0

WriteConsoleA
  buffer: sage: psexec.exe [-h] [-c pathname] [-path PATH] [-file FILE] [-debug]
          [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
          [-dc-ip ip address] [-target-ip ip address]
          [-port [destination port]] [-service-name service name]
          target [command [command ...]]

    PSEXEC like functionality example using RemComSvc.

    positional arguments:
      target                [[domain/]username[:password]@]<targetName or address>
      command               command (or arguments if -c is used) to execute at the target (w/o path) - (default:cmd.exe)

    optional arguments:
      -h, --help            show this help message and exit
      -c pathname           copy the filename for later execution, arguments are passed in the command option
      -path PATH            path of the command to execute
      -file FILE            alternative RemCom binary (be sure it doesn't require CRT)
      -debug                Turn DEBUG output ON

    authentication:
      -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH
      -no-pass              don't ask for password (useful for -k)
      -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
      -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

    connection:
      -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
      -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
      -port [destination port]
                            Destination port to connect to SMB Server
      -service-name service name
                            This will be the name of the service
  console_handle: 0x00000007
  status: 1, return: 1, repeated: 0
section .gfids
API Calls (Time & API / Arguments / Status / Return / Repeated)

NtAllocateVirtualMemory
  process_identifier: 2624
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x007e0000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
Dropped Files
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\msvcr90.dll
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\msvcp90.dll
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\python27.dll
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\pywintypes27.dll
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\msvcm90.dll
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Cipher._DES3.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\bz2.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Util.strxor.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\_socket.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\select.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\_ssl.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Cipher._ARC4.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\win32pipe.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Util._counter.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\pyexpat.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\win32api.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Random.OSRNG.winrandom.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\win32evtlog.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\_ctypes.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\_hashlib.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Hash._SHA256.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Cipher._DES.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Cipher._AES.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\unicodedata.pyd
  • C:\Users\test22\AppData\Local\Temp\_MEI25442\Crypto.Hash._MD4.pyd

Command Line
  cmdline "C:\Users\test22\AppData\Local\Temp\psexec.exe"

Antivirus Result
Bkav W32.AIDetectMalware
Lionic Hacktool.Win32.Agent.3!c
Skyhigh BehavesLike.Win32.Dropper.tc
ALYac Trojan.Agent.Casdet
Cylance Unsafe
VIPRE Application.Hacktool.AJB
Sangfor Hacktool.Win32.APT27.IOC
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Application.Hacktool.AJB
K7GW Riskware ( 0040eff71 )
Cybereason malicious.2a1cb5
Symantec Trojan.Seaduke
ESET-NOD32 Python/SdbMine.B
Avast FileRepMalware [Misc]
Kaspersky HackTool.Win32.Agent.aigy
Alibaba Trojan:Win32/SdbMine.d775e118
MicroWorld-eScan Application.Hacktool.AJB
Emsisoft Application.Hacktool.AJB (B)
DrWeb Tool.Mimikatz.1220
TrendMicro HackTool.Win32.Impacket.AA
McAfeeD ti!7EEA6E15BB13
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.1dd30422a1cb52d8
Sophos ATK/LaZagne-A
Webroot W32.HackTool.Gen
Google Detected
MAX malware (ai score=100)
Antiy-AVL Trojan[APT]/Python.APT27
Arcabit Application.Hacktool.AJB
ZoneAlarm HackTool.Win32.Agent.aigy
GData Application.Hacktool.AJB
Varist W32/Tool.OBQG-1960
AhnLab-V3 HackTool/Win32.Agent.C3292969
DeepInstinct MALICIOUS
Malwarebytes Neshta.Virus.FileInfector.DDS
Panda Trj/CI.A
TrendMicro-HouseCall HackTool.Win32.Impacket.AA
Tencent Win32.Hacktool.Agent.Bujl
MaxSecure Trojan.Malware.74500822.susgen
Fortinet W32/Impack.A!tr
AVG FileRepMalware [Misc]
Paloalto generic.ml
CrowdStrike win/grayware_confidence_100% (W)
alibabacloud Exploit:Win/MS17-010.E