Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 5, 2024, 10:36 a.m.	Aug. 5, 2024, 11:11 a.m.

Size	475.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`1f0754128f1fd32781886c3d9e7dc138`
SHA256	`e5bcef72212f77a5390675d5fc24433af0e682db535969894f967a409eefb8aa`
CRC32	`B73A230B`
ssdeep	`12288:EfqiJSvtZDd4YQp7T8BPZ0T9XG1rVBbtpIwaDoS8:GqiWfvQpX8T0h2r/b/IDK`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

SS.exe "C:\Users\test22\AppData\Local\Temp\SS.exe"
2556
- cmd.exe cmd /c sc config "UxSms" start= demand
  2632
  - sc.exe sc config "UxSms" start= demand
    2692
- cmd.exe cmd /c net stop "Desktop Window Manager Session Manager"
  2768
  - net.exe net stop "Desktop Window Manager Session Manager"
    2828
    - net1.exe C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      2872
- cmd.exe cmd /c net start "Desktop Window Manager Session Manager"
  2932
  - net.exe net start "Desktop Window Manager Session Manager"
    2992
    - net1.exe C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      3036
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2076
- cmd.exe cmd /c net stop "Desktop Window Manager Session Manager"
  2552
  - net.exe net stop "Desktop Window Manager Session Manager"
    2644
    - net1.exe C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      2696
- cmd.exe cmd /c net start "Desktop Window Manager Session Manager"
  2364
  - net.exe net start "Desktop Window Manager Session Manager"
    2840
    - net1.exe C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      1144
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  3068
- cmd.exe cmd /c net stop "Desktop Window Manager Session Manager"
  2996
  - net.exe net stop "Desktop Window Manager Session Manager"
    2224
    - net1.exe C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      284
- cmd.exe cmd /c net start "Desktop Window Manager Session Manager"
  2576
  - net.exe net start "Desktop Window Manager Session Manager"
    2688
    - net1.exe C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2024, 10:36 a.m.			0	0
IsDebuggerPresent Aug. 5, 2024, 10:36 a.m.			0	0

Command line console output was observed (13 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: [SC] ChangeServiceConfig SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service could not be stopped. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is starting console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service was started successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service could not be stopped. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is starting console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service was started successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service could not be stopped. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is starting console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service was started successfully. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2024, 10:36 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 5, 2024, 10:37 a.m.	stacktrace: ss+0xbf80 @ 0x40bf80 ss+0xbaf1 @ 0x40baf1 ss+0x19c88 @ 0x419c88 ss+0x3385c @ 0x43385c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 43 3c 0f b7 c9 8b 44 18 78 2b 4c 18 10 8b 44 exception.symbol: ss+0xcff1 exception.instruction: mov eax, dword ptr [ebx + 0x3c] exception.module: SS.exe exception.exception_code: 0xc0000005 exception.offset: 53233 exception.address: 0x40cff1 registers.esp: 1637984 registers.edi: 45470296 registers.eax: 0 registers.ebp: 1638028 registers.edx: 45088768 registers.ebx: 0 registers.esi: 45676312 registers.ecx: 2147483650	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 2556 region_size: 634880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d24000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71914000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71952000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71881000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73501000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c3058

size

0x00000248

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 5, 2024, 10:36 a.m.	show_type: 0 filepath_r: C:\Windows\Resources\Themes\aero.theme parameters: filepath: C:\Windows\Resources\Themes\aero.theme	1	1	0
ShellExecuteExW Aug. 5, 2024, 10:36 a.m.	show_type: 0 filepath_r: C:\Windows\Resources\Themes\aero.theme parameters: filepath: C:\Windows\Resources\Themes\aero.theme	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00076200', u'virtual_address': u'0x0004b000', u'entropy': 7.999083070325363, u'name': u'UPX1', u'virtual_size': u'0x00077000'}

entropy

7.99908307033

description

A section with a high entropy has been found

entropy

0.995785036881

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	sc config "UxSms" start= demand
cmdline	cmd /c sc config "UxSms" start= demand
cmdline	cmd /c net start "Desktop Window Manager Session Manager"
cmdline	net stop "Desktop Window Manager Session Manager"
cmdline	net start "Desktop Window Manager Session Manager"
cmdline	cmd /c net stop "Desktop Window Manager Session Manager"

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService Aug. 5, 2024, 10:36 a.m.	service_handle: 0x0055d5a0 service_name: UxSms control_code: 1	1	1	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.BlackMoon.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Gen:Variant.Zusy.554925
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.554925
Sangfor	Trojan.Win32.Blackmoon.V90u
BitDefender	Gen:Variant.Zusy.554925
Cybereason	malicious.28f1fd
Arcabit	Trojan.Zusy.D877AD
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.BlackMoon.A suspicious
APEX	Malicious
McAfee	Artemis!1F0754128F1F
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Gen:Variant.Zusy.554925
Rising	Worm.Convagent!8.12386 (CLOUD)
Emsisoft	Gen:Variant.Zusy.554925 (B)
F-Secure	Trojan.TR/ATRAPS.Gen
TrendMicro	TrojanSpy.Win32.BLACKMOON.YXEHDZ
McAfeeD	Real Protect-LS!1F0754128F1F
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1f0754128f1fd327
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.FakeAV
Google	Detected
Avira	TR/ATRAPS.Gen
Antiy-AVL	Trojan[Packed]/Win32.Blackmoon
Kingsoft	malware.kb.b.992
Gridinsoft	Ransom.Win32.Wacatac.sa
Xcitium	TrojWare.Win32.TrojanSpy.Banker.OV@6e1pyh
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win.Z.Zusy.486912
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Zusy.554925
Varist	W32/ABTrojan.UYES-3843
AhnLab-V3	Trojan/Win.Generic.R658019
BitDefenderTheta	Gen:NN.ZexaF.36810.DqKfaiVvFLpb
DeepInstinct	MALICIOUS
Malwarebytes	MachineLearning/Anomalous.100%
TrendMicro-HouseCall	TrojanSpy.Win32.BLACKMOON.YXEHDZ
MAX	malware (ai score=84)
Fortinet	Riskware/Application
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (W)
alibabacloud	VirTool:Win/Packed.BlackMoon.A

SS.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All