Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 5, 2024, 10:36 a.m.	Aug. 5, 2024, 11:03 a.m.

Size	503.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`e91d7d92b5c5ab6d2c6ee2da175bb119`
SHA256	`b79598539cbd6f285069c82af03bf418adbd5c168802b987c5c690cb71122580`
CRC32	`5202F779`
ssdeep	`12288:vZVS2bdkdrJ49Fd7yKDbfkPIO1YJF1rX3J2pghjYpAg9ghhvoSi:vtd+4x7LHcweUF1rX3J2pFWDhG`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Na.exe "C:\Users\test22\AppData\Local\Temp\Na.exe"
2544
- cmd.exe cmd /c sc config "UxSms" start= demand
  2596
  - sc.exe sc config "UxSms" start= demand
    2656
- cmd.exe cmd /c net stop "Desktop Window Manager Session Manager"
  2756
  - net.exe net stop "Desktop Window Manager Session Manager"
    2816
    - net1.exe C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      2860
- cmd.exe cmd /c net start "Desktop Window Manager Session Manager"
  2916
  - net.exe net start "Desktop Window Manager Session Manager"
    2976
    - net1.exe C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      3020
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  1964
- cmd.exe cmd /c net stop "Desktop Window Manager Session Manager"
  2492
  - net.exe net stop "Desktop Window Manager Session Manager"
    2572
    - net1.exe C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      2684
- cmd.exe cmd /c net start "Desktop Window Manager Session Manager"
  2704
  - net.exe net start "Desktop Window Manager Session Manager"
    2796
    - net1.exe C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      1408
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  3032
- cmd.exe cmd /c net stop "Desktop Window Manager Session Manager"
  2964
  - net.exe net stop "Desktop Window Manager Session Manager"
    2104
    - net1.exe C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      2404
- cmd.exe cmd /c net start "Desktop Window Manager Session Manager"
  2484
  - net.exe net start "Desktop Window Manager Session Manager"
    2640
    - net1.exe C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2024, 10:36 a.m.			0	0
IsDebuggerPresent Aug. 5, 2024, 10:37 a.m.			0	0

Command line console output was observed (13 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: [SC] ChangeServiceConfig SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service could not be stopped. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service is starting console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:36 a.m.	buffer: The Desktop Window Manager Session Manager service was started successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service could not be stopped. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service is starting console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service was started successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service could not be stopped. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service is starting console_handle: 0x00000007	1	1
WriteConsoleW Aug. 5, 2024, 10:37 a.m.	buffer: The Desktop Window Manager Session Manager service was started successfully. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2024, 10:36 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 5, 2024, 10:37 a.m.	stacktrace: na+0x27317 @ 0x427317 na+0x26e88 @ 0x426e88 na+0x37dc7 @ 0x437dc7 na+0x543c9 @ 0x4543c9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 43 3c 0f b7 c9 8b 44 18 78 2b 4c 18 10 8b 44 exception.symbol: na+0x28388 exception.instruction: mov eax, dword ptr [ebx + 0x3c] exception.module: Na.exe exception.exception_code: 0xc0000005 exception.offset: 164744 exception.address: 0x428388 registers.esp: 1637984 registers.edi: 45994584 registers.eax: 0 registers.ebp: 1638028 registers.edx: 45613056 registers.ebx: 0 registers.esi: 46200600 registers.ecx: 2147483650	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 2544 region_size: 634880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d24000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 1964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71914000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71952000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71881000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 10:37 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73501000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000f7058

size

0x00000240

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 5, 2024, 10:36 a.m.	show_type: 0 filepath_r: C:\Windows\Resources\Themes\aero.theme parameters: filepath: C:\Windows\Resources\Themes\aero.theme	1	1	0
ShellExecuteExW Aug. 5, 2024, 10:37 a.m.	show_type: 0 filepath_r: C:\Windows\Resources\Themes\aero.theme parameters: filepath: C:\Windows\Resources\Themes\aero.theme	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007d000', u'virtual_address': u'0x00079000', u'entropy': 7.999266911137163, u'name': u'UPX1', u'virtual_size': u'0x0007d000'}

entropy

7.99926691114

description

A section with a high entropy has been found

entropy

0.996015936255

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	sc config "UxSms" start= demand
cmdline	cmd /c sc config "UxSms" start= demand
cmdline	cmd /c net start "Desktop Window Manager Session Manager"
cmdline	net stop "Desktop Window Manager Session Manager"
cmdline	net start "Desktop Window Manager Session Manager"
cmdline	cmd /c net stop "Desktop Window Manager Session Manager"

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService Aug. 5, 2024, 10:36 a.m.	service_handle: 0x007bd5a0 service_name: UxSms control_code: 1	1	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.BlackMoon.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.hc
ALYac	Gen:Variant.Zusy.554925
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.554925
Sangfor	Trojan.Win32.Blackmoon.V33t
BitDefender	Gen:Variant.Zusy.554925
Cybereason	malicious.2b5c5a
Arcabit	Trojan.Zusy.D877AD
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.BlackMoon.A suspicious
APEX	Malicious
McAfee	Artemis!E91D7D92B5C5
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Worm:Win32/MalwareX.3cf0c735
MicroWorld-eScan	Gen:Variant.Zusy.554925
Rising	Downloader.Convagent!8.123D1 (CLOUD)
Emsisoft	Application.Generic (A)
F-Secure	Trojan.TR/ATRAPS.Gen
TrendMicro	TrojanSpy.Win32.BLACKMOON.YXEHDZ
McAfeeD	Real Protect-LS!E91D7D92B5C5
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.e91d7d92b5c5ab6d
Sophos	BlackMoon Packed (PUA)
Ikarus	Trojan.Win32.FakeAV
Google	Detected
Avira	TR/ATRAPS.Gen
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Packed]/Win32.Blackmoon
Kingsoft	malware.kb.b.986
Gridinsoft	Ransom.Win32.Sabsik.sa
Xcitium	TrojWare.Win32.TrojanSpy.Banker.OV@6e1pyh
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Zusy.554925
Varist	W32/Trojan.GRW.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R658019
BitDefenderTheta	Gen:NN.ZexaF.36810.FqKfamzNWUcb
DeepInstinct	MALICIOUS
Malwarebytes	PUP.Optional.ChinAd
TrendMicro-HouseCall	TrojanSpy.Win32.BLACKMOON.YXEHDZ
SentinelOne	Static AI - Malicious PE
MaxSecure	Dropper.Dinwod.frindll
Fortinet	W32/CoinMiner.ESFJ!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml

Na.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All