Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 17, 2024, 1:15 p.m.	Sept. 17, 2024, 1:18 p.m.

Size	706.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b691fc64d3750b2f7fd2041064f7cbc4`
SHA256	`d52a633fee08de3642e5cdbf18c2e57e2b46ec1a43cfb5cd7e1591ba175d4600`
CRC32	`ECB0B2E6`
ssdeep	`12288:ZoeJDzAJAAuQqA9WU7eDoy7IhnFD9xQFBeJ2bmrHIu/YuaJQ8abvAcqdB7P9ykJ:K4x3QqA9KMy7IXRyeJsmU2KyvAcE7xJ`
Yara	PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

me.exe "C:\Users\test22\AppData\Local\Temp\me.exe"
2448
- cmd.exe cmd /c C:\Users\test22\Desktop\..\360Downloads\Pester.bat
  2508
  - PING.EXE ping -n 4 127.0.0.1
    2568

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (23 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 17, 2024, 1:15 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:15 p.m.	buffer: ping console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:15 p.m.	buffer: -n 4 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Sept. 17, 2024, 1:15 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2024, 1:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	CODE
section	DATA
section	BSS
section	.aspack
section	.adata

The executable uses a known packer (1 event)

packer

ASPack v2.12 -> Alexey Solodovnikov

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 17, 2024, 1:15 p.m.	process_identifier: 2448 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (50 out of 120 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001ee1a8

size

0x00000268

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\360Downloads\Pester.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\me.exe

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x00097600', u'virtual_address': u'0x00001000', u'entropy': 7.9996424094090735, u'name': u'CODE', u'virtual_size': u'0x001aa000'}

entropy

7.99964240941

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003800', u'virtual_address': u'0x001ab000', u'entropy': 7.971347799672101, u'name': u'DATA', u'virtual_size': u'0x00008000'}

entropy

7.97134779967

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001200', u'virtual_address': u'0x001b7000', u'entropy': 7.8996258025312915, u'name': u'.idata', u'virtual_size': u'0x00004000'}

entropy

7.89962580253

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000ea00', u'virtual_address': u'0x001da000', u'entropy': 7.465974589909418, u'name': u'.rsrc', u'virtual_size': u'0x0006a000'}

entropy

7.46597458991

description

A section with a high entropy has been found

entropy

0.967399007796

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping -n 4 127.0.0.1

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Znyonm.4!c
ALYac	Trojan.GenericKD.74127287
VIPRE	Trojan.GenericKD.74127287
Sangfor	Trojan.Win32.Znyonm.Vjhb
BitDefender	Trojan.GenericKD.74127287
Arcabit	Trojan.Generic.D46B17B7
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
Avast	Win32:Malware-gen
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Trojan.GenericKD.74127287
Rising	Trojan.Znyonm!8.18A3A (LESS:bWQ1Ot/f3Uo17GC1)
Emsisoft	Trojan.GenericKD.74127287 (B)
DrWeb	Trojan.MulDrop28.20947
McAfeeD	ti!D52A633FEE08
CTX	exe.trojan.znyonm
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKD.74127287
Google	Detected
Antiy-AVL	Trojan/Win32.Znyonm
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.74127287
Varist	W32/ABTrojan.QVJQ-5606
McAfee	Artemis!B691FC64D375
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Paloalto	generic.ml

me.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All