Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2024, 12:46 p.m.	Oct. 6, 2024, 12:50 p.m.

Size	5.4MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`925ec45b5ac88ab7af039190589204b9`
SHA256	`419901e7e1747a9c413e657920429ce1d31e1b5af24e68a7dd79629066118133`
CRC32	`D9E36488`
ssdeep	`98304:uN96axtbMmHcvr8kqxr5XXZqUNoe++Bgt78ACWbQXMc/FzqTx8neP:k9LXMmHcvr8rXXXZqe10t78ACWbUVUTG`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Updater.exe "C:\Users\test22\AppData\Local\Temp\Updater.exe"
2064
- cmd.exe "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2176
  - schtasks.exe schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    2252

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 6, 2024, 12:46 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 6, 2024, 12:46 p.m.	buffer: SUCCESS: The scheduled task "MyApp" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2024, 12:46 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.vmp\xe2\x98\x8fh

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	STYLE_XML
resource name	None

Creates a suspicious process (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 6, 2024, 12:46 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f filepath: cmd.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0054cc00', u'virtual_address': u'0x002b2000', u'entropy': 7.8958944956166865, u'name': u'.vmp\\xe2\\x98\\x8fh', u'virtual_size': u'0x0054ca90'}

entropy

7.89589449562

description

A section with a high entropy has been found

entropy

0.981818181818

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

The executable is likely packed with VMProtect (3 events)

section	.vmp\xe2\x98\x8fh	description	Section name indicates VMProtect
section	.vmp\xe2\x98\x8fh	description	Section name indicates VMProtect
section	.vmp\xe2\x98\x8fh	description	Section name indicates VMProtect

Installs itself for autorun at Windows startup (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

Uses Sysinternals tools in order to add additional command line functionality (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
Skyhigh	Artemis!Trojan
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_90% (D)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Avast	Win32:MalwareX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Dropper.Win32.Agent.tjbmor
Rising	Trojan.Generic!8.C3 (CLOUD)
F-Secure	Trojan.TR/AD.Nekark.qzrwp
McAfeeD	ti!419901E7E174
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.925ec45b5ac88ab7
Google	Detected
Avira	TR/AD.Nekark.qzrwp
Kingsoft	Win32.Trojan-Dropper.Agent.tjbmor
Gridinsoft	Ransom.Win32.Wacatac.ca
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win.Z.Wacatac.5699232
ZoneAlarm	Trojan-Dropper.Win32.Agent.tjbmor
Varist	W32/ABTrojan.SAZR-3568
AhnLab-V3	Suspicious/Win.MalPe.X2197
McAfee	Artemis!925EC45B5AC8
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4277566029
Ikarus	Win32.Outbreak
Panda	Trj/Chgt.AD
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[dropper]:Win/Wacatac.H9nj

Updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All