Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 15, 2024, 2:18 p.m.	Oct. 15, 2024, 2:24 p.m.

Size	19.0MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5f08961671234960517cefb9df7a8c41`
SHA256	`d5008a50f2867a9ec72e557977f54f9867b861dd184149016e98c4ee0b02806a`
CRC32	`265A5216`
ssdeep	`393216:wEkQc5SEaB1+TtIiFxcijMOGEt0V8IPSbLYY60XlimptqqSRVd:w9Sd1QtI4jMOi8IkLYY/5Sh`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

worker.exe "C:\Users\test22\AppData\Local\Temp\worker.exe"
2056
- worker.exe "C:\Users\test22\AppData\Local\Temp\worker.exe"
  2564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 15, 2024, 2:12 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 15, 2024, 2:11 p.m.		1	1	0

Creates executable files on the filesystem (46 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\pywin32_system32\pywintypes312.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\libffi-8.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\VCRUNTIME140_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\libcrypto-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\libssl-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\python312.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-runtime-l1-1-0.dll

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000f600', u'virtual_address': u'0x00047000', u'entropy': 7.554976062358976, u'name': u'.rsrc', u'virtual_size': u'0x0000f41c'}

entropy

7.55497606236

description

A section with a high entropy has been found

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Bkav	W64.AIDetectMalware
CrowdStrike	win/malicious_confidence_60% (D)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Zillya	Trojan.Agent.Win32.3991781
McAfeeD	ti!D5008A50F286
Kingsoft	Win32.Troj.Unknown.a
ZoneAlarm	UDS:DangerousObject.Multi.Generic
DeepInstinct	MALICIOUS
Paloalto	generic.ml

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 817 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Mendoza
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Creston
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Asia\Novokuznetsk
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Pacific\Kosrae
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Europe\Volgograd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Asia\Aqtobe
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Anchorage
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Europe\Budapest
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Europe\Warsaw
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Asia\Barnaul
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\eth_utils\__json\eth_networks.json
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\North_Dakota\New_Salem
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Asia\Baghdad
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Pacific\Bougainville
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Moncton
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\leapseconds
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Africa\Kinshasa
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Dawson_Creek
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Africa\Ndjamena
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\attrs-24.2.0.dist-info\licenses\LICENSE
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Pacific\Norfolk
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\eth_abi-5.1.0.dist-info\RECORD
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Africa\Luanda
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Australia\Canberra
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Europe\Saratov
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\VCRUNTIME140_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\St_Kitts
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Africa\Niamey
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\Crypto\Cipher\_raw_des.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\Crypto\Hash\_keccak.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Merida
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Africa\Ceuta
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\US\Mountain
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\Crypto\Hash\_poly1305.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\Crypto\Hash\_MD2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\eth_account-0.13.3.dist-info\LICENSE
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Matamoros
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\UCT
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\_zoneinfo.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Havana
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\eth_keys-0.5.1.dist-info\LICENSE
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Australia\Broken_Hill
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\Crypto\Hash\_ghash_portable.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\America\Argentina\Mendoza
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Asia\Almaty
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Etc\GMT-8
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\multidict\_multidict.cp312-win_amd64.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20562\tzdata\zoneinfo\Asia\Atyrau

worker.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All