Summary | ZeroBOX

pyi6.exe

Malicious Library UPX AntiDebug PE64 PE File AntiVM
Category FILE
Machine s1_win7_x6403_us
Started Oct. 20, 2024, 9:17 a.m.
Completed Oct. 20, 2024, 10:16 a.m.
Size 121.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 3b16dafca7fe3c55d66d70cab5adfb3e
SHA256 e7cfb2f10dbb17f5ae9dec1025926fb7993a504f0e569f0919e3afc3d9f6f185
CRC32 67DFD882
ssdeep 3072:+2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXM0:/bJhs7QW69hd1MMdxPe9N9uA0hu9TB50
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Domains (Name / Response / Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API  Arguments  Status Return Repeated
GetComputerNameW  computer_name: TEST22-PC  1 1 0
GetComputerNameW  computer_name: TEST22-PC  1 1 0
GetComputerNameW  computer_name: TEST22-PC  1 1 0
Time & API  Arguments  Status Return Repeated
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: taskkill; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: /f /im sunday.exe; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: taskkill; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: /f /im lolclient.exe; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: taskkill; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: /f /im rigel.exe; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: z:\comgame\qqwb_client\config\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: y:\comgame\qqwb_client\config\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: X:\comgame\qqwb_client\config\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: y:\mystream\pcstory\storyservice\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: t:\mystream\pcstory\storyservice\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: F:\Terminal\nginx64\resty\core\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: w:\mystream\pcstory\storyservice\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: z:\Terminal\nginx64\resty\core\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: e:\mystream\pcstory\storyservice\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The system cannot find the drive specified.; console_handle: 0x000000000000000b  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: copy; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: d:\mystream\pcstory\storyservice\rigel.exe C:\Users\Administrator\AppData\Local\Temp\; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: The device is not ready.; console_handle: 0x0000000000000007  1 1 0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>; console_handle: 0x0000000000000007  1 1 0
section .code
file C:\Users\test22\AppData\Local\Temp\BE78.tmp\BE89.tmp\BE8A.bat
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BE78.tmp\BE89.tmp\BE8A.bat C:\Users\test22\AppData\Local\Temp\pyi6.exe"
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rigel.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sunday.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lolclient.exe")
Time & API  Arguments  Status Return Repeated
ShellExecuteExW  show_type: 0; filepath_r: C:\Windows\system32\cmd; parameters: /c "C:\Users\test22\AppData\Local\Temp\BE78.tmp\BE89.tmp\BE8A.bat C:\Users\test22\AppData\Local\Temp\pyi6.exe"; filepath: C:\Windows\System32\cmd  1 1 0
section .rsrc (virtual_address 0x00022000, virtual_size 0x00000aec, size_of_data 0x00000c00, entropy 7.117009258227418) entropy 7.11700925823 description A section with a high entropy has been found
Time & API  Arguments  Status Return Repeated
LookupPrivilegeValueW  system_name: (empty); privilege_name: SeDebugPrivilege  1 1 0
LookupPrivilegeValueW  system_name: (empty); privilege_name: SeDebugPrivilege  1 1 0
LookupPrivilegeValueW  system_name: (empty); privilege_name: SeDebugPrivilege  1 1 0
rule DebuggerCheck__GlobalFlags  description (no description)
rule DebuggerCheck__QueryInfo  description (no description)
rule DebuggerHiding__Thread  description (no description)
rule DebuggerHiding__Active  description (no description)
rule DebuggerException__SetConsoleCtrl  description (no description)
rule ThreadControl__Context  description (no description)
rule SEH__vectored  description (no description)
rule anti_dbg  description Checks if being debugged
rule disable_dep  description Bypass DEP
cmdline taskkill /f /im rigel.exe
cmdline C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\BE78.tmp\BE89.tmp\BE8A.bat C:\Users\test22\AppData\Local\Temp\pyi6.exe"
cmdline taskkill /f /im lolclient.exe
cmdline taskkill /f /im sunday.exe
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BE78.tmp\BE89.tmp\BE8A.bat C:\Users\test22\AppData\Local\Temp\pyi6.exe"
file C:\Users\test22\AppData\Local\Temp\BE78.tmp\BE89.tmp\BE8A.bat
file C:\Users\test22\AppData\Local\Temp\BE78.tmp
file C:\Users\test22\AppData\Local\Temp\BE78.tmp\BE89.tmp
Process injection Process 524 resumed a thread in remote process 2064
Time & API  Arguments  Status Return Repeated
NtResumeThread  thread_handle: 0x00000000000001f4; suspend_count: 1; process_identifier: 2064  1 0 0