Summary | ZeroBOX

loader.exe

Emotet Gen1 Malicious Library UPX PE64 PE File CAB
Category FILE
Machine s1_win7_x6401
Started Nov. 8, 2024, 4:54 p.m.
Completed Nov. 8, 2024, 5:02 p.m.
Size 184.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 dd4f9e2e3a884356b781bc7085c81fe7
SHA256 44ea7026de94c08fe8fb19cf6c659f571afd12ef5f6b4cc5c1e6b0ea50e10a39
CRC32 B9E8CA6B
ssdeep 3072:AMobR7ezAjLOZvmX1s5GWp1icKAArDZz4N9GhbkrNEkujj3O:1eR7eamm8p0yN90QET
PDB Path wextract.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet
  • CAB_file_format - CAB archive file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: GetComputerNameW
Arguments: computer_name: TEST22-PC
Status: 1  Return: 1  Repeated: 0
API: IsDebuggerPresent
Status / Return / Repeated: 0 0

pdb_path: wextract.pdb
resource name: AVI
API: __exception__
stacktrace:

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefd4fa49d
Status: 1  Return: 0  Repeated: 0

API: NtProtectVirtualMemory
process_identifier: 2752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000074213000
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0

file: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\payload.bat
cmdline: wmic path Win32_PointingDevice get PNPDeviceID /value
cmdline: cmd.exe /c "payload.bat"
cmdline: C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"
section: name .rsrc, virtual_address 0x0000f000, virtual_size 0x0001f000, size_of_data 0x0001f000, entropy 6.819858208041683; description: A section with a high entropy has been found
entropy: 0.688888888889; description: Overall entropy of this PE file is high
reg_key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
reg_value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Agent.Y!c
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win64.Downloader.ch
ALYac Trojan.Generic.36330277
Cylance Unsafe
VIPRE Trojan.Generic.36330277
CrowdStrike win/malicious_confidence_70% (D)
BitDefender Trojan.Generic.36330277
K7GW Trojan ( 005b216d1 )
K7AntiVirus Trojan ( 005b216d1 )
Arcabit Trojan.Generic.D22A5B25
VirIT Trojan.BAT.Agent.GRZ
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 BAT/TrojanDownloader.Agent.PFP
APEX Malicious
Avast Other:Malware-gen [Trj]
ClamAV Win.Dropper.QuasarRAT-10031897-0
Kaspersky Trojan-Downloader.BAT.Agent.aen
Alibaba TrojanDownloader:BAT/Genric.a34eb8b2
NANO-Antivirus Trojan.Win64.KillProc2.koqstd
MicroWorld-eScan Trojan.Generic.36330277
Emsisoft Trojan.Generic.36330277 (B)
F-Secure Malware.BAT/Dldr.Agent.ARB
DrWeb Trojan.KillProc2.21405
McAfeeD ti!44EA7026DE94
CTX exe.trojan.generic
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.BAT.Agent
FireEye Trojan.Generic.36330277
Webroot
Google Detected
Avira BAT/Dldr.Agent.ARB
Kingsoft Win32.Troj.Unknown.a
Xcitium Malware@#1tna3j8evnf80
Microsoft TrojanDownloader:BAT/Obfuse.PAEZ!MTB
ZoneAlarm UDS:Trojan-Downloader.BAT.Agent.aen
GData Trojan.Generic.36330277
Varist BAT/Agent.ARQ
AhnLab-V3 Trojan/Win.Malware-gen.C5613674
McAfee Artemis!DD4F9E2E3A88
DeepInstinct MALICIOUS
Malwarebytes RiskWare.Dropper.BAT
Panda Trj/Chgt.AD
Tencent Bat.Trojan-Downloader.Der.Ymhl
MaxSecure Trojan.Malware.121218.susgen
Fortinet BAT/Agent.PFP!tr.dldr
AVG Other:Malware-gen [Trj]
Paloalto generic.ml