Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2024, 9:59 a.m.	Nov. 11, 2024, 10:06 a.m.

Size	28.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f60e2ff775cfbf5c3656d3a7a96fff3f`
SHA256	`bec799df3b1adecc61780ac2517fb0c74f3db7fcebc6c0ebad85c9eb59bb5a0f`
CRC32	`2833F47C`
ssdeep	`192:A9IrI0TjJfWrNxDbJMydLLl3uLvqUo3gXIRrEZCOpml5kPYTP2DyuzPO0BxtxD7v:A9oI2xCP9RdNuTqp36Iil4ECU/76BOx`
Yara	Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

sgupdate.exe "C:\Users\test22\AppData\Local\Temp\sgupdate.exe"
840
- taskkill.exe taskkill /f /im
  1712
- cmd.exe C:\Windows\system32\cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\sgupdate.exe"
  2508

Name	Response	Post-Analysis Lookup
safe.ywxww.net		60.191.236.246

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 11, 2024, 9:59 a.m.	buffer: ERROR: Invalid syntax. Value expected for '/im'. Type "TASKKILL /?" for usage. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2024, 9:59 a.m.		1	1	0

One or more processes crashed (10 events)

Time & API	Arguments	Status
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636280 registers.edi: 5724248 registers.eax: 1636280 registers.ebp: 1636360 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1635992 registers.edi: 5724248 registers.eax: 1635992 registers.ebp: 1636072 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636280 registers.edi: 5724248 registers.eax: 1636280 registers.ebp: 1636360 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1635992 registers.edi: 5724248 registers.eax: 1635992 registers.ebp: 1636072 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636008 registers.edi: 5724248 registers.eax: 1636008 registers.ebp: 1636088 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636008 registers.edi: 5724248 registers.eax: 1636008 registers.ebp: 1636088 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636008 registers.edi: 5724248 registers.eax: 1636008 registers.ebp: 1636088 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636008 registers.edi: 5724248 registers.eax: 1636008 registers.ebp: 1636088 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636484 registers.edi: 5724248 registers.eax: 1636484 registers.ebp: 1636564 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636592 registers.edi: 5724248 registers.eax: 1636592 registers.ebp: 1636672 registers.edx: 0 registers.ebx: 5724248 registers.esi: 5724248 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 1712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73551000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000060f0

size

0x0000024c

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\sgupdate.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sgupdate.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003e0000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\system32\cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\sgupdate.exe"
cmdline	taskkill /f /im

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\sgupdate.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 840 resumed a thread in remote process 2508
NtResumeThread Nov. 11, 2024, 9:59 a.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 2508	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.Common.F08C1685
Lionic	Trojan.Win32.NewHeur.4!c
MicroWorld-eScan	Trojan.GenericKD.74630646
Skyhigh	GenericRXQV-DO!F60E2FF775CF
ALYac	Trojan.GenericKD.74630646
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74630646
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.74630646
K7GW	Trojan ( 0050ca711 )
K7AntiVirus	Trojan ( 0050ca711 )
Arcabit	Trojan.Generic.D472C5F6
VirIT	Trojan.Win32.VBGenus.FZC
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
Avast	Win32:Trojan-gen
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/NewHeur.08382e57
NANO-Antivirus	Trojan.Win32.Graftor.frxije
Rising	Trojan.Agent!8.B1E (TFE:5:btj6KuYloQC)
Emsisoft	Trojan.GenericKD.74630646 (B)
DrWeb	Trojan.DownLoader28.16284
Zillya	Trojan.Agent.Win32.1109594
TrendMicro	TROJ_GEN.R002C0PK224
McAfeeD	ti!BEC799DF3B1A
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
FireEye	Generic.mg.f60e2ff775cfbf5c
Jiangmin	Trojan.Agent.cahw
Google	Detected
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	Win32.Troj.Undef.a
Xcitium	Malware@#1bn7ev4h9d53z
Microsoft	Trojan:Win32/Stealer
ViRobot	Trojan.Win32.Z.Agent.28672.KDC
GData	Trojan.GenericKD.74630646
AhnLab-V3	Trojan/Win.Generic.R647606
McAfee	GenericRXQV-DO!F60E2FF775CF
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.VBKrypt
Malwarebytes	Malware.AI.4173978879
Ikarus	Trojan.NewHeur_VB_Downloader
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002C0PK224
huorong	HVM:TrojanDownloader/Small.Gen!D
Fortinet	W32/Agent.XAAMSV!tr
AVG	Win32:Trojan-gen
Paloalto	generic.ml

sgupdate.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All