Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 6, 2024, 9:30 a.m.	Dec. 6, 2024, 9:41 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`afdcb2b1b8fa9182ced13402ddeeb681`
SHA256	`8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd`
CRC32	`E37EDCEC`
ssdeep	`24576:5MjheaNTnRchpVQZeRXfrgutbvqP+8aHgbswIYiWsRvtciqgQRgOD399:QdDRcpfraPqAb9ISSciuRgC99`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

ClientServices.exe "C:\Users\test22\AppData\Local\Temp\ClientServices.exe"
1648
- ClientServices.tmp "C:\Users\test22\AppData\Local\Temp\is-H1S20.tmp\ClientServices.tmp" /SL5="$30028,965278,203776,C:\Users\test22\AppData\Local\Temp\ClientServices.exe"
  2052
  - cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\test22\AppData\Local\Temp\ClientServices.exe" /VERYSILENT /SUPPRESSMSGBOXES
    2140
    - timeout.exe timeout /T 3
      2200
    - ClientServices.exe "C:\Users\test22\AppData\Local\Temp\ClientServices.exe" /VERYSILENT /SUPPRESSMSGBOXES
      2268
      - ClientServices.tmp "C:\Users\test22\AppData\Local\Temp\is-KAKL3.tmp\ClientServices.tmp" /SL5="$20196,965278,203776,C:\Users\test22\AppData\Local\Temp\ClientServices.exe" /VERYSILENT /SUPPRESSMSGBOXES
        2312
        
        regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\test22\AppData\Roaming\\HollowSwallow.dll"
        2360

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 6, 2024, 9:30 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 6, 2024, 9:30 a.m.			0	0
IsDebuggerPresent Dec. 6, 2024, 9:30 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Dec. 6, 2024, 9:30 a.m.	buffer: Waiting for 3 console_handle: 0x00000007	1	1	0
WriteConsoleW Dec. 6, 2024, 9:30 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 114688 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 114688 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 6, 2024, 9:30 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-SH3NT.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-JLGN8.tmp\_isetup\_shfoldr.dll

Creates a suspicious process (2 events)

cmdline	"cmd.exe" /C timeout /T 3 & "C:\Users\test22\AppData\Local\Temp\ClientServices.exe" /VERYSILENT /SUPPRESSMSGBOXES
cmdline	"regsvr32.exe" /s /i:INSTALL "C:\Users\test22\AppData\Roaming\\HollowSwallow.dll"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-JLGN8.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-KAKL3.tmp\ClientServices.tmp

Queries for potentially installed applications (6 events)

Time & API	Arguments	Return
RegOpenKeyExW Dec. 6, 2024, 9:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1	2
RegOpenKeyExW Dec. 6, 2024, 9:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1	2
RegOpenKeyExW Dec. 6, 2024, 9:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1	2
RegOpenKeyExW Dec. 6, 2024, 9:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1	2
RegOpenKeyExW Dec. 6, 2024, 9:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1	2
RegOpenKeyExW Dec. 6, 2024, 9:30 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Impressionable Bear_is1	2

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Dec. 6, 2024, 9:30 a.m.	thread_identifier: 2272 thread_handle: 0x00000088 process_identifier: 2268 current_directory: C:\Windows\system32 filepath: C:\Users\test22\AppData\Local\Temp\ClientServices.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\ClientServices.exe" /VERYSILENT /SUPPRESSMSGBOXES filepath_r: C:\Users\test22\AppData\Local\Temp\ClientServices.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.Common.035BD19C
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Dropper.tc
ALYac	Gen:Variant.Babar.565469
Cylance	Unsafe
VIPRE	Gen:Variant.Babar.565469
CrowdStrike	win/grayware_confidence_60% (W)
BitDefender	Gen:Variant.Babar.565469
K7GW	Trojan ( 005bcd531 )
K7AntiVirus	Trojan ( 005bcd531 )
Arcabit	Trojan.Babar.D8A0DD
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Kryptik.HYFM
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/Kryptik.26685c52
MicroWorld-eScan	Gen:Variant.Babar.565469
Rising	Trojan.Kryptik!8.8 (CLOUD)
Emsisoft	Gen:Variant.Babar.565469 (B)
F-Secure	Trojan.TR/Crypt.Agent.bcywy
TrendMicro	Trojan.Win32.SMOKELOADER.YXELDZ
McAfeeD	ti!8F95965E8D66
CTX	exe.trojan.kryptik
Sophos	Generic Reputation PUA (PUA)
FireEye	Gen:Variant.Babar.565469
Google	Detected
Avira	TR/Crypt.Agent.kwcue
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Znyonm
GData	Gen:Variant.Babar.565469
Varist	W32/ABTrojan.DMLQ-4759
AhnLab-V3	Trojan/Win.Generic.C5702813
McAfee	Artemis!AFDCB2B1B8FA
DeepInstinct	MALICIOUS
VBA32	TrojanDownloader.Deyma
Ikarus	Trojan.Win32.Crypt
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXELDZ
Tencent	Win32.Trojan.Crypt.Ydkl
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/Kryptik.HYFM!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/Babar.Gen

ClientServices.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All