Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 2, 2025, 10:36 a.m.	Jan. 2, 2025, 10:38 a.m.

Size	3.8MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`1a15dd31838dee5ca5aae7d4771cb451`
SHA256	`0698347cb68341078844c04d3003ae98502d3efe181b654a4de3271c3c43e887`
CRC32	`DE00FB3F`
ssdeep	`98304:+3RdEXvwmv0wI5MuUoIkkoJxxE3XnwXuUsHUhwn6:+33WvDv0wyMuUUkoREHVUsHUun6`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

Coc%20Coc.exe "C:\Users\test22\AppData\Local\Temp\Coc%20Coc.exe"
1820
- cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\C07C.tmp\C07D.tmp\C07E.bat C:\Users\test22\AppData\Local\Temp\Coc%20Coc.exe"
  2064

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (17 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: C:\Users\test22\AppData\Roaming> console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: Copy console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: portable_util.exe "C:\Program Files\CocCoc\Browser\Application" /y console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: 0 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: C:\Users\test22\AppData\Roaming> console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: Copy console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: setup.exe "C:\Program Files\CocCoc\Browser\Application" /y console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: 0 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: C:\Users\test22\AppData\Roaming> console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: portable_util.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: --register-coccoc-portable --force-uid=3849d47c-687c-49be-b315-4e062899d124 --skip-import --skip-welcome --do-not-create-shortcut --force-regenerate-hid console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: C:\Users\test22\AppData\Roaming> console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: browser.exe truyenhay247.click https://upodaitie.net/4/8080037 console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 2, 2025, 10:29 a.m.	buffer: The system cannot find the file browser.exe. console_handle: 0x000000000000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 2, 2025, 10:29 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Roaming\setup.exe
file	C:\Users\test22\AppData\Local\Temp\C07C.tmp\C07D.tmp\C07E.bat
file	C:\Users\test22\AppData\Roaming\portable_util.exe
file	C:\Users\test22\AppData\Roaming\CocCocSetup.exe

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\C07C.tmp\C07D.tmp\C07E.bat C:\Users\test22\AppData\Local\Temp\Coc%20Coc.exe"

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\CocCocSetup.exe
file	C:\Users\test22\AppData\Roaming\setup.exe
file	C:\Users\test22\AppData\Roaming\portable_util.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 2, 2025, 10:29 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\C07C.tmp\C07D.tmp\C07E.bat C:\Users\test22\AppData\Local\Temp\Coc%20Coc.exe" filepath: C:\Windows\System32\cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003ac600', u'virtual_address': u'0x00022000', u'entropy': 7.985065850053966, u'name': u'.rsrc', u'virtual_size': u'0x003ac454'}

entropy

7.98506585005

description

A section with a high entropy has been found

entropy

0.969708687806

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\C07C.tmp\C07D.tmp\C07E.bat C:\Users\test22\AppData\Local\Temp\Coc%20Coc.exe"
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\C07C.tmp\C07D.tmp\C07E.bat C:\Users\test22\AppData\Local\Temp\Coc%20Coc.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\portable_util.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1820 resumed a thread in remote process 2064
NtResumeThread Jan. 2, 2025, 10:29 a.m.	thread_handle: 0x0000000000000224 suspend_count: 1 process_identifier: 2064	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Gen.tqzj
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.17295029471cb451
Skyhigh	BehavesLike.Win64.Dropper.wc
ALYac	Gen:Variant.Cerbu.213170
Cylance	Unsafe
VIPRE	Gen:Variant.Cerbu.213170
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (W)
BitDefender	Gen:Variant.Cerbu.213170
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
Arcabit	Trojan.Cerbu.D340B2
VirIT	Trojan.Win32.Banker1.BMNA
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Avast	Win64:Malware-gen
Kaspersky	Trojan-Dropper.Win32.Dapato.sbab
Alibaba	TrojanDropper:Win32/Dapato.0b812dcc
MicroWorld-eScan	Gen:Variant.Cerbu.213170
Rising	Trojan.Convagent!8.12323 (CLOUD)
Emsisoft	Gen:Variant.Cerbu.213170 (B)
Zillya	Trojan.Generic.Win32.838255
McAfeeD	ti!0698347CB683
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.1a15dd31838dee5c
Google	Detected
Antiy-AVL	Trojan/Win32.SchoolGirl
Kingsoft	malware.kb.a.954
Gridinsoft	Trojan.Win64.Agent.bot!s1
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Cerbu.213170
Varist	W64/Bulz.BB.gen!Eldorado
McAfee	Artemis!1A15DD31838D
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.Win64.Banker
TrendMicro-HouseCall	TROJ_GEN.R002H0CJJ24
Tencent	Malware.Win32.Gencirc.141ec354
MaxSecure	Trojan.Malware.294739747.susgen
Fortinet	W64/CoinMiner.526230!tr
AVG	Win64:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan:Win/Convagent.gyf

Coc%20Coc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All