win.exe

The executable uses a known packer (1 event)

packer

UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Creates executable files on the filesystem (1 event)

file	C:\Windows\WindowsUpdata\jgkzvzjcoqt.exe

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c del C:\Users\test22\AppData\Local\Temp\win.exe > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\win.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x0000ba00', u'virtual_address': u'0x00018000', u'entropy': 7.970067716992362, u'name': u'UPX1', u'virtual_size': u'0x0000c000'}				entropy	7.97006771699				description	A section with a high entropy has been found
entropy	0.978947368421				description	Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 6, 2025, 6:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0
LookupPrivilegeValueW Jan. 6, 2025, 6:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\system32\cmd.exe /c del C:\Users\test22\AppData\Local\Temp\win.exe > nul

Communicates with host for which no DNS query was performed (1 event)

host	154.201.65.10

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jgkzvzjcoqt.exe

reg_value

C:\Windows\WindowsUpdata\jgkzvzjcoqt.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\win.exe

Attempts to modify UAC prompt behavior (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

Modifies security center warnings (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 1884 resumed a thread in remote process 2640
Time & API	Arguments	Status	Return	Repeated
NtResumeThread Jan. 6, 2025, 6:34 p.m.	thread_handle: 0x000000cc suspend_count: 1 process_identifier: 2640	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

154.201.65.10:2553

Disables Windows Security features (2 events)

description	attempts to disable user access control				registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description	disables user access control notifications				registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Sdbot.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.1736146904a75c8c
Skyhigh	BehavesLike.Win32.Generic.pc
McAfee	ACL/MintZard Trojan
Cylance	Unsafe
VIPRE	Gen:Heur.Mint.Zard.45
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Gen:Heur.Mint.Zard.45
K7GW	DoS-Trojan ( 004c26b11 )
K7AntiVirus	DoS-Trojan ( 004c26b11 )
Arcabit	Trojan.Mint.Zard.45
Baidu	Win32.Trojan.Agent.asz
VirIT	Trojan.Win32.Generic.FLU
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/DDoS.Agent.NBI
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Dropper.Gh0stRAT-6992450-0
Kaspersky	Backdoor.Win32.Sdbot.agiy
Alibaba	Backdoor:Win32/Sdbot.26f229a3
NANO-Antivirus	Trojan.Win32.MLW.duuovm
MicroWorld-eScan	Gen:Heur.Mint.Zard.45
Rising	Trojan.DDOS!1.AAC6 (CLOUD)
Emsisoft	Gen:Heur.Mint.Zard.45 (B)
F-Secure	Adware.ADWARE/Taranis.993
DrWeb	DDoS.5784
Zillya	Backdoor.SdBot.Win32.1
TrendMicro	BKDR_SDBOT.SM
McAfeeD	Real Protect-LS!BE47562482B7
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Behav-044
Ikarus	Trojan.Win32.DDos
FireEye	Generic.mg.be47562482b77cba
Jiangmin	Backdoor.SdBot.hk
Google	Detected
Avira	ADWARE/Taranis.993
Antiy-AVL	Trojan[Backdoor]/Win32.SdBot
Kingsoft	malware.kb.b.984
Gridinsoft	Trojan.Win32.Agent.sa
Xcitium	Backdoor.Win32.Sdbot.AM@83hwfp
Microsoft	Trojan:Win32/Sdbot!RND
GData	Gen:Heur.Mint.Zard.45
Varist	W32/Agent.EHB.gen!Eldorado
AhnLab-V3	Trojan/Win32.Dorv.R304564
VBA32	BScope.Trojan.Win32.Inject.2