Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 10, 2025, 4:10 p.m.	Feb. 10, 2025, 4:12 p.m.

Size	573.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`a6b4918f763f99f90f595c201f50239f`
SHA256	`c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4`
CRC32	`F0BBCD4B`
ssdeep	`12288:jtuH9x+LgvHIh+bOH1JcyDIDPc5VQHzPgjc7yYzUa4y:jto9x+LgvHI+OHPcykU0zoIdL`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Network_Downloader - File Downloader Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

z.exe "C:\Users\test22\AppData\Local\Temp\z.exe"
2548
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 9, 2025, 12:52 p.m.	process_identifier: 2548 region_size: 634880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002050000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 9, 2025, 12:52 p.m.	process_identifier: 1452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd53a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 9, 2025, 12:52 p.m.	process_identifier: 1452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076cac000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Feb. 9, 2025, 12:53 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\bdfbbfbefffbfc.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Feb. 9, 2025, 12:52 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\bdfbbfbefffbfc.exe filepath: C:\ProgramData\bdfbbfbefffbfc.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Feb. 9, 2025, 12:52 p.m.	snapshot_handle: 0x000000000000009c process_name: mobsync.exe process_identifier: 2280	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00047c00', u'virtual_address': u'0x0004d000', u'entropy': 7.968137554928529, u'name': u'.idata', u'virtual_size': u'0x00048000'}

entropy

7.96813755493

description

A section with a high entropy has been found

entropy

0.501310043668

description

Overall entropy of this PE file is high

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 22be53c13ab495853f41e0a7e46ccae7ee54820e

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 9, 2025, 12:52 p.m.	process_identifier: 1452 region_size: 634880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000009c	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bdfbbfbefffbfc

reg_value

"C:\ProgramData\bdfbbfbefffbfc.exe"

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 created a remote thread in non-child process 1452
CreateRemoteThread Feb. 9, 2025, 12:52 p.m.	thread_identifier: 0 process_identifier: 1452 function_address: 0x00000000068425f0 flags: 0 stack_size: 0 parameter: 0x0000000006840000 process_handle: 0x000000000000009c	1	160	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 manipulating memory of non-child process 1452
NtAllocateVirtualMemory Feb. 9, 2025, 12:52 p.m.	process_identifier: 1452 region_size: 634880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000009c	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.PowerLoader.m!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Sabsik
Skyhigh	BehavesLike.Win64.Generic.hc
ALYac	Trojan.GenericKD.75828481
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75828481
K7GW	Trojan ( 004c44741 )
K7AntiVirus	Trojan ( 004c44741 )
Arcabit	Trojan.Generic.D4850D01
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/PowerLoader.A
APEX	Malicious
Avast	Win64:MalwareX-gen [Trj]
ClamAV	Win.Malware.Tinukebot-10040717-0
Kaspersky	Backdoor.Win32.Androm.vviu
Alibaba	Trojan:Win64/PowerLoader.6a4197bb
MicroWorld-eScan	Trojan.GenericKD.75828481
Rising	Malware.Undefined!8.C (TFE:2:J8X79kMbZOM)
Emsisoft	Trojan.GenericKD.75828481 (B)
F-Secure	Trojan.TR/AVI.TinyNuke.gczrk
McAfeeD	ti!C401BE0D8B68
Trapmine	malicious.high.ml.score
CTX	exe.trojan.powerloader
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.a6b4918f763f99f9
Google	Detected
Avira	TR/AVI.TinyNuke.gczrk
Antiy-AVL	Trojan/Win32.Sabsik
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win64.Sabsik.sa
Xcitium	Malware@#phxs0pwyust1
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.CobaltStrike.KXKI7A
Varist	W64/ABTrojan.FPMR-3308
AhnLab-V3	Malware/Win.Generic.R691650
Acronis	suspicious
McAfee	Artemis!A6B4918F763F
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1267149139
Ikarus	Trojan.Win64.Powerloader
Tencent	Malware.Win32.Gencirc.1431d3d8
huorong	Trojan/Generic!0B2783847BB313E2
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W64/PowerLoader.A!tr

z.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All