Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 8, 2025, 12:01 p.m.	March 8, 2025, 12:26 p.m.

Size	99.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`6ca1d8895e299ea630a4673213536564`
SHA256	`da620174bef1c7f41f581104a7193808d5aba54cf2edde9169c012854795e7f8`
CRC32	`45DA3343`
ssdeep	`1536:irae78zjORCDGwfdCSog01313XWs5gZEvw+WPi4UFr6cOyLpSRI:KahKyd2n31/5iEvw+Gi4UYu1SRI`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file

4261683a-d502-4ae4-afca-0498751d574f.exe "C:\Users\test22\AppData\Local\Temp\4261683a-d502-4ae4-afca-0498751d574f.exe"
2552
- cmd.exe cmd.exe /c 1.vbs && 2.xlsx
  2664
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1.vbs"
    2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 8, 2025, 12:01 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 8, 2025, 12:01 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 8, 2025, 12:01 p.m.	buffer: '2.xlsx' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 8, 2025, 12:01 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 8, 2025, 12:01 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory March 8, 2025, 12:01 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\21720~1.XLS

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1.vbs

Creates a suspicious process (1 event)

cmdline

cmd.exe /c 1.vbs && 2.xlsx

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

reg_value

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1.vbs

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1.vbs

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2664 resumed a thread in remote process 2776
NtResumeThread March 8, 2025, 12:01 p.m.	thread_handle: 0x0000000000000284 suspend_count: 1 process_identifier: 2776	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.Win32.GuLoader.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Ghanarava.1740520631536564
Skyhigh	BehavesLike.Win64.Dropper.nm
ALYac	Trojan.Generic.37526518
Cylance	Unsafe
VIPRE	Trojan.Generic.37526518
Sangfor	Downloader.Win32.Agent.Vu6f
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.Generic.37526518
K7GW	Trojan ( 005b825a1 )
K7AntiVirus	Trojan ( 005b825a1 )
Arcabit	Trojan.Generic.D23C9BF6
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	VBS/Agent.QMG
APEX	Malicious
Avast	Script:SNH-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Script/Generic.3a552e23
NANO-Antivirus	Trojan.Win64.Dwn.kvpndp
MicroWorld-eScan	Trojan.Generic.37526518
Rising	Downloader.GuLoader/VBS!1.12749 (CLASSIC)
Emsisoft	Trojan.Generic.37526518 (B)
F-Secure	Trojan.TR/AVI.Agent.btjgf
DrWeb	Trojan.DownLoader48.9429
Zillya	Trojan.Generic.Script.14
TrendMicro	TrojanSpy.Win64.LUMMASTEALER.YXFBLZ
McAfeeD	ti!DA620174BEF1
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
FireEye	Generic.mg.6ca1d8895e299ea6
Google	Detected
Avira	TR/AVI.Agent.btjgf
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.Generic.37526518
Varist	VBS/Agent.BWT
McAfee	Artemis!6CA1D8895E29
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4115918142
Ikarus	Trojan.VBS.Agent
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win64.LUMMASTEALER.YXFBLZ
Tencent	Script.Trojan.Generic.Fmnw
huorong	Trojan/VBS.GuLoader.ar
Fortinet	W32/PossibleThreat
AVG	Script:SNH-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Multi/Generic.Gen

4261683a-d502-4ae4-afca-0498751d574f

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All