popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

IntelTWO.txt

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x3201 March 17, 2021, 11:10 p.m. March 17, 2021, 11:10 p.m.
Size 603.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d2054b1b66e0d190be9eb250fada79fa
SHA256 91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
CRC32 000D322A
ssdeep 12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbJchE4GyRgh3uxBBtIanFi4DqC:U2G/nvxW3Ww0tJapnTBtIaFSC
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: WIN7-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: 성공: 예약된 작업 "IntelTWO"을(를) 만들었습니다.
console_handle: 0x00000007
1 1 0
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 6084
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72322000
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\Intel\IntelTWO.exe
cmdline SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelTWO /TR C:\ProgramData\Intel\IntelTWO.exe /F
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelTWO /TR C:\ProgramData\Intel\IntelTWO.exe /F
description Listen for incoming communication rule network_tcp_listen
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelTWO /TR C:\ProgramData\Intel\IntelTWO.exe /F
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelTWO /TR C:\ProgramData\Intel\IntelTWO.exe /F
cmdline SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelTWO /TR C:\ProgramData\Intel\IntelTWO.exe /F
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelTWO /TR C:\ProgramData\Intel\IntelTWO.exe /F
Process injection Process 6084 resumed a thread in remote process 3520
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000027c
suspend_count: 1
process_identifier: 3520
1 0 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
FireEye Generic.mg.d2054b1b66e0d190
McAfee Artemis!D2054B1B66E0
Zillya Trojan.ScriptKD.JS.10
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_80% (W)
Cyren W32/Trojan.REOR-6425
APEX Malicious
Avast FileRepMalware
Kaspersky HEUR:Backdoor.Win32.Xaparo.gen
Paloalto generic.ml
Sophos ML/PE-A
McAfee-GW-Edition BehavesLike.Win32.Generic.jc
SentinelOne Static AI - Suspicious SFX
Microsoft Program:Win32/Wacapew.C!ml
Cynet Malicious (score: 100)
Malwarebytes Malware.Heuristic.1001
Rising Trojan.TaskRun/SFX!1.D3EF (CLASSIC)
AVG FileRepMalware
Qihoo-360 Win32/Backdoor.Generic.HgIASQ8A