Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.23 03:09
66eef0ca0fb35_lfdsa.exe
09.23 02:09
easyfirewall.exe
09.23 02:09
Name.exe
09.23 11:09
wcxoplwq.exe
09.23 11:09
66f00f515201d_otr.exe#...
09.23 11:09
Journal.exe
09.23 11:09
PI No.1070034483.exe
09.23 11:09
66f011901da27_crypted....
09.23 11:09
66f063cce5470_crypted....
09.23 11:09
notebyx.exe

Latest News
09.24 04:09
Ghostwriter v4.3: SSO,...
09.24 04:09
Ubuntu security adviso...
09.24 04:09
Red Hat security advis...
09.24 04:09
Alphawave Cuts Annual ...
09.24 03:09
Dell security advisory...
09.24 03:09
Infographic: How to mo...
09.24 03:09
Crypto Miner Truce Lea...
09.24 03:09
Cloudflare CEO Seeks t...
09.24 03:09
4 more nations sign on...
09.24 03:09
White House proposes r...

Summary | ZeroBOX

IntelONE.txt

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 17, 2021, 11:12 p.m.	March 17, 2021, 11:13 p.m.

Size	646.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8e2288bfb74d2422ff22218f8210fd22`
SHA256	`5cbafb76c6a0e930414647523ffb4abe9d9ab7f41270ddf4c4ef5d9fd1f39346`
CRC32	`9C683811`
ssdeep	`12288:aRZ+IoG/n9IQxW3OBsee2X+t4RblkFZpTXbHVEivmHQVOfGYXbs2F:U2G/nvxW3Ww0tlkPprb1EifAvgm`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

IntelONE.txt "C:\Users\test22\AppData\Local\Temp\IntelONE.txt"
2864
- schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F
  4892

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 17, 2021, 11:09 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 17, 2021, 11:09 p.m.	buffer: SUCCESS: The scheduled task "IntelONE" has successfully been created. console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 17, 2021, 11:09 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\Intel\IntelONE.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F

Yara rule detected in process memory (13 events)

description	Listen for incoming communication				rule	network_tcp_listen
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_files_operation
description	Match Winsock 2 API library declaration				rule	Str_Win32_Winsock2_Library
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelONE /TR C:\ProgramData\Intel\IntelONE.exe /F

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.8e2288bfb74d2422
McAfee	Artemis!8E2288BFB74D
Zillya	Trojan.ScriptKD.JS.10
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/Trojan.REOR-6425
APEX	Malicious
Avast	FileRepMalware
Kaspersky	HEUR:Backdoor.Win32.Xaparo.gen
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Sophos	ML/PE-A
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
Malwarebytes	Malware.Heuristic.1001
Rising	Trojan.TaskRun/SFX!1.D3EF (CLASSIC)
AVG	FileRepMalware

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2864 resumed a thread in remote process 4892
NtResumeThread March 17, 2021, 11:09 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 4892	1	0	0