Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	March 17, 2021, 11:12 p.m.	March 17, 2021, 11:13 p.m.

Size	770.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`eb39c3a8f12a353ca9a0f64a2d2b9966`
SHA256	`8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c`
CRC32	`8A102F96`
ssdeep	`24576:U2G/nvxW3Ww0tOLz3NbQYwkadPFxcJqGhH3:UbA30oz9bQYraJCH3`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

IntelFIVE.txt "C:\Users\Administrator\AppData\Local\Temp\IntelFIVE.txt"
6272
- schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelFIVE /TR C:\ProgramData\Intel\IntelFIVE.exe /F
  5088

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 17, 2021, 11:10 p.m.	computer_name: WIN7-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 17, 2021, 11:10 p.m.	buffer: 성공: 예약된 작업 "IntelFIVE"을(를) 만들었습니다. console_handle: 0x00000007	1	1	0

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

section

.didat

resource name

PNG

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 17, 2021, 11:10 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72322000 process_handle: 0xffffffff	1	0	0

file	C:\ProgramData\Intel\IntelFIVE.exe

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelFIVE /TR C:\ProgramData\Intel\IntelFIVE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelFIVE /TR C:\ProgramData\Intel\IntelFIVE.exe /F

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelFIVE /TR C:\ProgramData\Intel\IntelFIVE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelFIVE /TR C:\ProgramData\Intel\IntelFIVE.exe /F

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC HOURLY /MO 1 /TN IntelFIVE /TR C:\ProgramData\Intel\IntelFIVE.exe /F
cmdline	SCHTASKS /CREATE /SC HOURLY /MO 1 /TN IntelFIVE /TR C:\ProgramData\Intel\IntelFIVE.exe /F

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6272 resumed a thread in remote process 5088
NtResumeThread March 17, 2021, 11:10 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 5088	1	0	0

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Symmi.44298
FireEye	Generic.mg.eb39c3a8f12a353c
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.8f12a3
Arcabit	Trojan.Symmi.DAD0A
Cyren	W32/Trojan.REOR-6425
APEX	Malicious
Kaspersky	HEUR:Backdoor.Win32.Xaparo.gen
BitDefender	Gen:Variant.Symmi.44298
Rising	Trojan.TaskRun/SFX!1.D3EF (CLASSIC)
Sophos	ML/PE-A
Zillya	Trojan.ScriptKD.JS.10
McAfee-GW-Edition	BehavesLike.Win32.Generic.bc
Emsisoft	Gen:Variant.Symmi.44298 (B)
MAX	malware (ai score=85)
ZoneAlarm	HEUR:Backdoor.Win32.Xaparo.gen
GData	Gen:Variant.Symmi.44298
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Symmi.44298
Malwarebytes	Malware.Heuristic.1001

IntelFIVE.txt