Report - nircmd.exe

UPX PE File PE32
Created 2025.04.21 13:44 Machine s1_win7_x6401
Filename nircmd.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
12
Behavior Score
1.8
ZERO API file : malware
VT API (file)
md5 9cc3c07ac4b98cfaa826d10a48888bf6
sha256 cf29b37e1ff595120c23245a6e43a15c5c7bf3e59f0f675456b255d402f4bae7
ssdeep 768:XOW/mNg68vR3jU0w5N6DdM7aUsz+F2ZxJIwyZxCnogLIerQcRs842trMrvp89:Xn2gl3jBwaR5Uh0yxCzFs5zp8
imphash b2d4b3aee34c51601ed72443f0465642
impfuzzy 6:omRgCHWvOYZBJAEoZ/OEGDzyRZGc9WNsYbtusLn:omRgYoABZG/DzyCusLn

Signature (6cnts)

Level  | Description
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | The binary likely contains encrypted or compressed data indicative of a packer
notice | The executable is compressed using UPX
info   | Checks amount of memory in system
info   | Checks if process is being debugged by a debugger
info   | One or more processes crashed

Rules (3cnts)

Level | Name           | Description       | Collection
watch | UPX_Zero       | UPX packed file   | binaries (upload)
info  | IsPE32         | (no description)  | binaries (upload)
info  | PE_Header_Zero | PE File Signature | binaries (upload)

Network (0cnts)

Request | CC | ASN | Co | IP4 | Rule | ZERO

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x41a954 RegCloseKey
GDI32.dll
 0x41a95c BitBlt
KERNEL32.DLL
 0x41a964 LoadLibraryA
 0x41a968 ExitProcess
 0x41a96c GetProcAddress
 0x41a970 VirtualProtect
msvcrt.dll
 0x41a978 exit
ole32.dll
 0x41a980 CoInitialize
SHELL32.dll
 0x41a988 ShellExecuteA
USER32.dll
 0x41a990 GetDC
WINMM.dll
 0x41a998 mixerOpen

EAT(Export Address Table) is none
