Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 9:53 a.m.	June 16, 2024, 10:17 a.m.

Size	48.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7f0bf23db6496335d9adf01fb50ec091`
SHA256	`1f2e39728d627019c482b270eabb614d39100ed910797c6884fc405ae6514412`
CRC32	`58CC6691`
ssdeep	`768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67ThPC:Ub1MsHz3JDwhyWr+N95OTga6I`
Yara	Malicious_Library_Zero - Malicious_Library hide_executable_file - Hide executable file PE_Header_Zero - PE File Signature IsPE32 - (no description)

%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe "C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe"
1680
- cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe"
  2112
  - PING.EXE ping 127.0.0.1 -n 1
    2212

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
142.250.66.129	Active	Moloch
120.79.191.234	Active	Moloch
216.58.203.78	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:53 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2024, 9:53 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Foreign language identified in PE resource (4 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b448

size

0x00000128

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b598

size

0x000001c6

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0000b570

size

0x00000022

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\31314376.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 16, 2024, 9:53 a.m.	service_start_name: start_type: 2 password: display_name: Systerm Remocte Data Ssimfulation Ldaye5 filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "Remocte1" service_name: Remocte1 filepath_r: %SystemRoot%\System32\svchost.exe -k "Remocte1" desired_access: 983551 service_handle: 0x005c42b8 error_control: 0 service_type: 272 service_manager_handle: 0x005c4358	1	6046392	0

Creates a suspicious process (2 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\31314376.dll
file	C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:53 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe" filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: mobsync.exe process_identifier: 1044	1	1
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: %E9%98%B2%E5%8A%AB%E6%8C%811.0.exe process_identifier: 1680	1	1
Process32NextW June 16, 2024, 9:53 a.m.	snapshot_handle: 0x000000b4 process_name: pw.exe process_identifier: 1096	1	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\test22\AppData\Local\Temp\%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe"
cmdline	ping 127.0.0.1 -n 1

Communicates with host for which no DNS query was performed (3 events)

host	142.250.66.129
host	120.79.191.234
host	216.58.203.78

Installs itself for autorun at Windows startup (2 events)

service_name	Remocte1				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k "Remocte1"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Remocte1\Parameters\ServiceDll				reg_value	C:\Users\test22\AppData\Local\Temp\31314376.dll

%E9%98%B2%E5%8A%AB%E6%8C%811.0.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All