Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 7, 2021, 10:16 a.m.	April 7, 2021, 10:18 a.m.

Size	182.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`ac9e6b5f93ae7560c74176cd4ec2d129`
SHA256	`9eefae4b7a4bd95ddd0f411fee8bf9b7e3c4a521064d2c14c77612b5f5e68707`
CRC32	`CAFA167E`
ssdeep	`3072:/be9ljOMYM/NgDZO+jD9qMFGE3TUfK0lK0dc6ek09b+sivDkNZv8Mm0MuCtbnifp:ElqJYNZwD9Ljcz5MyQNZv84wtbnif1Y`
Yara	win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero IsPE64 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

resk8.exe "C:\Users\test22\AppData\Local\Temp\resk8.exe"
6240
- resk8.exe "C:\Users\test22\AppData\Local\Temp\resk8.exe"
  8992

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 7, 2021, 10:10 a.m.	stacktrace: 0x1c4a240 0x1c49160 0x1c522a7 resk8+0x29f86 @ 0x13ffc9f86 resk8+0x2af9e @ 0x13ffcaf9e BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 48 63 41 3c 44 8b 8c 01 88 00 00 00 8b b4 01 8c exception.instruction: movsxd rax, dword ptr [rcx + 0x3c] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1c4a240 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 3221225794 registers.rbx: 0 registers.rsp: 1964368 registers.r11: 0 registers.r8: 3204048486441 registers.r9: 3208343322666 registers.rdx: 502220219 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 112 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ed5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e52000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e49000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e5a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ec9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e5e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e56000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e42000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e56000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e5c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e51000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e49000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e57000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ea1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e61000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ea2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eb0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e9c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ecf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e41000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e42000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8a000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

resk8.exe tried to sleep 121 seconds, actually delayed analysis time by 63 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002c400', u'virtual_address': u'0x00001000', u'entropy': 7.800867576289376, u'name': u'.text', u'virtual_size': u'0x0002c418'}

entropy

7.80086757629

description

A section with a high entropy has been found

entropy

0.97520661157

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 7, 2021, 10:09 a.m.	process_identifier: 8992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077212000 process_handle: 0x0000000000000238	1	0	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.ac9e6b5f93ae7560
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.c1469c
APEX	Malicious
Sophos	ML/PE-A
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
SentinelOne	Static AI - Suspicious PE
CrowdStrike	win/malicious_confidence_60% (W)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6240 resumed a thread in remote process 8992
NtResumeThread April 7, 2021, 10:09 a.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 8992	1	0	0

resk8.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All