Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 9, 2021, 11:32 a.m.	April 9, 2021, 11:48 a.m.

Size	283.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4123dfc4a1b625d3811e46f564cf6156`
SHA256	`aaadcd4bc5084939375b355830fa646c3f2a066a670369b70f8b3be5da81ad44`
CRC32	`7F7EF4D1`
ssdeep	`3072:fUezzLopqX2vWced9e20K7kvOG9JEFTNuFabDP+DnMG7JgZDnA80RqxnT1KDjIjH:fUez3oEmydk7DF9SFTNwS6j0J0sxnu`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description)

Two.exe "C:\Users\test22\AppData\Local\Temp\Two.exe"
656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 9, 2021, 11:25 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 9, 2021, 11:25 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 56 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2361000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0004c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00045000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0005f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00181000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00182000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000075b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00046000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 9, 2021, 11:25 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00183000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000a000', u'virtual_address': u'0x00002000', u'entropy': 7.0896545964331645, u'name': u'.text', u'virtual_size': u'0x00009eec'}

entropy

7.08965459643

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0003c800', u'virtual_address': u'0x0000c000', u'entropy': 6.939413670520726, u'name': u'.rsrc', u'virtual_size': u'0x0003c76c'}

entropy

6.93941367052

description

A section with a high entropy has been found

entropy

0.998230088496

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Barys.55600
FireEye	Generic.mg.4123dfc4a1b625d3
McAfee	Artemis!4123DFC4A1B6
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.4a1b62
Arcabit	Trojan.Barys.DD930
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Adware.CsdiMonetize.BK
APEX	Malicious
Avast	FileRepMetagen [Malware]
ClamAV	Win.Dropper.Temonde-6571898-0
Kaspersky	HEUR:Trojan.MSIL.Bsymem.gen
BitDefender	Gen:Variant.Barys.55600
Paloalto	generic.ml
AegisLab	Trojan.Win32.Barys.4!c
Ad-Aware	Gen:Variant.Barys.55600
Emsisoft	Gen:Variant.Barys.55600 (B)
Comodo	ApplicUnwnt.UnclassifiedMalware@0
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Sophos	ML/PE-A
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Barys.55600
ALYac	Gen:Variant.Barys.55600
MAX	malware (ai score=89)
Malwarebytes	Malware.AI.1151198884
TrendMicro-HouseCall	TROJ_GEN.R002H09D821
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_69%
Fortinet	Malicious_Behavior.SB
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Trojan.Generic.HwMAc78A

Two.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All