Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 9, 2021, 4:57 p.m.	April 9, 2021, 5:02 p.m.

Size	274.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`57e8ac3aec87c298a240dc0853747dd5`
SHA256	`0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b`
CRC32	`A470F4B4`
ssdeep	`6144:R1urcdRp0ZtFWOorzZvKAHS2c8C2fRx3uQ1UsdHw:Yie2lztHnCO0`
Yara	win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE64 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

bg8.exe "C:\Users\test22\AppData\Local\Temp\bg8.exe"
9068
- bg8.exe "C:\Users\test22\AppData\Local\Temp\bg8.exe"
  8728

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
40.83.20.77	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 9, 2021, 4:50 p.m.	stacktrace: 0x1800092a4 exception.instruction_r: 48 63 41 3c 44 8b 94 01 88 00 00 00 8b bc 01 8c exception.instruction: movsxd rax, dword ptr [rcx + 0x3c] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1800092a4 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 502220219 registers.r10: 2 registers.rbx: 1 registers.rsp: 2747736 registers.r11: 0 registers.r8: 1 registers.r9: 4 registers.rdx: 502220219 registers.r12: 0 registers.rbp: 0 registers.rdi: 2747888 registers.rax: 1 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 110 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ed5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e52000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e49000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e5a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ec9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e5e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e56000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e42000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e56000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e5c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e51000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e49000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e62000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e57000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ea1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e61000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ea2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eb0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e9c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ecf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e41000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e42000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e4a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e59000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e8a000 process_handle: 0xffffffffffffffff	1

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Cylance	Unsafe
Avast	FileRepMalware
Kaspersky	UDS:Trojan.Win32.Injuke
Microsoft	Trojan:Win32/Wacatac.B!ml
Webroot	W32.Malware.Gen
AVG	FileRepMalware

Yara rule detected in process memory (9 events)

description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	40.83.20.77

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 9, 2021, 4:50 p.m.	process_identifier: 8728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077212000 process_handle: 0x0000000000000084	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 9068 resumed a thread in remote process 8728
NtResumeThread April 9, 2021, 4:50 p.m.	thread_handle: 0x0000000000000080 suspend_count: 1 process_identifier: 8728	1	0	0

bg8.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All