Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 12, 2021, 10:40 a.m.	April 12, 2021, 10:48 a.m.

Size	2.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ec052b150b112e80d0bfb4b8d0ff8eb9`
SHA256	`fdf6040291d24b0ee18d77d18802624c4ab604962b19878c1f43474296760305`
CRC32	`B2BEFEF2`
ssdeep	`49152:mZuLHu8yIGooM9RleBWWWqjmm8A3IwRhrOg5/AO9H/x3EzSTUB5R2rteXPM:mYLO8yqB9TN6jm69VYEFQkWM`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

32a1.com "C:\Users\test22\AppData\Local\Temp\32a1.com"
8212
- explorer.exe "C:\Windows (x86)\explorer.exe"
  4636

Name	Response	Post-Analysis Lookup
singapore01.hashvault.pro	A 131.153.159.26 A 131.153.76.130	131.153.76.130

IP Address	Status	Action
131.153.76.130	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 12, 2021, 10:40 a.m.	buffer: [2021-04-12 13:40:38.140] unable to open "C:\Windows (x86)\config.json". console_handle: 0x00000007	1	1
WriteConsoleA April 12, 2021, 10:40 a.m.	buffer: [2021-04-12 13:40:38.140] unable to open "C:\Users\test22\.Windows Explorer.json". console_handle: 0x00000007	1	1
WriteConsoleA April 12, 2021, 10:40 a.m.	buffer: [2021-04-12 13:40:38.140] unable to open "C:\Users\test22\.config\Windows Explorer.json". console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2021, 10:40 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 12, 2021, 10:40 a.m.	process_identifier: 8212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Windows (x86)\explorer.exe

Drops a binary and executes it (1 event)

file	C:\Windows (x86)\explorer.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 12, 2021, 10:40 a.m.	flags: 14 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Manager

reg_value

C:\Windows (x86)\explorer.exe

Network communications indicative of possible code injection originated from the process explorer.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
WSASend April 12, 2021, 10:40 a.m.	buffer: :²yÎ³]YSY)ùo£<DgðãõØ°[ÝÝÔ½Ü\+ Âh\bn&Ð)rawOMûI½XÓ0³ªª]>À,À0Ì©Ì¨ÌªÀ+À/À$À(kÀ#À'gÀ À9À À3=<5/ÿ # 0. + -3&$ ¯; ©Gl¿1ØÙÚ ò©ïÊMv!}& socket: 540		0	0
WSASend April 12, 2021, 10:40 a.m.	buffer: Eï<QÓªw"éøyØ2õºËnÊôS/> aù 6Ñng¦¬ÊºgñYñ<S JÖÇqJ¥^$0ë"Åt¬º¨ ¬èdî\õ;YÀ+Vkæe¯J!æ;ÞSó4SØ7ÎôW}ºS¯÷ À¦Üì×²\.£åöÓêé(¦7÷ÖÆéÐQ9!%zV®Ub=É¥þ1KÅ:M¯¾=ÓrMC"Ûúä¡`Kà}§ ¨/i¼¬x&ÿN´¦r¾×¸Û atdG@æKJ^Òòø±¬Ågê ìýÇùÛ<RLéCF¨¡¸ÆòJ!£dcAÓ»ÊàÄÛÌiK>9µ]Îè9ôâÆX ?³ ÙöìV_5¨?&qØó wéóø0_ÿ)Ê÷à\|Ú%ÿäÂ\|F¥Ü®¤øÞ'6¼§·ÕeÜÇçÂa¥28wÎ6[bÁ½Òz¹ýÕæ's´ÿ»ù¬éÀm¾æñï"pê Ì&SAIùÅh´Â4â;§ÖÃØZX½NÆÈ_énñâ1ô1ôç"<Ý\ï¥i<Â^îC©2ÆNÆÏ ½%Ïå _`PÊ¥£ò%²à½G©9æo7&fN¨»?9Ej¦MãkP2ÌýØwþ¨gÕÊM¥w+ª±ßlÕN=õÌ ?ì3èÒ +ÛP ÊQXù&Ä±¬l'ÐÐb»à°#8o.íìÊÂÀ\|ðpî socket: 540		0	0

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 12, 2021, 10:40 a.m.	thread_identifier: 9076 thread_handle: 0x00000260 process_identifier: 4636 current_directory: C:\Windows (x86) filepath: C:\Windows (x86)\explorer.exe track: 1 command_line: "C:\Windows (x86)\explorer.exe" filepath_r: C:\Windows (x86)\explorer.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000025c	1	1	0
ShellExecuteExW April 12, 2021, 10:40 a.m.	show_type: 1 filepath_r: C:\Windows (x86)\explorer.exe parameters: filepath: C:\Windows (x86)\explorer.exe	1	1	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 12, 2021, 10:40 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

32a1.com

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All