Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 14, 2021, 9:58 a.m.	May 14, 2021, 10 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3e2c09542e0f1d51896694ed1f43db8d`
SHA256	`3f7456a476c096deb62e9b8243e2e1532150cfa1cdbb832f312262120b155add`
CRC32	`1EE456D8`
ssdeep	`49152:J0dpFEjZFgwa0aTuyDAkD4qfFqlYCd6/0ihTFjKiq2:JoFKAhHcCqJ47hTBKiq2`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

taskhost.exe "C:\Users\test22\AppData\Local\Temp\taskhost.exe"
8072

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 14, 2021, 9:58 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636876 registers.edi: 9128432 registers.eax: 1636876 registers.ebp: 1636956 registers.edx: 0 registers.ebx: 9128432 registers.esi: 9128432 registers.ecx: 2	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (3 events)

name

RT_STRING

language

LANG_LITHUANIAN

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

offset

0x0004a040

size

0x0000002c

name

RT_STRING

language

LANG_LITHUANIAN

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

offset

0x0004a040

size

0x0000002c

name

RT_STRING

language

LANG_LITHUANIAN

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

offset

0x0004a040

size

0x0000002c

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 8072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00320000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00005000', u'virtual_address': u'0x00046000', u'entropy': 7.027839161409325, u'name': u'.rsrc', u'virtual_size': u'0x000042b0'}

entropy

7.02783916141

description

A section with a high entropy has been found

Yara rule detected in process memory (8 events)

description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	Install itself for autorun at Windows startup	rule	Persistence

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: dde5c291c4964b5d44e160832d35c7cd6b457d17
buffer	Buffer with sha1: aaec9ec0b4ce164a31bfb9fd36036c48dd35b5bf
buffer	Buffer with sha1: 5097c2428b8d319a8bb086547d3d4f89b53977a9

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 4208 region_size: 1342222336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x15790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000164	1	0	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8072 manipulating memory of non-child process 4208
NtUnmapViewOfSection May 14, 2021, 9:58 a.m.	base_address: 0x15793d6a region_size: 1638060032 process_identifier: 4208 process_handle: 0x00000164		3221225497	0
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 4208 region_size: 1342222336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x15790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000164	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8072 injected into non-child 4208
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: j=y base_address: 0x7efde008 process_identifier: 4208 process_handle: 0x00000164	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8072 called NtSetContextThread to modify thread in remote process 4208
NtSetContextThread May 14, 2021, 9:58 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 1905178218 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f8 process_identifier: 4208	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8072 resumed a thread in remote process 4208
NtResumeThread May 14, 2021, 9:58 a.m.	thread_handle: 0x000000f8 suspend_count: 1 process_identifier: 4208	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 4676 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 14, 2021, 9:58 a.m.	thread_identifier: 8024 thread_handle: 0x000000f8 process_identifier: 4208 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\taskhost.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\taskhost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000164	1	1
NtUnmapViewOfSection May 14, 2021, 9:58 a.m.	base_address: 0x15793d6a region_size: 1638060032 process_identifier: 4208 process_handle: 0x00000164		3221225497
NtAllocateVirtualMemory May 14, 2021, 9:58 a.m.	process_identifier: 4208 region_size: 1342222336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x15790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000164	1	0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x15793d6a process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x54f2b6af process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x6c1ce6af process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x84e1b6e3 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xbe797e35 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x15ba090b process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x24e8e40b process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x5abce813 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x19e3e813 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x571fde6a process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x54d08dd3 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xc0227c6a process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xb6a952e3 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xb6817ea9 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x56d69ea9 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xd51ab6df process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x2af2e113 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x6ac286b3 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x1df67c6a process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x7af2b6df process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x19ba7d0d process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x54f2b6df process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xb6b85fde process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x54d77e9d process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x5b4cdfa9 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x1dba7ce3 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xfc1b45ab process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x8a863412 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x89bae40b process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x84eee40b process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xb6eee40b process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x1b1be63d process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x8ebce813 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x8af23daa process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xbc1a45ab process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x7aca3d6a process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x571fde72 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x56b8b6e3 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x7dba9ac5 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x1dba7ce3 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x63de8ec0 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x93de49df process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x15793fa9 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x7dba9ac5 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xb6817ea9 process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0xc21b3d6a process_identifier: 4208 process_handle: 0x00000164		0
WriteProcessMemory May 14, 2021, 9:58 a.m.	buffer: base_address: 0x68797e35 process_identifier: 4208 process_handle: 0x00000164		0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen13.27443
MicroWorld-eScan	Trojan.GenericKD.36881336
FireEye	Generic.mg.3e2c09542e0f1d51
McAfee	Artemis!3E2C09542E0F
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0057bb441 )
Alibaba	Trojan:Win32/Injector.1773b111
K7GW	Trojan ( 0057bb441 )
Cybereason	malicious.5c3fbd
BitDefenderTheta	Gen:NN.ZevbaF.34688.go3@a052wBaO
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.EPGC
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Trojan.Johnnie-9855122-0
Kaspersky	Trojan.Win32.Miner.avazg
BitDefender	Trojan.GenericKD.36881336
Paloalto	generic.ml
Rising	Dropper.VB!8.B2E (TFE:dGZlOgSwdL1tCPLEYg)
Ad-Aware	Trojan.GenericKD.36881336
Emsisoft	Trojan.GenericKD.36881336 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Trojan.vc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Jiangmin	Trojan.Generic.gwhcv
Avira	TR/Dropper.VB.Gen
MAX	malware (ai score=87)
Gridinsoft	Trojan.Win32.Downloader.oa
Microsoft	Trojan:Win32/Tiggre!rfn
AegisLab	Trojan.Win32.Miner.4!c
ZoneAlarm	Trojan.Win32.Miner.avazg
GData	Win32.Malware.Coinminer.AU0B31
Cynet	Malicious (score: 99)
VBA32	Trojan.VB.Halfman
Malwarebytes	Malware.AI.4153842726
TrendMicro-HouseCall	TROJ_GEN.R002H0CEB21
Tencent	Win32.Trojan.Miner.Lkxw
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Injector.BSHM!tr
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_90% (W)

taskhost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All