Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 14, 2021, 12:32 p.m.	June 14, 2021, 12:36 p.m.

Size	777.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`cf1048a8362b93b9cdf47260b50d8f37`
SHA256	`cb9cd8363620446c577396dd11ca16cd0ac377534c7a708cac3f94ce6d898279`
CRC32	`68EBDAB7`
ssdeep	`12288:wZJ5gK0I2omOHu1/CQ8tl//tR05iIm5Cqz7cQuBcTex:s6KlifUQ8bHtUm8qz7IBR`
PDB Path	WindowsApp26.pdb
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

Serwices.exe "C:\Users\test22\AppData\Local\Temp\Serwices.exe"
2972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 14, 2021, 12:33 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 14, 2021, 12:33 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 14, 2021, 12:32 p.m.			0	0
IsDebuggerPresent June 14, 2021, 12:32 p.m.			0	0
IsDebuggerPresent June 14, 2021, 12:33 p.m.			0	0
IsDebuggerPresent June 14, 2021, 12:33 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 14, 2021, 12:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006844d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2021, 12:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00684518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2021, 12:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00684518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

WindowsApp26.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 14, 2021, 12:32 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:32 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:33 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:33 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:33 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2021, 12:33 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00491000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000c1a00', u'virtual_address': u'0x00002000', u'entropy': 7.91688767112936, u'name': u'.text', u'virtual_size': u'0x000c1934'}

entropy

7.91688767113

description

A section with a high entropy has been found

entropy

0.997424339987

description

Overall entropy of this PE file is high

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37072276
FireEye	Generic.mg.cf1048a8362b93b9
ALYac	Trojan.GenericKD.37072276
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:MSIL/XetimaLogger.f54f4107
K7GW	Spyware ( 004bf53c1 )
K7AntiVirus	Spyware ( 004bf53c1 )
BitDefenderTheta	Gen:NN.ZemsilF.34738.Wm0@aSZBcShi
Cyren	W32/Trojan.FYQT-6819
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	MSIL/Spy.Agent.AES
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.37072276
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Noon.l!c
Ad-Aware	Trojan.GenericKD.37072276
Emsisoft	Trojan.GenericKD.37072276 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R049C0PFC21
McAfee-GW-Edition	RDN/Generic PWS.y
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanSpy.MSIL.blvx
Webroot	W32.Trojan.GenKD
Avira	TR/AD.XetimaLogger.qahko
MAX	malware (ai score=85)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/AgentTesla!ml
ViRobot	Trojan.Win32.Z.Win.795648
GData	Trojan.GenericKD.37072276
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4491642
McAfee	RDN/Generic PWS.y
VBA32	TScope.Trojan.MSIL
Malwarebytes	MachineLearning/Anomalous.95%
TrendMicro-HouseCall	TROJ_GEN.R049C0PFC21
Ikarus	Trojan.MSIL.Spy
Fortinet	W32/Noon.AES!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.99e4a5
Panda	Trj/GdSda.A

Serwices.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All