Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 21, 2021, 1:08 p.m.	June 21, 2021, 1:10 p.m.

Size	14.9MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`ed070e82321e34aca28364015919f78e`
SHA256	`d1483b3180344ec09555db148cc7c21439fef002124bfd7ee74150f0be138375`
CRC32	`0D44C1BE`
ssdeep	`393216:s0SLhn+DwBPwcaVSLo8phZ0K0LzSuEpdTs1Y5nXQz8:HRDwBP68o8phK7hEpdT3XQ`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
7680
- setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
  6692

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2021, 1:08 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 21, 2021, 1:08 p.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (13 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl85.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\pywintypes27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\mfc90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\mfc90u.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tk85.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\pythoncom27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\mfcm90u.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\mfcm90.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000ec00', u'virtual_address': u'0x00046000', u'entropy': 7.297139614323312, u'name': u'.rsrc', u'virtual_size': u'0x0000ea38'}

entropy

7.29713961432

description

A section with a high entropy has been found

entropy

0.220973782772

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 78 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp1255.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macTurkish.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\ebcdic.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp850.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\shiftjis.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso8859-9.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macRoman.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso8859-16.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp862.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macGreek.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp864.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macCroatian.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\jis0201.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\euc-cn.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\tis-620.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso8859-6.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\euc-kr.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp1251.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macUkraine.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso2022-kr.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp936.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\big5.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp1252.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\gb2312.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\ksc5601.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp852.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\ascii.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp857.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp737.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp932.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp861.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp949.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso8859-8.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macRomania.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp866.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso8859-2.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp1250.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso2022-jp.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\koi8-r.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\gb12345.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso8859-7.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\euc-jp.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\jis0208.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macCyrillic.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp865.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso2022.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macCentEuro.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\gb2312-raw.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp869.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\macDingbats.enc

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 952 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\opt0.4\pkgIndex.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\msgs\mr_in.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\Noronha
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Pacific\Wallis
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tk\ttk\panedwindow.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Europe\San_Marino
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Asia\Kuwait
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Asia\Tokyo
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Africa\Gaborone
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\Santo_Domingo
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl85.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Europe\Uzhgorod
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\US\Central
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\msgs\he.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\msgs\ar_sy.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp737.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\msgs\es_pr.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\Indiana\Marengo
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Africa\Monrovia
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\El_Salvador
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\Sao_Paulo
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp865.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\NZ-CHAT
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\msgs\hi.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\Rankin_Inlet
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Asia\Kathmandu
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\gb1988.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\Sitka
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Europe\Madrid
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\iso8859-14.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Asia\Riyadh
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\jis0212.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\US\Alaska
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Asia\Aqtobe
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Asia\Dili
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\Menominee
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Indian\Reunion
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Europe\Jersey
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\America\New_York
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\US\Eastern
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Brazil\West
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Europe\Tallinn
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tk\ttk\scrollbar.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\encoding\cp775.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\MST7MDT
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\msgs\ja.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\msgs\es_uy.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Universal
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Asia\Jerusalem
file	C:\Users\test22\AppData\Local\Temp\_MEI76802\tcl\tzdata\Etc\UTC

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

McAfee	Artemis!ED070E82321E
AegisLab	Trojan.Win32.Shellcode.4!c
Alibaba	Trojan:Win64/IRCBot.bc946815
Cyren	W64/Trojan.WGJV-2227
ESET-NOD32	Python/IRCBot.AB
APEX	Malicious
Paloalto	generic.ml
BitDefender	Generic.Exploit.Shellcode.RDI.3.013D1989
MicroWorld-eScan	Generic.Exploit.Shellcode.RDI.3.013D1989
Ad-Aware	Generic.Exploit.Shellcode.RDI.3.013D1989
F-Secure	Backdoor.BDS/Backdoor.Gen
TrendMicro	TROJ_GEN.R002C0DFJ21
FireEye	Generic.Exploit.Shellcode.RDI.3.013D1989
Emsisoft	Generic.Exploit.Shellcode.RDI.3.013D1989 (B)
Avira	BDS/Backdoor.Gen
MAX	malware (ai score=100)
Microsoft	Backdoor:PHP/Remoteshell.V
GData	Generic.Exploit.Shellcode.RDI.3.013D1989
ALYac	Generic.Exploit.Shellcode.RDI.3.013D1989
Malwarebytes	Malware.AI.3490957629
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DFJ21
eGambit	Trojan.Generic
Fortinet	W32/IRCBot.AB!tr
AVG	Win64:Trojan-gen
Avast	Win64:Trojan-gen

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All