Summary | ZeroBOX

ipk.exe

Tags: Malicious Packer, PE32, PE File
Category FILE
Machine s1_win7_x6401
Started June 24, 2021, 9:07 a.m.
Completed June 24, 2021, 9:43 a.m.
Size 89.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f17b3c3000d658c9b90ac9cace3b1ebf
SHA256 4b4a677a8035537233757f522aee7e234789189a5ee193d251efad22fdd3598c
CRC32 0F6A4108
ssdeep 1536:Wi0NGfQpi7M5Dxhsnma97n2tRRMcG8acC9REHr7dQo283QcA0I:WXKma972tRRMcG80wak3QV1
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action)
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755c0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755c0d4d
ipk+0x6d6f @ 0x406d6f
ipk+0x45ae @ 0x4045ae
ipk+0x537a @ 0x40537a
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
ipk+0x1945 @ 0x401945
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7
IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead
IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1
IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18
BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
ipk+0x14d6 @ 0x4014d6
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: f3 a5 0b ca 75 05 5f 5e c2 0c 00 f3 a4 5f 5e c2
exception.symbol: RtlMoveMemory+0x1b RtlFindActivationContextSectionGuid-0x270 ntdll+0x63c5b
exception.instruction: movsd dword ptr es:[edi], dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 408667
exception.address: 0x77403c5b
registers.esp: 1636024
registers.edi: 30605312
registers.eax: 2000698432
registers.ebp: 1636228
registers.edx: 0
registers.ebx: 2847238
registers.esi: 1027321201
registers.ecx: 62
status: 1
return: 0
repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x01c60000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

Antivirus (Engine / Detection)
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb Trojan.VbCrypt.250
MicroWorld-eScan Gen:Variant.Johnnie.353991
FireEye Generic.mg.f17b3c3000d658c9
CAT-QuickHeal Trojan.Mpdd
McAfee PWS-Zbot-FBFT!F17B3C3000D6
Cylance Unsafe
AegisLab Trojan.Win32.MPDD.9!c
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba DDoS:Win32/NewHeur.04289eaf
K7GW Trojan ( 0050ce7a1 )
K7AntiVirus Trojan ( 0050ce7a1 )
BitDefenderTheta AI:Packer.CB76D6BF1F
Cyren W32/VBTrojan.9!Maximus
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of NewHeur_VB_Trojan.22
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-DDoS.Win32.MPDD.z
BitDefender Gen:Variant.Johnnie.353991
NANO-Antivirus Trojan.Win32.MPDD.iwoqax
Avast Win32:Trojan-gen
Ad-Aware Gen:Variant.Johnnie.353991
Emsisoft Gen:Variant.Johnnie.353991 (B)
Comodo TrojWare.Win32.Inject.ALCI@53390z
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06CC0PFI21
McAfee-GW-Edition BehavesLike.Win32.Swisyn.mh
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_99%
Avira TR/Dropper.Gen
MAX malware (ai score=100)
Microsoft Trojan:MSIL/Cryptor
GData Gen:Variant.Johnnie.353991
Cynet Malicious (score: 100)
VBA32 Malware-Cryptor.VB.gen.1
ALYac Gen:Variant.Johnnie.353991
Malwarebytes Malware.AI.4135998057
TrendMicro-HouseCall TROJ_GEN.R06CC0PFI21
Tencent Win32.Trojan.Dropper.Ebgl
Yandex Trojan.VbCrypt!+ZlTKsvbZmQ
Ikarus Trojan.NewHeur_VB_Trojan
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/CoinMiner.AAPK!tr
AVG Win32:Trojan-gen
Cybereason malicious.000d65
Panda Trj/CI.A