Summary | ZeroBOX

download

Generic Malware Anti_VM PE32 PE File
Category FILE
Machine s1_win7_x6402
Started June 24, 2021, 7:45 p.m.
Completed June 24, 2021, 8:01 p.m.
Size 20.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8d318ace341d81a82e32eaa38f88bd3c
SHA256 b47135a689f01b9a5ebb20657d0ae4dcbb71ca0356901f5cd0efb2f30151a91c
CRC32 18395F51
ssdeep 393216:4SlbbD0pRmi0kbAZ/SZCuBY6HOhyg4XbnKnvq1qnjsdPArcE3XhO:4OMRmi0T/SZCuLRrKy1SsRE3xO
Yara
  • PE_Header_Zero - PE File Signature
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • themida_packer - themida packer

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section
section .imports
section .themida
section .boot
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
download+0x15486d9 @ 0x19486d9
download+0x154caff @ 0x194caff

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1638148
registers.edi: 23220224
registers.eax: 1638148
registers.ebp: 1638228
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 2000778283
registers.ecx: 2416771072
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 c4 cf fe ff 33 82 46 ff d0 9c 68 97 4a 72
exception.symbol: download+0x15d64ba
exception.instruction: in eax, dx
exception.module: download.exe
exception.exception_code: 0xc0000096
exception.offset: 22897850
exception.address: 0x19d64ba
registers.esp: 1638268
registers.edi: 30814706
registers.eax: 1750617430
registers.ebp: 23220224
registers.edx: 30824534
registers.ebx: 0
registers.esi: 3916040
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 da 78 02 00 c3 e9 21 28 f1 ff 22 fe 5c 1e
exception.symbol: download+0x1599b42
exception.instruction: in eax, dx
exception.module: download.exe
exception.exception_code: 0xc0000096
exception.offset: 22649666
exception.address: 0x1999b42
registers.esp: 1638268
registers.edi: 30814706
registers.eax: 1447909480
registers.ebp: 23220224
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 3916040
registers.ecx: 10
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25
download+0x14c461d @ 0x18c461d

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x76713ef4
registers.esp: 1637572
registers.edi: 0
registers.eax: 74156432
registers.ebp: 1637600
registers.edx: 1
registers.ebx: 0
registers.esi: 31053232
registers.ecx: 1915696604
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 4936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7743f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0
section (name ' ', virtual_address 0x00001000, virtual_size 0x00000c26, size_of_data 0x000006a7) entropy 7.861408021564017 description A section with a high entropy has been found
section (name ' ', virtual_address 0x00003000, virtual_size 0x0000d6f0, size_of_data 0x0000010b) entropy 7.110180178956598 description A section with a high entropy has been found
section (name ' ', virtual_address 0x00011000, virtual_size 0x011bab00, size_of_data 0x011bac00) entropy 7.942413676590066 description A section with a high entropy has been found
section (name .boot, virtual_address 0x0160d000, virtual_size 0x00256800, size_of_data 0x0025665e) entropy 7.958576165112883 description A section with a high entropy has been found
entropy 0.983272608472 description Overall entropy of this PE file is high
host 172.217.25.14
Time & API Arguments Status Return Repeated

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: ed e9 da 78 02 00 c3 e9 21 28 f1 ff 22 fe 5c 1e
exception.symbol: download+0x1599b42
exception.instruction: in eax, dx
exception.module: download.exe
exception.exception_code: 0xc0000096
exception.offset: 22649666
exception.address: 0x1999b42
registers.esp: 1638268
registers.edi: 30814706
registers.eax: 1447909480
registers.ebp: 23220224
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 3916040
registers.ecx: 10
1 0 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.864286
FireEye Generic.mg.8d318ace341d81a8
ALYac Gen:Variant.Razy.864286
Cylance Unsafe
K7AntiVirus Trojan ( 0057d1a41 )
Alibaba Packed:Win32/Themida.42641a74
K7GW Trojan ( 0057d1a41 )
Cybereason malicious.6b66fd
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.Themida.HVE
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky Trojan-PSW.MSIL.Reline.cqs
BitDefender Gen:Variant.Razy.864286
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Paloalto generic.ml
Ad-Aware Gen:Variant.Razy.864286
Sophos Mal/Generic-S
McAfee-GW-Edition Artemis
Emsisoft Gen:Variant.Razy.864286 (B)
Ikarus Trojan.Win32.Themida
MaxSecure Trojan.Malware.300983.susgen
Avira HEUR/AGEN.1140859
MAX malware (ai score=87)
Microsoft Trojan:Script/Phonzy.B!ml
Gridinsoft Trojan.Heur!.032100A1
Arcabit Trojan.Razy.DD301E
AegisLab Trojan.Win32.Razy.4!c
GData Gen:Variant.Razy.864286
Cynet Malicious (score: 99)
AhnLab-V3 Malware/Win32.RL_Generic.R359576
McAfee Artemis!8D318ACE341D
TrendMicro-HouseCall TROJ_GEN.R002H09FL21
Rising Malware.Heuristic!ET#99% (RDMK:cmRtazpFElodQdH/9l62s9cA/RXF)
SentinelOne Static AI - Suspicious PE
Fortinet W32/PossibleThreat
AVG Win32:Trojan-gen
Panda Trj/CI.A