Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 25, 2021, 11:35 a.m.	June 25, 2021, 11:37 a.m.

Size	109.0KB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`5647f5ae95b3fe769f47c214d85989ac`
SHA256	`14c369419759256f0282034b23797c6f279ecbd283ff1b32c930773af9b54b9e`
CRC32	`D71D6CF9`
ssdeep	`1536:+1cq2U2JhHk+GoMctoraGH/oBBiaLiP56k6om2zvtAyhRCVjDZndjLRYqYQ:+cs2JhXPkH8BXojRAqR+1nr`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

April_2016_IMG128315 jpeg.jpeg.exe "C:\Users\test22\AppData\Local\Temp\April_2016_IMG128315 jpeg.jpeg.exe"
1868
- explorer.exe "C:\Windows\system32\explorer.exe"
  2260

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 25, 2021, 11:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:35 a.m.	computer_name: TEST22-PC	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	driz1
section	4datr1
section	.restr1
section	tyrz

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 225280 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:35 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d82000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00018200', u'virtual_address': u'0x0001d000', u'entropy': 7.181275614533558, u'name': u'.restr1', u'virtual_size': u'0x000181f0'}

entropy

7.18127561453

description

A section with a high entropy has been found

entropy

0.914691943128

description

Overall entropy of this PE file is high

Yara rule detected in process memory (11 events)

description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Executes one or more WMI queries which can be used to identify virtual machines (4 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_ComputerSystem
wmi	SELECT * FROM Win32_PhysicalMemory

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer

reg_value

C:\Users\test22\AppData\Roaming\GUuzajq0tkqRWTX8J2W8ecEfgFcv.exe

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 25, 2021, 11:35 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000238 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 128 (FILE_ATTRIBUTE_NORMAL) filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl June 25, 2021, 11:35 a.m.	input_buffer: control_code: 458752 (IOCTL_DISK_GET_DRIVE_GEOMETRY) device_handle: 0x00000238 output_buffer: Qÿ?	1	1	0

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntiVirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_PhysicalMemory
wmi	SELECT * FROM Win32_ComputerSystem
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_SystemEnclosure
wmi	SELECT * FROM Win32_Processor

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1868 called NtSetContextThread to modify thread in remote process 2260
NtSetContextThread June 25, 2021, 11:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 1063920 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000016c process_identifier: 2260	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1868 resumed a thread in remote process 2260
NtResumeThread June 25, 2021, 11:35 a.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2260	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 25, 2021, 11:35 a.m.	thread_identifier: 2680 thread_handle: 0x0000016c process_identifier: 2260 current_directory: filepath: C:\Windows\System32\explorer.exe track: 1 command_line: filepath_r: C:\Windows\system32\explorer.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000164	1	1	0

Executed a process and injected code into it, probably while unpacking (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 25, 2021, 11:35 a.m.	thread_identifier: 2680 thread_handle: 0x0000016c process_identifier: 2260 current_directory: filepath: C:\Windows\System32\explorer.exe track: 1 command_line: filepath_r: C:\Windows\system32\explorer.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000164	1	1
NtGetContextThread June 25, 2021, 11:35 a.m.	thread_handle: 0x0000016c	1	0
NtMapViewOfSection June 25, 2021, 11:35 a.m.	section_handle: 0x00000174 process_identifier: 2260 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00100000 allocation_type: 0 () section_offset: 0 view_size: 77824 process_handle: 0x00000164	1	0
NtSetContextThread June 25, 2021, 11:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 1063920 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000016c process_identifier: 2260	1	0
NtResumeThread June 25, 2021, 11:35 a.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2260	1	0

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.3181080
FireEye	Generic.mg.5647f5ae95b3fe76
CAT-QuickHeal	Ransomware.Locky.WR9
McAfee	Generic.ys
Cylance	Unsafe
Zillya	Dropper.Injector.Win32.77125
SUPERAntiSpyware	Trojan.Agent/Gen-Malagent
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Agentb.5bd1f908
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.e95b3f
Arcabit	Trojan.Generic
TrendMicro	TROJ_INJECTO.DPZ
Baidu	Win32.Trojan.Kryptik.pd
Cyren	W32/Trojan.BYJI-4616
Symantec	W32.Gosys
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Locky-28209
Kaspersky	Trojan.Win32.Agentb.bsgn
BitDefender	Trojan.GenericKD.3181080
NANO-Antivirus	Trojan.Win32.Fareit.fcgwnn
Paloalto	generic.ml
ViRobot	Trojan.Win32.Agent.96256.AK
Rising	Ransom.Locky!8.1CD4 (TFE:1:CnBJHqPajgI)
Ad-Aware	Trojan.GenericKD.3181080
Emsisoft	Trojan.GenericKD.3181080 (B)
Comodo	TrojWare.Win32.TrojanDownloader.Waski.DYS@6118f4
F-Secure	Trojan.TR/Crypt.ZPACK.ewim
DrWeb	Trojan.Encoder.3976
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-R + Troj/Agent-ARMA
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Sophos	Troj/Agent-ARMA
Ikarus	Trojan.Win32.Agent
Webroot	W32.Trojan.Gen
Avira	TR/Crypt.ZPACK.ewim
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Win32.Agentb
Microsoft	Ransom:Win32/Locky
AegisLab	Trojan.Win32.Upatre.mCSi
ZoneAlarm	Trojan.Win32.Agentb.bsgn
GData	Win32.Trojan.Agent.E86EG0
Cynet	Malicious (score: 100)
AhnLab-V3	Win-Trojan/Lockycrypt.Gen
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34254.gqW@ayXmQio

April_2016_IMG128315 jpeg.jpeg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All