Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 29, 2021, 1:45 p.m.	June 29, 2021, 1:48 p.m.

Size	100.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`92d8c89e8dc92d61a9ff78a304711791`
SHA256	`0e4c2040ee56cf81df3334e99fb2e419e9ed81a3c9d47bd8f57bb8a95a927baa`
CRC32	`97978D86`
ssdeep	`1536:I+32lhFXyi+aXm+CCAUAPkxP8ZSa6THm2vI4V:IjxXKLqJAshTHVvI4V`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

92d8c89e8dc92d61a9ff78a304711791.exe "C:\Users\test22\AppData\Local\Temp\92d8c89e8dc92d61a9ff78a304711791.exe"
1932

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
192.250.240.130	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 29, 2021, 1:45 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Foreign language identified in PE resource (26 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016e40

size

0x00000428

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016cf0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016cf0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016cf0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016cf0

size

0x00000128

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00017288

size

0x000000d4

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000175d0

size

0x0000020e

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000175d0

size

0x0000020e

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000180e8

size

0x0000003a

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00017360

size

0x00000070

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016e18

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016e18

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000177e0

size

0x000002e0

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00017268

size

0x0000001e

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (36 events)

Time & API	Arguments	Status	Return
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: mobsync.exe process_identifier: 8816	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: pw.exe process_identifier: 3220	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: taskhost.exe process_identifier: 6464	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: cmd.exe process_identifier: 6856	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: conhost.exe process_identifier: 8356	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: 92d8c89e8dc92d61a9ff78a304711791.exe process_identifier: 1932	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: pw.exe process_identifier: 7092	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: slui.exe process_identifier: 8768	1	1
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: slui.exe process_identifier: 6881397		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000214 process_name: slui.exe process_identifier: 7602224		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000118 process_name: slui.exe process_identifier: 7536688		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000210 process_name: slui.exe process_identifier: 3014768		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000218 process_name: slui.exe process_identifier: 7274573		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000021c process_name: slui.exe process_identifier: 5046390		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000220 process_name: slui.exe process_identifier: 6815859		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000228 process_name: slui.exe process_identifier: 7602277		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000022c process_name: slui.exe process_identifier: 6619235		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000230 process_name: slui.exe process_identifier: 4456552		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000234 process_name: slui.exe process_identifier: 7536758		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000238 process_name: slui.exe process_identifier: 6684769		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000023c process_name: slui.exe process_identifier: 4390992		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000240 process_name: process_identifier: 5439572		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000244 process_name: slui.exe process_identifier: 6619182		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000248 process_name: slui.exe process_identifier: 6553715		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000024c process_name: slui.exe process_identifier: 5046338		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000250 process_name: slui.exe process_identifier: 6619246		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000254 process_name: slui.exe process_identifier: 6750273		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000258 process_name: slui.exe process_identifier: 7471220		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000025c process_name: slui.exe process_identifier: 7733331		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000260 process_name: slui.exe process_identifier: 4980808		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000264 process_name: slui.exe process_identifier: 6619251		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000268 process_name: slui.exe process_identifier: 7864421		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000026c process_name: slui.exe process_identifier: 3342387		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000270 process_name: slui.exe process_identifier: 3014722		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000274 process_name: process_identifier: 7733362		0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000278 process_name: slui.exe process_identifier: 6553705		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 29, 2021, 1:45 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (30 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000d8 process_name: slui.exe process_identifier: 6881397		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x000000e8 process_name: slui.exe process_identifier: 6881397		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000214 process_name: slui.exe process_identifier: 7602224		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000118 process_name: slui.exe process_identifier: 7536688		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000210 process_name: slui.exe process_identifier: 3014768		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000218 process_name: slui.exe process_identifier: 7274573		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000021c process_name: slui.exe process_identifier: 5046390		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000220 process_name: slui.exe process_identifier: 6815859		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000224 process_name: slui.exe process_identifier: 6881397		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000228 process_name: slui.exe process_identifier: 7602277		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000022c process_name: slui.exe process_identifier: 6619235		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000230 process_name: slui.exe process_identifier: 4456552		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000234 process_name: slui.exe process_identifier: 7536758		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000238 process_name: slui.exe process_identifier: 6684769		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000023c process_name: slui.exe process_identifier: 4390992		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000240 process_name: process_identifier: 5439572		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000244 process_name: slui.exe process_identifier: 6619182		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000248 process_name: slui.exe process_identifier: 6553715		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000024c process_name: slui.exe process_identifier: 5046338		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000250 process_name: slui.exe process_identifier: 6619246		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000254 process_name: slui.exe process_identifier: 6750273		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000258 process_name: slui.exe process_identifier: 7471220		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000025c process_name: slui.exe process_identifier: 7733331		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000260 process_name: slui.exe process_identifier: 4980808		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000264 process_name: slui.exe process_identifier: 6619251		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000268 process_name: slui.exe process_identifier: 7864421		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x0000026c process_name: slui.exe process_identifier: 3342387		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000270 process_name: slui.exe process_identifier: 3014722		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000274 process_name: process_identifier: 7733362		0	0
Process32NextW June 29, 2021, 1:45 p.m.	snapshot_handle: 0x00000278 process_name: slui.exe process_identifier: 6553705		0	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	192.250.240.130

Creates known Nitol/ServStart files, registry keys and/or mutexes (1 event)

regkey

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Software\Defghi Klmnopqr Tuv\MarkTime

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Graftor.860945
FireEye	Generic.mg.92d8c89e8dc92d61
ALYac	Gen:Variant.Graftor.860945
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
Alibaba	Trojan:Win32/Farfli.b1c6193c
Cybereason	malicious.e8dc92
BitDefenderTheta	Gen:NN.ZexaCO.34758.gq0@aKtA@6ab
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Gh0stRAT-7459730-1
Kaspersky	HEUR:Backdoor.Win32.Lotok.gen
BitDefender	Gen:Variant.Graftor.860945
Paloalto	generic.ml
Rising	Trojan.Kryptik!1.CC61 (CLASSIC)
Ad-Aware	Gen:Variant.Graftor.860945
Emsisoft	Gen:Variant.Graftor.860945 (B)
McAfee-GW-Edition	RDN/Generic.grp
Ikarus	Trojan.Win32.Farfli
eGambit	Unsafe.AI_Score_58%
Avira	TR/AD.Farfli.ngrmt
MAX	malware (ai score=99)
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/Ditertag.A
Gridinsoft	Trojan.Win32.Agent.oa
Arcabit	Trojan.Graftor.DD2311
GData	Gen:Variant.Graftor.860945
Cynet	Malicious (score: 99)
McAfee	RDN/Generic.grp
TrendMicro-HouseCall	TROJ_GEN.R002H07FP21
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Kryptik.HFPG!tr
AVG	Win32:Malware-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_80% (W)

92d8c89e8dc92d61a9ff78a304711791.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All