Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 7, 2021, 10:53 a.m.	July 7, 2021, 10:58 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`13cf6e639bd4d6c7478f438e001beec7`
SHA256	`548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0`
CRC32	`A772940A`
ssdeep	`49152:p528wME4n6U/COuRMdt/8zexPwT0zZb9Im/xnGi5GvJs:bdFuzelA01si5CJs`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

119.exe "C:\Users\test22\AppData\Local\Temp\119.exe"
8212

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
31.44.184.119	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	fta3
section	.fta2

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 7, 2021, 10:53 a.m.	process_identifier: 8212 region_size: 1777664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2021, 10:53 a.m.	process_identifier: 8212 region_size: 1773568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 10:53 a.m.	process_identifier: 8212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1871872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

119.exe tried to sleep 302 seconds, actually delayed analysis time by 302 seconds

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (41 events)

Time & API	Arguments	Status	Return
Process32FirstW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: [System Process] process_identifier: 0	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: System process_identifier: 4	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: smss.exe process_identifier: 224	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: services.exe process_identifier: 440	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: pw.exe process_identifier: 2596	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: taskhost.exe process_identifier: 4032	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: 119.exe process_identifier: 8212	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: cmd.exe process_identifier: 3532	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: conhost.exe process_identifier: 5096	1	1
Process32NextW July 7, 2021, 10:53 a.m.	snapshot_handle: 0x00000148 process_name: pw.exe process_identifier: 9076	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 7, 2021, 10:53 a.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001c5800', u'virtual_address': u'0x00007000', u'entropy': 7.408173389150699, u'name': u'.fta2', u'virtual_size': u'0x001c560f'}

entropy

7.40817338915

description

A section with a high entropy has been found

entropy

0.943317732709

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	31.44.184.119

Installs itself for autorun at Windows startup (1 event)

service_name

s3svc

service_path

C:\Users\test22\AppData\Local\Temp\119.exe -r

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA July 7, 2021, 10:53 a.m.	service_start_name: start_type: 2 password: display_name: Enterprise Mailing Service filepath: C:\Users\test22\AppData\Local\Temp\119.exe -r service_name: s3svc filepath_r: C:\Users\test22\AppData\Local\Temp\119.exe -r desired_access: 983551 service_handle: 0x007094b8 error_control: 1 service_type: 16 service_manager_handle: 0x00709468	1	7378104	0

Generates some ICMP traffic

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Malwarebytes	Malware.AI.960227836
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.8bdb94
Symantec	Packed.Generic.459
APEX	Malicious
Kaspersky	VHO:Trojan.Win32.Bsymem.gen
FireEye	Generic.mg.13cf6e639bd4d6c7
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Generic
eGambit	PE.Heur.InvalidSig
Antiy-AVL	Trojan/Generic.ASCommon.1BE
Microsoft	Program:Win32/Wacapew.C!ml
Gridinsoft	Trojan.Heur!.00012131
Cylance	Unsafe
Rising	Trojan.Kryptik!1.C73F (CLASSIC)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Ursnif.CZ!tr.spy
BitDefenderTheta	Gen:NN.ZexaF.34790.4z1@a8wOM2gi
Qihoo-360	HEUR/QVM20.1.68E7.Malware.Gen

119.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All