Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 22, 2021, 10:57 a.m.	July 22, 2021, 11:02 a.m.

Size	442.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`de9a1e3fbb72d4a01fabee53230f2017`
SHA256	`0a3c1d6736893714d0e5552795fb8ba026ba2bd3f5e34afd975b9d463c1e46fe`
CRC32	`0449F403`
ssdeep	`12288:c0gg5IfdyZTg1JjOQKZCqHYWv8IECAX4LdDRveu4nUu:3C1ZnOQkxrtvlRveuoUu`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

lv.exe "C:\Users\test22\AppData\Local\Temp\lv.exe"
1164
- 4.exe "C:\Users\test22\AppData\Local\Temp\New Feature\4.exe"
  2144
- vpn.exe "C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe"
  2180

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2021, 10:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x767a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2144 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:57 a.m.	process_identifier: 2180 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Program Files (x86)\foler\olader\acppage.dll
file	C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file	C:\Program Files (x86)\foler\olader\acledit.dll
file	C:\Users\test22\AppData\Local\Temp\nsk56A7.tmp\UAC.dll
file	C:\Program Files (x86)\foler\olader\adprovider.dll
file	C:\Users\test22\AppData\Local\Temp\New Feature\4.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsk56A7.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file	C:\Users\test22\AppData\Local\Temp\New Feature\4.exe

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Elastic	malicious (high confidence)
McAfee	RDN/Generic PWS.y
Alibaba	TrojanPSW:Win32/Coins.975c0d61
K7GW	Trojan ( 0054c4a01 )
K7AntiVirus	Trojan ( 0054c4a01 )
Cyren	W32/Kryptik.EMQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	HEUR:Trojan-Dropper.Win32.Scrop.gen
BitDefender	Dropped:Trojan.GenericKD.37271163
MicroWorld-eScan	Dropped:Trojan.GenericKD.37271163
Tencent	Win32.Trojan-qqpass.Qqrob.Wvaw
Ad-Aware	Dropped:Trojan.GenericKD.37271163
McAfee-GW-Edition	RDN/Generic PWS.y
FireEye	Dropped:Trojan.GenericKD.37271163
Emsisoft	Dropped:Trojan.GenericKD.37271163 (B)
Avira	HEUR/AGEN.1140896
Microsoft	Trojan:Win32/Azorult.FW!MTB
Arcabit	Trojan.Agent.FKRS
GData	Win32.Trojan.BSE.HLJWVB
AhnLab-V3	Trojan/Win.Generic.C4560100
ALYac	Gen:Variant.Doina.10795
MAX	malware (ai score=86)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Malware.AI.4024116118
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002H0CGL21
Rising	Trojan.Generic@ML.87 (RDML:tiq5AN7OtVhpYyLdL2oWuw)
Ikarus	Trojan-Downloader.Win32.Glupteba
eGambit	Unsafe.AI_Score_83%
AVG	NSIS:MalwareX-gen [Trj]
Cybereason	malicious.04551b
Avast	NSIS:MalwareX-gen [Trj]
Qihoo-360	Win32/TrojanDropper.Scrop.HgIASY0A

lv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All