popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

console-play.exe

Gen1 Generic Malware UPX Malicious Library Malicious Packer Anti_VM GIF Format PE64 .NET DLL PNG Format PE File OS Processor Check PE32 DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 17, 2021, 7:35 a.m. Aug. 17, 2021, 7:37 a.m.
Size 6.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a43be7341e3d13810d20b9e64e329c83
SHA256 e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464
CRC32 7DD1AC97
ssdeep 98304:oSilBhaEFMX+MEGi6OEJ0ehjDhGSib2RDWBXW4Gd72eg7GpAadkBlsr1SFF0:KhaIRMEXehxitdogqtqBq9
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .itext
section .didata
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 console-play+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 console-play+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x20e90c dbkFCallWrapperAddr-0xded4 console-play+0x2c476c @ 0x6c476c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 1637804
registers.edi: 0
registers.eax: 1637804
registers.ebp: 1637884
registers.edx: 0
registers.ebx: 3
registers.esi: 2
registers.ecx: 7
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 745472
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 196608
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73522000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73522000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73193000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 745472
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 196608
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73492000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73492000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02200000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73173000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 10910482432
free_bytes_available: 10910482432
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bouncy for .NET Helper\Bouncy for .NET Helper.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bouncy for .NET Helper\Bouncy for .NET Helper.lnk
file C:\Users\test22\AppData\Local\Temp\is-HOKII.tmp\console-play.tmp
Time & API Arguments Status Return Repeated

RegOpenKeyExW

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{C6589130-07A1-40ED-9BA6-A548F96A7EF8}_is1
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C6589130-07A1-40ED-9BA6-A548F96A7EF8}_is1
2 0
cmdline C:\Users\test22\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe
cmdline "C:\Users\test22\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"
file C:\Users\test22\AppData\Local\Temp\is-HOKII.tmp\console-play.tmp
MicroWorld-eScan Trojan.GenericKD.37403811
FireEye Trojan.GenericKD.37403811
Sangfor Backdoor.Win32.Androm.usiw
Alibaba Backdoor:Win32/Androm.4358452e
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/GenCBL.ARN
Kaspersky Backdoor.Win32.Androm.usiw
BitDefender Trojan.GenericKD.37403811
Avast Win32:DangerousSig [Trj]
Ad-Aware Trojan.GenericKD.37403811
Emsisoft Trojan.GenericKD.37403811 (B)
McAfee-GW-Edition Artemis!Trojan
Sophos Mal/Generic-S
MAX malware (ai score=85)
GData Win32.Trojan-Spy.Ursnif.KGNOB5
McAfee Artemis!A43BE7341E3D
TrendMicro-HouseCall TROJ_GEN.R002H0DHD21
Ikarus Trojan.Win32.Agent
Fortinet W32/Androm.USIW!tr.bdr
AVG Win32:DangerousSig [Trj]
Qihoo-360 Win32/Backdoor.Androm.HgIASaQA