Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 4, 2021, 1:54 p.m.	Sept. 4, 2021, 2:07 p.m.

Size	564.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`250e548c641a259913efe572efa37914`
SHA256	`d59cc2a48ae66096aadcf1ea1b7ae46fb0f56fe19ac5d82320a7ff68bc982d49`
CRC32	`7F0A9FB5`
ssdeep	`12288:QWxI5X0kR9LqnuATDxM2PDeejWr8ivlNvhA01rWzHpN3plMCb:ZI0kRR+uaDLdjWgISHp/6C`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

pcpedemo.exe "C:\Users\test22\AppData\Local\Temp\pcpedemo.exe"
2220
- pcpedemo.exe "C:\Users\test22\AppData\Local\Temp\9f4108b9e5\pcpedemo.exe"
  1896

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 4, 2021, 1:54 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 4, 2021, 1:54 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c10000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c10000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c10000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c10000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c10000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06170000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06170000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06170000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06170000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06170000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (2 events)

name

RT_RCDATA

language

LANG_ARABIC

filetype

Zip archive data, at least v2.0 to extract

sublanguage

SUBLANG_NEUTRAL

offset

0x0005ecf0

size

0x00057411

name

RT_RCDATA

language

LANG_ARABIC

filetype

Zip archive data, at least v2.0 to extract

sublanguage

SUBLANG_NEUTRAL

offset

0x0005ecf0

size

0x00057411

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\9f4108b9e5\pcpedemo.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\9f4108b9e5\pcpedemo.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\9f4108b9e5\pcpedemo.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05c10000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00009000', u'virtual_address': u'0x0002c000', u'entropy': 6.800123093513604, u'name': u'.data', u'virtual_size': u'0x00031768'}

entropy

6.80012309351

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00058108', u'virtual_address': u'0x0005e000', u'entropy': 7.9941350430829985, u'name': u'.rsrc', u'virtual_size': u'0x00058f5a'}

entropy

7.99413504308

description

A section with a high entropy has been found

entropy

0.692998480052

description

Overall entropy of this PE file is high

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

DrWeb	Trojan.MulDrop6.43174
Zillya	Trojan.GenericKD.Win32.10528
K7AntiVirus	Trojan ( 0055e3ef1 )
K7GW	Trojan ( 0055e3ef1 )
APEX	Malicious
Paloalto	generic.ml
NANO-Antivirus	Trojan.Win32.Drop.eyzxwn
Avast	FileRepMalware
McAfee-GW-Edition	BehavesLike.Win32.Gael.hc
Jiangmin	Trojan.StartPage.ckn
Antiy-AVL	Trojan/Generic.ASMalwS.18F6853
McAfee	Artemis!250E548C641A
Rising	Trojan.Generic@ML.93 (RDML:d3pNRJ5EMfbcg+aGO2pzYg)
Yandex	Trojan.GenAsa!0kueZvHlrWs
AVG	FileRepMalware
MaxSecure	Trojan.Malware.300983.susgen

pcpedemo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All