Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 9, 2021, 9 a.m.	Sept. 9, 2021, 9:09 a.m.

Size	99.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4103a2b04ede0d36e5079f6799cdfa14`
SHA256	`b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310`
CRC32	`BBDBBECE`
ssdeep	`1536:ND6lvtwb+xf5+DHztjos4Jmmq9vwzYxaIVUDqeMk3:N+twbk5+ZYmmqRnVU2eMk3`
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals UPX_Zero - UPX packed file IsPE32 - (no description)

BIN.exe "C:\Users\test22\AppData\Local\Temp\BIN.exe"
2516

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.21.31.210	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 9, 2021, 9 a.m.	stacktrace: DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x77ae0000 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 0x5c7e18 exception.instruction_r: 00 34 7e 5c 00 1c 56 6a 02 a4 55 6a 02 00 00 00 exception.instruction: add byte ptr [esi + edi*2], dh exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5c7e1f registers.esp: 1635540 registers.edi: 5111808 registers.eax: 6029336 registers.ebp: 1635644 registers.edx: 2130566132 registers.ebx: 4743636 registers.esi: 69632 registers.ecx: 3872915457	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 9, 2021, 9 a.m.

stacktrace:

DbgUserBreakPoint-0x10008 ntdll+0x0 @ 0x77ae0000
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18
0x5c7e18

exception.instruction_r: 00 34 7e 5c 00 1c 56 6a 02 a4 55 6a 02 00 00 00
exception.instruction: add byte ptr [esi + edi*2], dh
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5c7e1f
registers.esp: 1635540
registers.edi: 5111808
registers.eax: 6029336
registers.ebp: 1635644
registers.edx: 2130566132
registers.ebx: 4743636
registers.esi: 69632
registers.ecx: 3872915457

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 9, 2021, 9 a.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f92000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 9, 2021, 9 a.m.	process_identifier: 2516 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x000170f0

size

0x0000033c

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 9, 2021, 9 a.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00330000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

104.21.31.210

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

104.21.31.210:443

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Elastic	malicious (high confidence)
ALYac	Trojan.GenericKD.46941175
BitDefender	Trojan.GenericKD.46941175
K7GW	Trojan ( 00581ff21 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FKCH
APEX	Malicious
Kaspersky	Trojan.Win32.Mucc.qyf
MicroWorld-eScan	Trojan.GenericKD.46941175
Avast	Win32:Trojan-gen
Ad-Aware	Trojan.GenericKD.46941175
Emsisoft	Trojan.GenericKD.46941175 (B)
Comodo	TrojWare.Win32.UMal.qetvq@0
DrWeb	Trojan.VbCrypt.2331
McAfee-GW-Edition	RDN/Generic.dx
FireEye	Trojan.GenericKD.46941175
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Krypt
GData	Trojan.GenericKD.46941175
Webroot	W32.Trojan.Gen
MAX	malware (ai score=86)
ZoneAlarm	Trojan.Win32.Mucc.qyf
Microsoft	Trojan:Win32/VBObfuse.RA!MTB
McAfee	RDN/Generic.dx
Cylance	Unsafe
Fortinet	W32/GenKryptik.FKCH!tr
BitDefenderTheta	Gen:NN.ZevbaF.34142.gm1@aal7@5nb
AVG	Win32:Trojan-gen
Panda	Trj/RnkBend.A
MaxSecure	Trojan.Malware.300983.susgen

BIN.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All