Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 23, 2021, 8:24 a.m.	Sept. 23, 2021, 8:27 a.m.

Size	3.1MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`8db72b47d0e9b71bd08f6adf47818291`
SHA256	`497cf5588ab1e6fe25e37346d688a9f3a5aac924a384aab4bb0e4899b049bfc2`
CRC32	`C31F68A1`
ssdeep	`98304:g209YD7r72Bs+oKTXAQ2liHfk4+eCUifpck:cYD7Wu+oKTXp2gJ7ifSk`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Lazarus_Zero - Lazarus Generic Malware anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library themida_packer - themida packer IsPE32 - (no description)

24.exe "C:\Users\test22\AppData\Local\Temp\24.exe"
1868

Name	Response	Post-Analysis Lookup
tambisup.com	A 2.57.90.16 A 91.206.15.183	2.57.90.16

IP Address	Status	Action
164.124.101.2	Active	Moloch
2.57.90.16	Active	Moloch
91.206.15.183	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 23, 2021, 8:24 a.m.			0	0
IsDebuggerPresent Sept. 23, 2021, 8:24 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 23, 2021, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cd280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2021, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cd280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2021, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cd300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 23, 2021, 8:24 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	Asus Exp
section	.themida
section	.boot

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Sept. 23, 2021, 8:24 a.m.	stacktrace: 24+0x3d7b6b @ 0xf67b6b 24+0x3ad293 @ 0xf3d293 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 49 79 31 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2488880 registers.edi: 12632064 registers.eax: 2488880 registers.ebp: 2488960 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2000778283 registers.ecx: 3471507456	1
__exception__ Sept. 23, 2021, 8:24 a.m.	stacktrace: exception.instruction_r: ed e9 1c 8e 02 00 c3 e9 d4 a5 fe ff bf 62 77 af exception.symbol: 24+0x3fc66e exception.instruction: in eax, dx exception.module: 24.exe exception.exception_code: 0xc0000096 exception.offset: 4179566 exception.address: 0xf8c66e registers.esp: 2489000 registers.edi: 14864473 registers.eax: 1750617430 registers.ebp: 12632064 registers.edx: 22614 registers.ebx: 12124160 registers.esi: 14218144 registers.ecx: 20	1
__exception__ Sept. 23, 2021, 8:24 a.m.	stacktrace: exception.instruction_r: ed e9 21 06 02 00 f1 bf ae f8 7e e7 f6 34 0a 00 exception.symbol: 24+0x3ff9fc exception.instruction: in eax, dx exception.module: 24.exe exception.exception_code: 0xc0000096 exception.offset: 4192764 exception.address: 0xf8f9fc registers.esp: 2489000 registers.edi: 14864473 registers.eax: 1447909480 registers.ebp: 12632064 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14218144 registers.ecx: 10	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 127 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a8b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a8b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7575c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75735000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a84000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75483000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a7b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7574c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2021, 8:24 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

24.exe tried to sleep 175 seconds, actually delayed analysis time by 175 seconds

The binary likely contains encrypted or compressed data indicative of a packer (12 events)

section

{u'size_of_data': u'0x00019a00', u'virtual_address': u'0x00002000', u'entropy': 7.982323021221648, u'name': u' ', u'virtual_size': u'0x00034000'}

entropy

7.98232302122

description