Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 28, 2021, 1:46 p.m.	Sept. 28, 2021, 1:58 p.m.

Size	755.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fa0b89043edf03a3e3c27f0ad56114ea`
SHA256	`9f8d67fdc1473c31193fb36e7ca37005c9af1c4052f8944c42f4eb0ba6188448`
CRC32	`2E838C1D`
ssdeep	`12288:xEO2OYzW3RbnYxGtGnYxGtX0i5t7KY2JaGNK6laMSWcyoiY+Y683h:b25zW3Ro05gSeiY+V4h`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

winpro.exe "C:\Users\test22\AppData\Local\Temp\winpro.exe"
2480

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
79.134.225.19	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

CUSTOM

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Sept. 28, 2021, 1:46 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1636092 registers.edi: 6471776 registers.eax: 1636092 registers.ebp: 1636172 registers.edx: 0 registers.ebx: 6471776 registers.esi: 6471776 registers.ecx: 2	1
__exception__ Sept. 28, 2021, 1:46 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1636660 registers.edi: 1636848 registers.eax: 1636660 registers.ebp: 1636740 registers.edx: 0 registers.ebx: 6471776 registers.esi: 1636848 registers.ecx: 2	1
__exception__ Sept. 28, 2021, 1:46 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1636744 registers.edi: 1636932 registers.eax: 1636744 registers.ebp: 1636824 registers.edx: 0 registers.ebx: 6471776 registers.esi: 1636932 registers.ecx: 2	1
__exception__ Sept. 28, 2021, 1:46 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1634792 registers.edi: 6471776 registers.eax: 1634792 registers.ebp: 1634872 registers.edx: 0 registers.ebx: 6471776 registers.esi: 6471776 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f92000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e23000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_STRING

language

LANG_LITHUANIAN

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

offset

0x0004ad2c

size

0x00000030

name

RT_STRING

language

LANG_LITHUANIAN

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

offset

0x0004ad2c

size

0x00000030

name

RT_STRING

language

LANG_LITHUANIAN

filetype

data

sublanguage

SUBLANG_LITHUANIAN_CLASSIC

offset

0x0004ad2c

size

0x00000030

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00890000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00033000', u'virtual_address': u'0x00001000', u'entropy': 7.6040704176827205, u'name': u'.text', u'virtual_size': u'0x00032740'}

entropy

7.60407041768

description

A section with a high entropy has been found

entropy

0.708333333333

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

79.134.225.19

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.938017
FireEye	Generic.mg.fa0b89043edf03a3
CAT-QuickHeal	Trojan.Multi
ALYac	Gen:Variant.Razy.938017
Malwarebytes	Trojan.Injector
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Scarsi.42a972e5
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.446097
BitDefenderTheta	Gen:NN.ZevbaF.34170.Vm3@aerl0KaO
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.EQDR
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Scarsi.axgt
BitDefender	Gen:Variant.Razy.938017
NANO-Antivirus	Trojan.Win32.Scarsi.jchqpy
Avast	Win32:Malware-gen
Ad-Aware	Gen:Variant.Razy.938017
McAfee-GW-Edition	BehavesLike.Win32.Autorun.bc
Emsisoft	Gen:Variant.Razy.938017 (B)
Ikarus	Trojan.Win32.Injector
Jiangmin	Trojan.Scarsi.cwc
Webroot	W32.Scarsi.axgt
MAX	malware (ai score=100)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Scarsi.AXGR!MTB
Gridinsoft	Trojan.Win32.Agent.oa!s1
GData	Gen:Variant.Razy.938017
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R442562
McAfee	RDN/Generic.com
VBA32	Trojan.Sabsik.FL
TrendMicro-HouseCall	TROJ_GEN.R002H09IM21
Yandex	Trojan.Injector!xcZw5lKeEc0
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.14EA!tr
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

winpro.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All