Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

64.exe

Emotet Malicious Library Malicious Packer AntiDebug PE File OS Processor Check PE32 AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 1, 2021, 6:11 p.m.	Oct. 1, 2021, 6:14 p.m.

Size	774.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ba0c30c85ff45d4a7dfbf010ebff1ca8`
SHA256	`be1fe05856af0cb8678fff94ccbbb5ed99a7ebb8e4d2a0725e196d5c38f093b5`
CRC32	`7846F650`
ssdeep	`24576:wFkwZtqfuHOsY25nIMfZ5NS0Zu0IL/ysBRU9329BANJTFFF0:+HXHyis`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

64.exe "C:\Users\test22\AppData\Local\Temp\64.exe"
2100
- 64.exe "C:\Users\test22\AppData\Local\Temp\64.exe"
  1260

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.77.127.230	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 1, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 1, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 1, 2021, 6:11 p.m.	computer_name: TEST22-PC	1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 1, 2021, 6:11 p.m.	process_identifier: 2100 region_size: 10006528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 1, 2021, 6:11 p.m.	process_identifier: 1260 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 1, 2021, 6:11 p.m.	process_identifier: 1260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 1, 2021, 6:11 p.m.	process_identifier: 1260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Yara rule detected in process memory (7 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Bypass DEP				rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 5d28ab6445277378033852e6867383107e4c48ea

Communicates with host for which no DNS query was performed (1 event)

host

45.77.127.230

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 1, 2021, 6:11 p.m.	process_identifier: 1260 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000044	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 1, 2021, 6:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1260 process_handle: 0x00000044	1	1	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.ba0c30c85ff45d4a
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win32.HTA.gen
Avast	FileRepMalware
Emsisoft	Trojan.Agent (A)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
VBA32	Malware-Cryptor.Inject.gen
Malwarebytes	Malware.AI.4182512756
SentinelOne	Static AI - Suspicious PE
BitDefenderTheta	Gen:NN.ZexaF.34170.Wq3@aGy!XXpc
AVG	FileRepMalware

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2100 called NtSetContextThread to modify thread in remote process 1260
NtSetContextThread Oct. 1, 2021, 6:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000040 process_identifier: 1260	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2100 resumed a thread in remote process 1260
NtResumeThread Oct. 1, 2021, 6:11 p.m.	thread_handle: 0x00000040 suspend_count: 1 process_identifier: 1260	1	0	0

Executed a process and injected code into it, probably while unpacking (8 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 1, 2021, 6:11 p.m.	thread_identifier: 2420 thread_handle: 0x00000040 process_identifier: 1260 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\64.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000044	1	1	0
NtGetContextThread Oct. 1, 2021, 6:11 p.m.	thread_handle: 0x00000040	1	0	0
NtUnmapViewOfSection Oct. 1, 2021, 6:11 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1260 process_handle: 0x00000044	1	0	0
NtAllocateVirtualMemory Oct. 1, 2021, 6:11 p.m.	process_identifier: 1260 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000044	1	0	0
WriteProcessMemory Oct. 1, 2021, 6:11 p.m.	buffer: base_address: 0x00400000 process_identifier: 1260 process_handle: 0x00000044	1	1	0
WriteProcessMemory Oct. 1, 2021, 6:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1260 process_handle: 0x00000044	1	1	0
NtSetContextThread Oct. 1, 2021, 6:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000040 process_identifier: 1260	1	0	0
NtResumeThread Oct. 1, 2021, 6:11 p.m.	thread_handle: 0x00000040 suspend_count: 1 process_identifier: 1260	1	0	0