Summary | ZeroBOX

DS.exe

Tags: Malicious Packer, Malicious Library, UPX, PE32, PE File

Category: FILE
Machine: s1_win7_x6401
Started: Oct. 11, 2021, 9:53 a.m.
Completed: Oct. 11, 2021, 9:57 a.m.

Size: 417.4KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: facac9092fbd9878bd2b5a0bbc2d0055
SHA256: f2809a3dbd2d8364421edbaffacd9ef549947cf0f955ed244d2a8bba55d65810
CRC32: E00063D4
ssdeep: 3072:CwAM4NjvB4vMdq5hs5Uz/nVu4wLT+4aHBgMwYX7aVKiEgjfSTsxCatgfVapBXt:Cc4vq5hs5I/nc4w0oVKiEgbaratgMZ
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name / Response / Post-Analysis Lookup: No hosts contacted.

IP Address: 164.124.101.2 (Status: Active, Action: Moloch)

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: __exception__
Arguments:
stacktrace:
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755c0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755c0d4d
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x5dfd __vbaUdtVar-0xab7 msvbvm60+0x102e5a @ 0x72a42e5a
ProcCallEngine+0x5e3e __vbaUdtVar-0xa76 msvbvm60+0x102e9b @ 0x72a42e9b
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
ds+0x127a @ 0x40127a
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 4e 34 89 4f 04 89 f9 83 c1 48 89 4f 0c 83 c1
exception.instruction: mov ecx, dword ptr [esi + 0x34]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5ee870
registers.esp: 1636324
registers.edi: 8912896
registers.eax: 2000419504
registers.ebp: 1636324
registers.edx: 2130566132
registers.ebx: 6220553
registers.esi: 3006966375
registers.ecx: 6662184
Status: 1  Return: 0  Repeated: 0

API: NtProtectVirtualMemory
Arguments:
process_identifier: 2416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

API: NtAllocateVirtualMemory
Arguments:
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00880000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

file C:\Users\test22\AppData\Roaming\ba\bc.exe

API: NtProtectVirtualMemory
Arguments:
process_identifier: 2416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00320000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bg
reg_value: C:\Users\test22\AppData\Roaming\ba\bc.exe
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Midie.100183
FireEye Generic.mg.facac9092fbd9878
McAfee GenericRXQG-XT!FACAC9092FBD
Cylance Unsafe
K7AntiVirus Riskware ( 00584baa1 )
K7GW Riskware ( 00584baa1 )
CrowdStrike win/malicious_confidence_80% (D)
BitDefenderTheta Gen:NN.ZevbaF.34170.Am3@au8q68di
Cyren W32/VBKrypt.BBE.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HMTB
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:Backdoor.MSIL.Crysan
BitDefender Gen:Variant.Midie.100183
Avast Win32:Malware-gen
Ad-Aware Gen:Variant.Midie.100183
Emsisoft Trojan.Crypt (A)
DrWeb Trojan.KillProc2.16723
McAfee-GW-Edition BehavesLike.Win32.VBObfus.gm
Jiangmin TrojanSpy.Solmyr.cm
Avira TR/Dropper.Gen
Gridinsoft Trojan.Win32.Kryptik.oa!s1
Microsoft Trojan:Script/Phonzy.C!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Bulz.780925
Cynet Malicious (score: 99)
AhnLab-V3 Backdoor/Win32.NetWiredRC.C3631196
VBA32 Malware-Cryptor.VB.gen.1
ALYac Gen:Variant.Bulz.780925
MAX malware (ai score=85)
Malwarebytes Trojan.Injector
Yandex Backdoor.Crysan!TNCTCqeb8Qs
SentinelOne Static AI - Malicious PE
AVG Win32:Malware-gen
Cybereason malicious.8f06db