Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 15, 2021, 9:10 a.m.	Oct. 15, 2021, 9:16 a.m.

Size	2.9MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`503015d7869b5edd64e07b0c733df2fc`
SHA256	`1beaa5a72b41905f0013182593756701b5f723170bc5551bbc0d5b71e7f3f966`
CRC32	`8561FDAA`
ssdeep	`49152:D4macLg8BO9vzviFK66lAt0a8wI3TuSCs:FSzGb98wI3b`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file IsPE32 - (no description) Lazarus_Zero - Lazarus Generic Malware anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library themida_packer - themida packer

112.exe "C:\Users\test22\AppData\Local\Temp\112.exe"
2456

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
138.124.186.66	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 15, 2021, 9:10 a.m.			0	0
IsDebuggerPresent Oct. 15, 2021, 9:10 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 15, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d87d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d87d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d87d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d87d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d86d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 15, 2021, 9:10 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	\xea\x99\xb0\xea\x99\xb0\xea\x99
section	.themida
section	.boot

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Oct. 15, 2021, 9:10 a.m.	stacktrace: 112+0x2d3f49 @ 0x15a3f49 112+0x2d7c5b @ 0x15a7c5b exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 cd c2 d2 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 3603560 registers.edi: 19980288 registers.eax: 3603560 registers.ebp: 3603640 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2008380459 registers.ecx: 3943366656	1
__exception__ Oct. 15, 2021, 9:10 a.m.	stacktrace: exception.instruction_r: ed e9 8e c4 fe ff c3 e9 06 ac ff ff 44 c8 5d 3a exception.symbol: 112+0x32882c exception.instruction: in eax, dx exception.module: 112.exe exception.exception_code: 0xc0000096 exception.offset: 3311660 exception.address: 0x15f882c registers.esp: 3603680 registers.edi: 21401065 registers.eax: 1750617430 registers.ebp: 19980288 registers.edx: 3627094 registers.ebx: 2147483650 registers.esi: 20757875 registers.ecx: 20	1
__exception__ Oct. 15, 2021, 9:10 a.m.	stacktrace: exception.instruction_r: ed e9 b4 43 00 00 56 fd f0 23 1a 9f fb 70 e9 01 exception.symbol: 112+0x316dac exception.instruction: in eax, dx exception.module: 112.exe exception.exception_code: 0xc0000096 exception.offset: 3239340 exception.address: 0x15e6dac registers.esp: 3603680 registers.edi: 21401065 registers.eax: 1447909480 registers.ebp: 19980288 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20757875 registers.ecx: 10	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 126 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a6c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a6c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a6d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76abf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7567b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7567b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

112.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds

Foreign language identified in PE resource (4 events)

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00613d4c

size

0x00000022

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00613d4c

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062ce5c

size

0x00000318

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062d924

size

0x0000000e

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 15, 2021, 9:10 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (6 events)

section

{u'size_of_data': u'0x00017400', u'virtual_address': u'0x00002000', u'entropy': 7.98040927421357, u'name': u' ', u'virtual_size': u'0x00032000'}

entropy

7.98040927421

description