Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 19, 2021, 9:42 a.m.	Oct. 19, 2021, 9:47 a.m.

Size	563.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`57be051a2a20b292fc8cb67c4f31c4f9`
SHA256	`04ed65784009bd39c546c4a6473a44799d0444d40ff9796c2921a70db6ec2a72`
CRC32	`E6954D6B`
ssdeep	`6144:cKheIEpyb/eDE6j87TZ48zMKf6ZyNN68M07+AGlqtIMdcJDhepYYX:nEpySIzCKf6ZyNx7/OqtIMyJDheuY`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

office.exe "C:\Users\test22\AppData\Local\Temp\office.exe"
1944
- office.exe "C:\Users\test22\AppData\Local\Temp\office.exe"
  1776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 19, 2021, 9:42 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:42 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 19, 2021, 9:42 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (31 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70592000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:42 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a6e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:46 a.m.	process_identifier: 1776 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00062e00', u'virtual_address': u'0x00002000', u'entropy': 7.794820931926478, u'name': u'.text', u'virtual_size': u'0x00062c30'}

entropy

7.79482093193

description

A section with a high entropy has been found

entropy

0.702486678508

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 19, 2021, 9:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1776 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 19, 2021, 9:43 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELíßWPà ~ðÔ@@.text\|~ ` base_address: 0x00400000 process_identifier: 1776 process_handle: 0x00000254	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:43 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1776 process_handle: 0x00000254	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 19, 2021, 9:43 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELíßWPà ~ðÔ@@.text\|~ ` base_address: 0x00400000 process_identifier: 1776 process_handle: 0x00000254	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1944 called NtSetContextThread to modify thread in remote process 1776
NtSetContextThread Oct. 19, 2021, 9:43 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314352 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 1776	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1944 resumed a thread in remote process 1776
NtResumeThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 1776	1	0	0

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 19, 2021, 9:42 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1944	1	0
NtResumeThread Oct. 19, 2021, 9:42 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1944	1	0
NtResumeThread Oct. 19, 2021, 9:42 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1944	1	0
CreateProcessInternalW Oct. 19, 2021, 9:43 a.m.	thread_identifier: 2760 thread_handle: 0x00000250 process_identifier: 1776 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\office.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\office.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000254	1	1
NtGetContextThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x00000250	1	0
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 1776 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254	1	0
WriteProcessMemory Oct. 19, 2021, 9:43 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELíßWPà ~ðÔ@@.text\|~ ` base_address: 0x00400000 process_identifier: 1776 process_handle: 0x00000254	1	1
WriteProcessMemory Oct. 19, 2021, 9:43 a.m.	buffer: base_address: 0x00401000 process_identifier: 1776 process_handle: 0x00000254	1	1
WriteProcessMemory Oct. 19, 2021, 9:43 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1776 process_handle: 0x00000254	1	1
NtSetContextThread Oct. 19, 2021, 9:43 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314352 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 1776	1	0
NtResumeThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 1776	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.MSIL.Taskun.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37817102
Malwarebytes	Spyware.TelegramBot
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 005891a11 )
K7AntiVirus	Trojan ( 005891a11 )
Cyren	W32/MSIL_Kryptik.FWN.gen!Eldorado
ESET-NOD32	a variant of MSIL/Kryptik.ADEZ
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.GenericKD.37817102
Ad-Aware	Trojan.GenericKD.37817192
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.UMal.negpi@0
DrWeb	Trojan.Inject4.17696
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
FireEye	Generic.mg.57be051a2a20b292
Emsisoft	Trojan.GenericKD.37817102 (B)
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=84)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:MSIL/AgenteslaPacker!MTB
Gridinsoft	Trojan.Win32.Gen.oa
Arcabit	Trojan.Generic.D2410B68
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
GData	Trojan.GenericKD.37817102
Cynet	Malicious (score: 100)
McAfee	RDN/Generic.grp
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_FRS.VSNW12J21
Ikarus	Trojan.MSIL.Krypt
Fortinet	MSIL/GenKryptik.FMEV!tr
BitDefenderTheta	Gen:NN.ZemsilF.34218.Jm0@aOvbnYf
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
MaxSecure	Trojan.Malware.300983.susgen

office.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All