Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 19, 2021, 4:44 p.m.	Oct. 19, 2021, 4:50 p.m.

Size	4.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bfbbb8571fc1d4dbd8053e5154cda305`
SHA256	`8d3acf2f0ec215aa77026016f145230bf44a3a6c411349f1e49f86561380bb60`
CRC32	`2397070E`
ssdeep	`98304:mEzyXcTqaJ9IyyPc2iBZ83hHla+FOuWyVO5mo8/xCV:NzlTq742iBIHllFOhyxXw`
Yara	VMProtect_Zero - VMProtect packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
896

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.121.177.177	Active	Moloch
91.136.8.131	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.vmp0
section	.vmp1

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7efa0000 allocation_type: 1060864 (MEM_COMMIT\|MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77af0000 process_handle: 0xffffffff	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 19, 2021, 4:44 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 2664	1	1
Process32NextW Oct. 19, 2021, 4:44 p.m.	snapshot_handle: 0x00000130 process_name: sppsvc.exe process_identifier: 2988	1	1
Process32NextW Oct. 19, 2021, 4:44 p.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 2328	1	1
Process32NextW Oct. 19, 2021, 4:44 p.m.	snapshot_handle: 0x00000130 process_name: SearchProtocolHost.exe process_identifier: 2020	1	1
Process32NextW Oct. 19, 2021, 4:44 p.m.	snapshot_handle: 0x00000130 process_name: SearchFilterHost.exe process_identifier: 2132	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 19, 2021, 4:44 p.m.	process_identifier: 896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00230000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0040b800', u'virtual_address': u'0x00291000', u'entropy': 7.916703874966222, u'name': u'.vmp1', u'virtual_size': u'0x0040b760'}

entropy

7.91670387497

description

A section with a high entropy has been found

entropy

0.97838667769

description

Overall entropy of this PE file is high

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (2 events)

host	185.121.177.177
host	91.136.8.131

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Tasker.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.MulDrop18.45087
MicroWorld-eScan	Trojan.GenericKD.37820168
McAfee	Artemis!BFBBB8571FC1
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 7000001c1 )
Alibaba	Trojan:Win32/Tasker.048a54e1
K7GW	Trojan ( 7000001c1 )
CrowdStrike	win/malicious_confidence_60% (W)
BitDefenderTheta	Gen:NN.ZexaF.34218.@F0@aWLuuJoi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.JHPBIMJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Tasker.vho
BitDefender	Trojan.GenericKD.37820168
ViRobot	Trojan.Win32.Z.Tasker.4336128
Tencent	Win32.Trojan.Generik.Pkhf
Ad-Aware	Trojan.GenericKD.37820168
Sophos	Mal/VMProtBad-A
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
FireEye	Generic.mg.bfbbb8571fc1d4db
Ikarus	Win32.Outbreak
GData	Trojan.GenericKD.37820168
Kingsoft	Win32.Troj.Undef.(kcloud)
ZoneAlarm	HEUR:Trojan.Win32.Tasker.vho
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Acronis	suspicious
MAX	malware (ai score=81)
Rising	Trojan.Generic@ML.99 (RDML:9k1xlOebjzDuuUGbWT4hXw)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/PossibleThreat
AVG	FileRepMalware
Avast	FileRepMalware
MaxSecure	Trojan.Malware.300983.susgen

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All