Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.20 09:11
mainbas.bat
11.20 09:11
dll007.dll
11.20 09:11
exe004.exe
11.20 09:11
exe010.exe
11.20 09:11
blecher.exe
11.20 09:11
GetAdapterInfo.exe
11.20 09:11
dll004.dll
11.20 09:11
dll008.dll
11.20 09:11
bestthingsalwaysgetbes...
11.20 09:11
DKM-9067291.pdf.lnk

Latest News
11.20 11:11
62만 유튜버 연츄, 인천 노인주간보호센...
11.20 11:11
Unveiling LIMINAL PAND...
11.20 11:11
이천청솔기숙학원, 2025 입시 준비 조...
11.20 11:11
모즈 탄소매트, 전자파 없는 원적외선 매...
11.20 11:11
유어네스트 ‘이터널 라이트’ 아틀리에 투...
11.20 11:11
누미에르, THE F&C와 파트너...
11.20 11:11
China’s SpaceSail to C...
11.20 11:11
AI innovations for a m...
11.20 10:11
Redefining Modern Secu...
11.20 10:11
Fintech Giant Finastra...

Summary | ZeroBOX

serwices.exe

[m] Generic Malware task schedule UPX Anti_VM AntiDebug PE File PE32 AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 5, 2021, 10:41 a.m.	Nov. 5, 2021, 10:43 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`486700627b68a06007dac77bd7efebb4`
SHA256	`f5a4e4751621937b8758bb4fa9b9db5938110c6a9a571b41c32fa2b701bc9ba6`
CRC32	`A7736740`
ssdeep	`49152:V7QzfYPrbjy4rfyxzyTBDTpvaIHGarlUfE2XD2N:V8zYPPjfyxz2DlvaonlUf1Xs`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques UPX_Zero - UPX packed file themida_packer - themida packer

serwices.exe "C:\Users\test22\AppData\Local\Temp\serwices.exe"
2776
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2892
  - schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\test22\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    2964

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 5, 2021, 10:41 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 5, 2021, 10:41 a.m.	buffer: SUCCESS: The scheduled task "Telemetry Logging" has successfully been created. console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.debug
section	.128xeq2
section	.boot

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 5, 2021, 10:41 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 d7 a4 ee ff exception.symbol: serwices+0x331bbc exception.instruction: in eax, dx exception.module: serwices.exe exception.exception_code: 0xc0000096 exception.offset: 3349436 exception.address: 0x14e1bbc registers.esp: 4192220 registers.edi: 8138010 registers.eax: 1750617430 registers.ebp: 18812928 registers.edx: 22614 registers.ebx: 18546688 registers.esi: 20789046 registers.ecx: 20	1	0	0
__exception__ Nov. 5, 2021, 10:41 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: serwices+0x331c30 exception.instruction: in eax, dx exception.module: serwices.exe exception.exception_code: 0xc0000096 exception.offset: 3349552 exception.address: 0x14e1c30 registers.esp: 4192220 registers.edi: 8138010 registers.eax: 1447909480 registers.ebp: 18812928 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20789046 registers.ecx: 10	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011e2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011d4000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011d4000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011d4000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011d4000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2776 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fe000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2776 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746f1000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (8 events)

section

{u'size_of_data': u'0x00011800', u'virtual_address': u'0x00001000', u'entropy': 7.995620202526813, u'name': u' ', u'virtual_size': u'0x00021f52'}

entropy

7.99562020253

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000800', u'virtual_address': u'0x00023000', u'entropy': 6.978689073245101, u'name': u' ', u'virtual_size': u'0x00000c36'}

entropy

6.97868907325

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00006000', u'virtual_address': u'0x00024000', u'entropy': 7.989214626350801, u'name': u' ', u'virtual_size': u'0x0000ea26'}

entropy

7.98921462635

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000400', u'virtual_address': u'0x00033000', u'entropy': 7.314352897490997, u'name': u' ', u'virtual_size': u'0x00001cf8'}

entropy

7.31435289749

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x00035000', u'entropy': 7.940507612421558, u'name': u' ', u'virtual_size': u'0x00002e1d'}

entropy

7.94050761242

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001600', u'virtual_address': u'0x00038000', u'entropy': 7.817443448705043, u'name': u' ', u'virtual_size': u'0x00001c58'}

entropy

7.81744344871

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00165600', u'virtual_address': u'0x00361000', u'entropy': 7.9613768048927405, u'name': u'.boot', u'virtual_size': u'0x00165600'}

entropy

7.96137680489

description

A section with a high entropy has been found

entropy

0.987812700449

description

Overall entropy of this PE file is high

Yara rule detected in process memory (10 events)

description	task schedule				rule	schtasks_Zero
description	[m] Generic Malware				rule	Generic_Malware_Zero_m
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\test22\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 07698af75b7b7e143f431c1f48fce43864f2d654

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2892 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000090		3221225496	0
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2892 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000090	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (15 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 5, 2021, 10:41 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 5, 2021, 10:41 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2892 process_handle: 0x00000090	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 called NtSetContextThread to modify thread in remote process 2892
NtSetContextThread Nov. 5, 2021, 10:41 a.m.	registers.eip: 2003108292 registers.esp: 4849332 registers.edi: 0 registers.eax: 794667 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000008c process_identifier: 2892	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 resumed a thread in remote process 2892
NtResumeThread Nov. 5, 2021, 10:41 a.m.	thread_handle: 0x0000008c suspend_count: 1 process_identifier: 2892	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 5, 2021, 10:41 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 5, 2021, 10:41 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: serwices+0x331c30 exception.instruction: in eax, dx exception.module: serwices.exe exception.exception_code: 0xc0000096 exception.offset: 3349552 exception.address: 0x14e1c30 registers.esp: 4192220 registers.edi: 8138010 registers.eax: 1447909480 registers.ebp: 18812928 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20789046 registers.ecx: 10	1	0	0

Executed a process and injected code into it, probably while unpacking (9 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Nov. 5, 2021, 10:41 a.m.	thread_identifier: 2896 thread_handle: 0x0000008c process_identifier: 2892 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000090	1	1	0
NtGetContextThread Nov. 5, 2021, 10:41 a.m.	thread_handle: 0x0000008c	1	0	0
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2892 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000090		3221225496	0
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2892 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000090	1	0	0
WriteProcessMemory Nov. 5, 2021, 10:41 a.m.	buffer: base_address: 0x000c0000 process_identifier: 2892 process_handle: 0x00000090	1	1	0
WriteProcessMemory Nov. 5, 2021, 10:41 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2892 process_handle: 0x00000090	1	1	0
NtSetContextThread Nov. 5, 2021, 10:41 a.m.	registers.eip: 2003108292 registers.esp: 4849332 registers.edi: 0 registers.eax: 794667 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000008c process_identifier: 2892	1	0	0
NtResumeThread Nov. 5, 2021, 10:41 a.m.	thread_handle: 0x0000008c suspend_count: 1 process_identifier: 2892	1	0	0
CreateProcessInternalW Nov. 5, 2021, 10:41 a.m.	thread_identifier: 2968 thread_handle: 0x000000e4 process_identifier: 2964 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\test22\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000e8	1	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.Tasker.4!c
ALYac	Gen:Variant.Zusy.405808
Cylance	Unsafe
K7GW	Trojan ( 00589ae01 )
Cybereason	malicious.470270
Arcabit	Trojan.Zusy.D63130
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FMVV
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Tasker.aucx
BitDefender	Gen:Variant.Zusy.405808
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
MicroWorld-eScan	Gen:Variant.Zusy.405808
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Zusy.405808
Emsisoft	Gen:Variant.Zusy.405808 (B)
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.Zusy.405808
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=87)
Gridinsoft	Trojan.Heur!.012120B1
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Zusy.405808
AhnLab-V3	Trojan/Win.Generic.R448161
McAfee	Artemis!486700627B68
VBA32	BScope.Adware.DealPly
eGambit	PE.Heur.InvalidSig
Fortinet	W32/GenKryptik.FMVV!tr
AVG	FileRepMalware
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_100% (W)
MaxSecure	Trojan.Malware.300983.susgen