Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 7, 2021, 10:15 a.m.	Nov. 7, 2021, 10:27 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`12cfaad5459882b5532d62afc9b2a60b`
SHA256	`0d677087d1b98a7cc8d75feeb8abb233a340173e6488aed8c052cc03da13120f`
CRC32	`E3720587`
ssdeep	`24576:Ag7x7Oj9puoBWcO23MGg91Vtco7fYW8bLg6ZCLXWNeuIqyCLROqJafk8lk:c/vWZs9ydco7fYW2E6ZcWAuIq3LMYD8+`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) UPX_Zero - UPX packed file themida_packer - themida packer

9075_1636092915_9777.exe "C:\Users\test22\AppData\Local\Temp\9075_1636092915_9777.exe"
2768
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2888

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.219.63.223	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 7, 2021, 10:15 a.m.			0	0
IsDebuggerPresent Nov. 7, 2021, 10:15 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 7, 2021, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00285468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2021, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00285468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2021, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002854a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 7, 2021, 10:15 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.debug
section	.128xeq2
section	.boot

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 7, 2021, 10:15 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 f8 27 f0 ff exception.symbol: 9075_1636092915_9777+0x2de21b exception.instruction: in eax, dx exception.module: 9075_1636092915_9777.exe exception.exception_code: 0xc0000096 exception.offset: 3007003 exception.address: 0x132e21b registers.esp: 2031184 registers.edi: 5320046 registers.eax: 1750617430 registers.ebp: 17469440 registers.edx: 22614 registers.ebx: 2147483650 registers.esi: 19081394 registers.ecx: 20	1	0	0
__exception__ Nov. 7, 2021, 10:15 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: 9075_1636092915_9777+0x2de28f exception.instruction: in eax, dx exception.module: 9075_1636092915_9777.exe exception.exception_code: 0xc0000096 exception.offset: 3007119 exception.address: 0x132e28f registers.esp: 2031184 registers.edi: 5320046 registers.eax: 1447909480 registers.ebp: 17469440 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19081394 registers.ecx: 10	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (46 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01082000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01074000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01074000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01074000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01074000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2768 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001ef000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2768 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73472000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dfb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d2a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73991000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2021, 10:15 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ed48000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section

{u'size_of_data': u'0x00011800', u'virtual_address': u'0x00001000', u'entropy': 7.995407619654739, u'name': u' ', u'virtual_size': u'0x00021f52'}

entropy

7.99540761965

description