Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 7, 2021, 10:40 a.m.	Nov. 7, 2021, 10:43 a.m.

Size	11.9MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`70ffb4ac447b5135651ec3d7437760d7`
SHA256	`c6313c4114b6c7945fed7b86869ca4fc789459647fdfd36a37ad6d6fa274e07c`
CRC32	`F4F13523`
ssdeep	`196608:aMlgBZbZhTAhT8hTBhTghTDhTfhTjhTqhTfhTrK+qabhTqn4KmEmQggWeMqUjA1Q:aMlgBZ2+qaAAEmQCo91fj6a`
Yara	Antivirus - Contains references to security software PE_Header_Zero - PE File Signature NorthKorea_Zero - Maybe it's North Korea File Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult ILProtector_Packer - ILProtector Packer

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\^.exe.js
2140

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 7, 2021, 10:40 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75e8d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75e8964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75e74d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75e76f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75e7e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75e76002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75e75fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75e749e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75e75a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77869a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77888f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77888e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75097a25 wscript+0x2fbd @ 0x5c2fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ea3ef4 registers.esp: 2423348 registers.edi: 0 registers.eax: 32044208 registers.ebp: 2423376 registers.edx: 1 registers.ebx: 0 registers.esi: 8201232 registers.ecx: 1949120212	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 7, 2021, 10:40 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75e8d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75e8964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75e74d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75e76f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75e7e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75e76002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75e75fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75e749e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75e75a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77869a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77888f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77888e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75097a25
wscript+0x2fbd @ 0x5c2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ea3ef4
registers.esp: 2423348
registers.edi: 0
registers.eax: 32044208
registers.ebp: 2423376
registers.edx: 1
registers.ebx: 0
registers.esi: 8201232
registers.ecx: 1949120212

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 7, 2021, 10:40 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74733000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00bee000', u'virtual_address': u'0x00002000', u'entropy': 7.201521354658773, u'name': u'.text', u'virtual_size': u'0x00bede44'}

entropy

7.20152135466

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002c00', u'virtual_address': u'0x00bf0000', u'entropy': 7.140717459064447, u'name': u'.rsrc', u'virtual_size': u'0x00002a4b'}

entropy

7.14071745906

description

A section with a high entropy has been found

entropy

0.999959108567

description

Overall entropy of this PE file is high

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Cerbu.115172
CAT-QuickHeal	Trojan.MsilFC.S21583275
ALYac	Gen:Variant.Cerbu.115172
Malwarebytes	Trojan.Crypt
Arcabit	Trojan.Cerbu.D1C1E4
Cyren	W32/MSIL_Kryptik.EFR.gen!Eldorado
ESET-NOD32	a variant of MSIL/IRPlan.I
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-PSW.MSIL.Agent.gen
BitDefender	Gen:Variant.Cerbu.115172
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Gen:Variant.Cerbu.115172
Emsisoft	Trojan.IRPlan (A)
DrWeb	Trojan.DownLoader23.22913
FireEye	Gen:Variant.Cerbu.115172
Ikarus	Trojan.MSIL.IRPlan
Avira	HEUR/AGEN.1144096
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Cerbu.115172
AhnLab-V3	Trojan/Win.Generic.C4522057
MAX	malware (ai score=84)
VBA32	CIL.StupidPInvoker-1.Heur
SentinelOne	Static AI - Suspicious PE
BitDefenderTheta	Gen:NN.ZemsilF.34266.@p0@aiicFxd
AVG	Win32:MalwareX-gen [Trj]
MaxSecure	Trojan.Malware.300983.susgen

^.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All