Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 12, 2021, 8:03 a.m.	Nov. 12, 2021, 8:07 a.m.

Size	5.2MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`c1e722db229bd6dd596663f6f08aa654`
SHA256	`6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578`
CRC32	`92F59BD2`
ssdeep	`98304:Laj1Fpo79rrN12R6qyBQPnRNJe1B+XK6bFfVJ9FevDYMeBFh5iFIRv2Vb81+KpI:Gpo7Rv2R67GRNJpHnedeR5U81+5`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

%e9%87%8d%e8%a6%81%e9%80%9a%e7%9f%a5%e9%99%84%e4%bb%b6-%e6%96%87%e4%bb%b6%e9%98%b2%e6%b3%84%e5%af%86%e8%87%aa%e6%9f%a5%e6%89%8b%e5%86%8c.doc.exe "C:\Users\test22\AppData\Local\Temp\%e9%87%8d%e8%a6%81%e9%80%9a%e7%9f%a5%e9%99%84%e4%bb%b6-%e6%96%87%e4%bb%b6%e9%98%b2%e6%b3%84%e5%af%86%e8%87%aa%e6%9f%a5%e6%89%8b%e5%86%8c.doc.exe"
2336
- %e9%87%8d%e8%a6%81%e9%80%9a%e7%9f%a5%e9%99%84%e4%bb%b6-%e6%96%87%e4%bb%b6%e9%98%b2%e6%b3%84%e5%af%86%e8%87%aa%e6%9f%a5%e6%89%8b%e5%86%8c.doc.exe "C:\Users\test22\AppData\Local\Temp\%e9%87%8d%e8%a6%81%e9%80%9a%e7%9f%a5%e9%99%84%e4%bb%b6-%e6%96%87%e4%bb%b6%e9%98%b2%e6%b3%84%e5%af%86%e8%87%aa%e6%9f%a5%e6%89%8b%e5%86%8c.doc.exe"
  2396

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
101.35.100.211	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 12, 2021, 8:03 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 12, 2021, 8:03 a.m.	stacktrace: 0x5b0030 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed exception.instruction: lodsb al, byte ptr [rsi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b0030 registers.r14: 1453503984 registers.r15: 0 registers.rcx: 110 registers.rsi: 110 registers.r10: 0 registers.rbx: 5964246 registers.rsp: 38403176 registers.r11: 514 registers.r8: 8791738687752 registers.r9: 0 registers.rdx: 1998595680 registers.r12: 0 registers.rbp: 5963786 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 12, 2021, 8:03 a.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Nov. 12, 2021, 8:03 a.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000005b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI23362\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI23362\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI23362\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI23362\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI23362\pywintypes27.dll

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

McAfee	Artemis!C1E722DB229B
APEX	Malicious
VIPRE	Trojan.Win32.Generic.pak!cobra
McAfee-GW-Edition	BehavesLike.Win64.TrojanVeil.tc
AhnLab-V3	Trojan/Win32.Abnores.R194594

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00005600', u'virtual_address': u'0x0000c000', u'entropy': 6.800407588306095, u'name': u'.rdata', u'virtual_size': u'0x00005460'}

entropy

6.80040758831

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (1 event)

host

101.35.100.211

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (11 events)

dead_host	192.168.56.103:49171
dead_host	101.35.100.211:58888
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49163
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49165
dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49166

%e9%87%8d%e8%a6%81%e9%80%9a%e7%9f%a5%e9%99%84%e4%bb%b6-%e6%96%87%e4%bb%b6%e9%98%b2%e6%b3%84%e5%af%86%e8%87%aa%e6%9f%a5%e6%89%8b%e5%86%8c.doc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All