Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 15, 2021, 2:28 p.m.	Nov. 15, 2021, 2:51 p.m.

Size	1.2MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`38df87ccac12d33a0fa25687b1341d0e`
SHA256	`69e66efe150fc4cc9685bb0c57fd164edb85979281643ec63b6b54490aae9374`
CRC32	`9D963A66`
ssdeep	`6144:u5XYXEeWwC42fWao+tPY7fnEOv31ewJWTTXhLDE2Wlut65ahYgsnfva6Oz8dePT2:uZanCHONvyDTW3jfo8drTKziy+P`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet Antivirus - Contains references to security software PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

hazmat.exe "C:\Users\test22\AppData\Local\Temp\hazmat.exe"
2760

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (22 events)

section	.thymene
section	.palaeoe
section	.soporif
section	.reuphol
section	.thermot
section	.compreh
section	.torrent
section	.pleuroc
section	.totaliz
section	.hemerol
section	.odontop
section	.rhodoth
section	.brevilo
section	.wristle
section	.permuta
section	.reassay
section	.irradia
section	.prebest
section	.osphyar
section	.intrafa
section	.antanac
section	.adultne

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2760 region_size: 331776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2760 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2760 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b62000 process_handle: 0xffffffff	1

Performs 220 file moves indicative of a ransomware file encryption process (50 out of 220 events)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0
MoveFileWithProgressW Nov. 15, 2021, 2:28 p.m.	newfilepath_r: flags: 2 oldfilepath_r: newfilepath: oldfilepath:		0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47398123
FireEye	Generic.mg.38df87ccac12d33a
ALYac	Gen:Variant.Jaik.49267
Cylance	Unsafe
K7AntiVirus	Trojan ( 0058a5fb1 )
Alibaba	Trojan:Win32/GenKryptik.d01fecf4
K7GW	Trojan ( 0058a5fb1 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.FNLI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.47398123
Avast	Win32:HacktoolX-gen [Trj]
Tencent	Win32.Trojan.Falsesign.Lmvf
Ad-Aware	Trojan.GenericKD.47398123
Sophos	Mal/Generic-S
Comodo	.UnclassifiedMalware@0
DrWeb	Program.Unwanted.2520
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.47398123 (B)
Ikarus	Trojan.Win32.Krypt
Webroot	W32.Trojan.Gen
Avira	TR/AD.MeterpreterSC.cmlwr
Gridinsoft	Trojan.Heur!.00002031
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Win32.Application.iObit.B
Cynet	Malicious (score: 100)
McAfee	Artemis!38DF87CCAC12
MAX	malware (ai score=89)
TrendMicro-HouseCall	TROJ_GEN.R002H0CKD21
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
Fortinet	Riskware/GenKryptik
AVG	Win32:HacktoolX-gen [Trj]
Panda	Trj/Agent.CTG
CrowdStrike	win/malicious_confidence_90% (W)

hazmat.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All