Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 15, 2021, 2:28 p.m.	Nov. 15, 2021, 2:49 p.m.

Size	2.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7b1c3f5010c8703d58a2d0cfa15b3b12`
SHA256	`879fccdf9b4b09063a6dbf1ac2cc381a1ebcacf6e38f5b8d4889785a4ccde22a`
CRC32	`0B1EC425`
ssdeep	`49152:dD1Zo/BXVv2eK9cgiwMv2DKirx9N1eEuNgi4ANahMxByZuRDjdXggke0j4w+vdtV:HZCUegV1x9W7F45grfdXF7dtxIm`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

itaves.exe "C:\Users\test22\AppData\Local\Temp\itaves.exe"
2320
- obolet.exe "C:\Users\test22\AppData\Local\Temp\darius\obolet.exe"
  2420
- patacavp.exe "C:\Users\test22\AppData\Local\Temp\darius\patacavp.exe"
  2456

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 15, 2021, 2:28 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Nov. 15, 2021, 2:28 p.m.	stacktrace: patacavp+0x2f60cd @ 0xe460cd patacavp+0x356484 @ 0xea6484 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 4060948 registers.edi: 12029952 registers.eax: 4060948 registers.ebp: 4061028 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1999795243 registers.ecx: 511574016	1
__exception__ Nov. 15, 2021, 2:28 p.m.	stacktrace: exception.instruction_r: ed e9 5f f1 0a 00 c3 e9 c6 04 09 00 1d 16 58 22 exception.symbol: patacavp+0x2f8f87 exception.instruction: in eax, dx exception.module: patacavp.exe exception.exception_code: 0xc0000096 exception.offset: 3116935 exception.address: 0xe48f87 registers.esp: 4061068 registers.edi: 4206224 registers.eax: 1750617430 registers.ebp: 12029952 registers.edx: 4216918 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Nov. 15, 2021, 2:28 p.m.	stacktrace: exception.instruction_r: ed e9 4c 65 fe ff 6a 78 35 00 20 00 a1 00 ca fd exception.symbol: patacavp+0x36bd3e exception.instruction: in eax, dx exception.module: patacavp.exe exception.exception_code: 0xc0000096 exception.offset: 3587390 exception.address: 0xebbd3e registers.esp: 4061068 registers.edi: 4206224 registers.eax: 1447909480 registers.ebp: 12029952 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 2420 region_size: 331776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 2420 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 2420 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7734f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b6a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b6a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b6a000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Program Files (x86)\foler\olader\acppage.dll
file	C:\Program Files (x86)\foler\olader\acledit.dll
file	C:\Users\test22\AppData\Local\Temp\nsm8E37.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\darius\patacavp.exe
file	C:\Program Files (x86)\foler\olader\adprovider.dll
file	C:\Users\test22\AppData\Local\Temp\darius\obolet.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsm8E37.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\darius\patacavp.exe

Expresses interest in specific running processes (1 event)

process

system

Attempts to identify installed AV products by installation directory (2 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 15, 2021, 2:28 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\darius\obolet.exe

Manipulates memory of a non-child process indicative of process injection (9 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2420 manipulating memory of non-child process 0
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0
NtProtectVirtualMemory Nov. 15, 2021, 2:28 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0
NtProtectVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0
NtProtectVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0
NtProtectVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0
NtProtectVirtualMemory Nov. 15, 2021, 2:29 p.m.	process_identifier: 0 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 103 (PAGE_EXECUTE_READ\|PAGE_EXECUTE_READWRITE\|PAGE_NOACCESS\|PAGE_READONLY\|PAGE_READWRITE) base_address: 0x00000000 process_handle: 0x00000001	3221225541	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 15, 2021, 2:28 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 15, 2021, 2:28 p.m.	stacktrace: exception.instruction_r: ed e9 4c 65 fe ff 6a 78 35 00 20 00 a1 00 ca fd exception.symbol: patacavp+0x36bd3e exception.instruction: in eax, dx exception.module: patacavp.exe exception.exception_code: 0xc0000096 exception.offset: 3587390 exception.address: 0xebbd3e registers.esp: 4061068 registers.edi: 4206224 registers.eax: 1447909480 registers.ebp: 12029952 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Heur.D.DMW@dmI064ji
FireEye	Generic.mg.7b1c3f5010c8703d
ALYac	Gen:Trojan.Heur.D.DMW@dmI064ji
Cylance	Unsafe
Zillya	Dropper.Scrop.Win32.1379
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.010c87
BitDefenderTheta	Gen:NN.ZexaF.34266.er2@aK64ZWii
Cyren	W32/Kryptik.FHH.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	UDS:Trojan.Win32.AntiVM
BitDefender	Gen:Trojan.Heur.D.DMW@dmI064ji
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
Avast	Win32:CrypterX-gen [Trj]
Tencent	Win32.Trojan-qqpass.Qqrob.Ahey
Sophos	Mal/Generic-S
VIPRE	Trojan.Win32.Generic.pak!cobra
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Emsisoft	Gen:Trojan.Heur.D.DMW@dmI064ji (B)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_98%
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
GData	Win32.Trojan.BSE.HLJWVB
Cynet	Malicious (score: 100)
McAfee	Artemis!7B1C3F5010C8
MAX	malware (ai score=89)
VBA32	BScope.TrojanBanker.Ponteiro
Malwarebytes	Malware.AI.2672519033
Rising	Trojan.Generic@ML.100 (RDML:E6l5VP1vvn9ceOg5rpgHaw)
Ikarus	Win32.Outbreak
Webroot	W32.Gen.pak
AVG	Win32:CrypterX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

itaves.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All