Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 23, 2022, 9:31 a.m.	May 23, 2022, 9:34 a.m.

Size	7.2MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`e91529f0e5cfd905fe9b3460ba50eef8`
SHA256	`e2a560ab014411433ad31ecfe13de3b561170660a86c726b2c803d94781f8680`
CRC32	`FC384115`
ssdeep	`24576:4/C2WJACchgZczfkTGsHfaGDGLuCC2LYeghf0gf3eCmmORi59LnYz1abA+KX8Vi:48uQfACd3NmCmg59Yz1abAlXb`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

crypted.exe "C:\Users\test22\AppData\Local\Temp\crypted.exe"
2352
- crypted.exe "C:\Users\test22\AppData\Local\Temp\crypted.exe"
  2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
46.138.71.75	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2544 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 23, 2022, 9:31 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 126976 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x001e0000 process_handle: 0x00000110	1	0	0

Yara rule detected in process memory (14 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

46.138.71.75

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 23, 2022, 9:31 a.m.	buffer: ¸ÿà base_address: 0x00451d40 process_identifier: 2544 process_handle: 0x00000110	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2352 resumed a thread in remote process 2544
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2544	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress May 23, 2022, 9:31 a.m.	ordinal: 0 function_address: 0x0018fe29 function_name: wine_get_version module: ntdll module_address: 0x772b0000		3221225785	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

46.138.71.75:50191

Executed a process and injected code into it, probably while unpacking (50 out of 274 events)

Time & API	Arguments	Status
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1
NtGetContextThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108	1
NtResumeThread May 23, 2022, 9:31 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2352	1

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Lionic	Trojan.Win64.Donut.4!c
MicroWorld-eScan	Gen:Variant.Lazy.173771
FireEye	Generic.mg.e91529f0e5cfd905
ALYac	Gen:Variant.Lazy.173771
Malwarebytes	Trojan.Dropper
Sangfor	Trojan.Win64.Donut.peq
K7AntiVirus	Trojan ( 00592ca01 )
Alibaba	Trojan:Win64/Donut.1e9a45ff
K7GW	Trojan ( 00592ca01 )
CrowdStrike	win/malicious_confidence_70% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of WinGo/Injector.Z
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win64.Donut.peq
BitDefender	Gen:Variant.Lazy.173771
Rising	Trojan.Generic@AI.100 (RDML:+WxmF2UOVke5HR1us5riSg)
Ad-Aware	Gen:Variant.Lazy.173771
TrendMicro	TROJ_GEN.R002C0PEJ22
Sophos	Mal/Generic-S
Ikarus	Trojan.WinGo.Agent
Avira	HEUR/AGEN.1249546
MAX	malware (ai score=83)
Gridinsoft	Trojan.Win32.Downloader.sa
GData	Gen:Variant.Lazy.173771
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R492765
McAfee	GenericRXNH-UL!E91529F0E5CF
VBA32	BScope.TrojanRansom.Convagent
TrendMicro-HouseCall	TROJ_GEN.R002C0PEJ22
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Lazy.1760!tr

crypted.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All