Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.29 05:04
tomcaterror.bmpqoq
04.29 04:04
qoq.ps1
04.29 04:04
Important_Document.pdf...
04.29 04:04
dllbase64reverse.txt.exe
04.29 10:04
RuntimeBroker.exe
04.29 10:04
2555d50c-0b7e-4aa3-8d8...
04.29 10:04
csr.bin
04.29 10:04
test.exe
04.29 10:04
FreePhotoShop%20Meme%2...
04.29 10:04
discord.exe

Latest News
04.30 12:04
스노웨이 눈꽃빙수기, 친환경 CE 인증 획득
04.30 12:04
Chinese AI Stocks Adva...
04.30 11:04
한국장학진흥원, 조향사 자격증 무료수강 ...
04.30 11:04
Comparing ‘AI’ for Bas...
04.30 11:04
만잠 욕실화 슬리퍼 6차 완판 및 7차 ...
04.30 11:04
[사전규격공개] 5G 新기술 도입 기업의...
04.30 11:04
2025년 블록체인 공공분야 집중사업 사...
04.30 10:04
RSAC 2025: Being reali...
04.30 10:04
브랜치앤바운드, 코딩의 정석 ‘코드트리’...
04.30 10:04
Apple Reshuffles Gover...

Summary | ZeroBOX

2.exe

Malicious Packer PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 25, 2022, 9:45 a.m.	May 25, 2022, 9:48 a.m.

Size	2.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`046804d6a8900b2fff9596823db0ce93`
SHA256	`abde95665f00d689ae82d87023f15c909e8648e5d320b7fe680cdf910ec489ad`
CRC32	`4199EDC1`
ssdeep	`49152:9hgfaw6+fnvkWEp/z0IKbj4nJegtcpuyAtX2ZWLT/XMEWKBK1MJ5FdLOJegTZkyW:9hgfXrfnwYJboJntX2ZQLXMEP1OJeg6b`
Yara	IsPE32 - (no description) themida_packer - themida packer Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature

2.exe "C:\Users\test22\AppData\Local\Temp\2.exe"
2344

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.imports
section	.themida
section	.boot

One or more processes crashed (6 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 25, 2022, 9:45 a.m.	stacktrace: 2+0x3936f8 @ 0x16936f8 2+0x3b8ed4 @ 0x16b8ed4 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 2816412 registers.edi: 20451328 registers.eax: 2816412 registers.ebp: 2816492 registers.edx: 2130566132 registers.ebx: 22447736 registers.esi: 1999795243 registers.ecx: 397672448	1	0	0
__exception__ May 25, 2022, 9:45 a.m.	stacktrace: exception.instruction_r: ed e9 9c 17 ff ff 8c 79 42 59 0c 14 17 1f 0f c2 exception.symbol: 2+0x3e792d exception.instruction: in eax, dx exception.module: 2.exe exception.exception_code: 0xc0000096 exception.offset: 4094253 exception.address: 0x16e792d registers.esp: 2816532 registers.edi: 5058099 registers.eax: 1750617430 registers.ebp: 20451328 registers.edx: 5068886 registers.ebx: 0 registers.esi: 3522540 registers.ecx: 20	1	0	0
__exception__ May 25, 2022, 9:45 a.m.	stacktrace: exception.instruction_r: ed e9 56 66 07 00 c3 e9 6b 5f 07 00 75 00 55 ed exception.symbol: 2+0x3828d1 exception.instruction: in eax, dx exception.module: 2.exe exception.exception_code: 0xc0000096 exception.offset: 3680465 exception.address: 0x16828d1 registers.esp: 2816532 registers.edi: 5058099 registers.eax: 1447909480 registers.ebp: 20451328 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 3522540 registers.ecx: 10	1	0	0
__exception__ May 25, 2022, 9:45 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x755bcf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x755ef73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x755efa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x755efb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73f077b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x755efd15 2+0x379f10 @ 0x1679f10 2+0x395937 @ 0x1695937 2+0x3e1258 @ 0x16e1258 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x73d03f46 registers.esp: 2815204 registers.edi: 0 registers.eax: 1943027526 registers.ebp: 2815244 registers.edx: 0 registers.ebx: 0 registers.esi: 1943027526 registers.ecx: 7671144	1	0	0
__exception__ May 25, 2022, 9:45 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x755bcf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x755ef73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x755efa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x755efb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73f077b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x755efd15 2+0x379f10 @ 0x1679f10 2+0x395937 @ 0x1695937 2+0x3e1258 @ 0x16e1258 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x73d03f46 registers.esp: 2815204 registers.edi: 0 registers.eax: 1943027526 registers.ebp: 2815244 registers.edx: 0 registers.ebx: 0 registers.esi: 1943027526 registers.ecx: 7671144	1	0	0
__exception__ May 25, 2022, 9:45 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x754ad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x754a964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75494d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75496f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x7549e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75496002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75495fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x754949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75495a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x772e9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77308f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77308e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x76877a25 2+0x33d698 @ 0x163d698 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x754c3ef4 registers.esp: 2815836 registers.edi: 0 registers.eax: 3134752 registers.ebp: 2815864 registers.edx: 1 registers.ebx: 0 registers.esi: 5221392 registers.ecx: 1942893948	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 25, 2022, 9:45 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7734f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 25, 2022, 9:45 a.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772c0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (8 events)

section

{u'size_of_data': u'0x0002e441', u'virtual_address': u'0x00001000', u'entropy': 7.986407549230483, u'name': u' ', u'virtual_size': u'0x00052aed'}

entropy

7.98640754923

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000a410', u'virtual_address': u'0x00054000', u'entropy': 7.96081637461343, u'name': u' ', u'virtual_size': u'0x00016fb4'}

entropy

7.96081637461

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000309', u'virtual_address': u'0x0006b000', u'entropy': 7.643307698587816, u'name': u' ', u'virtual_size': u'0x00003eec'}

entropy

7.64330769859

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000134', u'virtual_address': u'0x00070000', u'entropy': 7.0546117047561285, u'name': u' ', u'virtual_size': u'0x00000230'}

entropy

7.05461170476

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001508', u'virtual_address': u'0x00071000', u'entropy': 7.928426462115351, u'name': u' ', u'virtual_size': u'0x00004ae0'}

entropy

7.92842646212

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002f0c', u'virtual_address': u'0x00076000', u'entropy': 7.960977824548948, u'name': u' ', u'virtual_size': u'0x00003884'}

entropy

7.96097782455

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0029a800', u'virtual_address': u'0x0049b000', u'entropy': 7.94649383291319, u'name': u'.boot', u'virtual_size': u'0x0029a800'}

entropy

7.94649383291

description

A section with a high entropy has been found

entropy

0.993505214065

description

Overall entropy of this PE file is high

Checks for the presence of known windows from debuggers and forensic tools (21 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 25, 2022, 9:45 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 25, 2022, 9:45 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 25, 2022, 9:45 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 25, 2022, 9:45 a.m.	stacktrace: exception.instruction_r: ed e9 56 66 07 00 c3 e9 6b 5f 07 00 75 00 55 ed exception.symbol: 2+0x3828d1 exception.instruction: in eax, dx exception.module: 2.exe exception.exception_code: 0xc0000096 exception.offset: 3680465 exception.address: 0x16828d1 registers.esp: 2816532 registers.edi: 5058099 registers.eax: 1447909480 registers.ebp: 20451328 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 3522540 registers.ecx: 10	1	0	0