Summary | ZeroBOX

1.exe

Malicious Packer Malicious Library PE32 PE File
Category FILE
Machine s1_win7_x6401
Started May 25, 2022, 9:45 a.m.
Completed May 25, 2022, 9:52 a.m.
Size 2.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 df7bcc6a339e5d1d61f040c538669b2b
SHA256 e44d45e08e69bdd44317e5cac98e49b242323e87f5a706ca870dd25079af1d17
CRC32 CECB0959
ssdeep 49152:YoiS5cQs+nAZ+6mtY1ECgzxGB6qUUPvZeCzmteDR3uRCc8gLAF4KA2bab+6GvoFg:YoiErrtlYaCg7qlvQC5R3uRtEFlQb+6Y
Yara
  • IsPE32 - (no description)
  • themida_packer - themida packer
  • Malicious_Packer_Zero - Malicious Packer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section
section .imports
section .themida
section .boot
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
1+0x3c8d4e @ 0x1668d4e
1+0x388691 @ 0x1628691

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 2096272
registers.edi: 20058112
registers.eax: 2096272
registers.ebp: 2096352
registers.edx: 2130566132
registers.ebx: 22086772
registers.esi: 2003530795
registers.ecx: 1881669632
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 da a8 00 00 c3 e9 e0 7e ff ff 49 f5 29 28
exception.symbol: 1+0x3c4e18
exception.instruction: in eax, dx
exception.module: 1.exe
exception.exception_code: 0xc0000096
exception.offset: 3952152
exception.address: 0x1664e18
registers.esp: 2096392
registers.edi: 5582171
registers.eax: 1750617430
registers.ebp: 20058112
registers.edx: 2512982
registers.ebx: 0
registers.esi: 13
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 74 86 06 00 f9 7f f7 01 1c 6f ff ff a2 00
exception.symbol: 1+0x3533f6
exception.instruction: in eax, dx
exception.module: 1.exe
exception.exception_code: 0xc0000096
exception.offset: 3486710
exception.address: 0x15f33f6
registers.esp: 2096392
registers.edi: 5582171
registers.eax: 1447909480
registers.ebp: 20058112
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x7659d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x7659964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x76584d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x76586f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x7658e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x76586002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x76585fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x765849e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x76585a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77679a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77698f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77698e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x766e7a25
1+0x3319b1 @ 0x15d19b1

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x765b3ef4
registers.esp: 2095696
registers.edi: 0
registers.eax: 18649880
registers.ebp: 2095724
registers.edx: 1
registers.ebx: 0
registers.esi: 5798888
registers.ecx: 1939355100
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2844
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x776df000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2844
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77650000
process_handle: 0xffffffff
1 0 0
High-entropy sections (description for each: A section with a high entropy has been found)
name     virtual_address  virtual_size  size_of_data  entropy
(blank)  0x00001000       0x00052aed    0x0002e441    7.983448048014257
(blank)  0x00054000       0x00016fb4    0x0000a410    7.957548449144089
(blank)  0x0006b000       0x00003eec    0x00000309    7.65581275739957
(blank)  0x00070000       0x00000230    0x00000134    7.262855099195791
(blank)  0x00071000       0x00004ae0    0x00001508    7.93444938253743
(blank)  0x00076000       0x00003884    0x00002f0c    7.925704391516915
.boot    0x0049b000       0x00289a00    0x00289a00    7.9532743167372955
entropy 0.993352018163 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: ed e9 74 86 06 00 f9 7f f7 01 1c 6f ff ff a2 00
exception.symbol: 1+0x3533f6
exception.instruction: in eax, dx
exception.module: 1.exe
exception.exception_code: 0xc0000096
exception.offset: 3486710
exception.address: 0x15f33f6
registers.esp: 2096392
registers.edi: 5582171
registers.eax: 1447909480
registers.ebp: 20058112
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0