Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 21, 2022, 10:06 a.m.	Sept. 21, 2022, 10:09 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c277b4a70743041f28445f57129a9927`
SHA256	`2009b71b6184f9e235d604b7b6e4afb7021453ceb3f35631edba7c6be3d729d8`
CRC32	`C23FEF70`
ssdeep	`24576:97FUDowAyrTVE3U5Fm2T7WZVoA/dKTC7ro5x7awFhJdNo69lOy7KTijlY:9BuZrEUnCZ2A/ETS055DdN7POGjS`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

arg_rar.exe "C:\Users\test22\AppData\Local\Temp\arg_rar.exe"
2308
- arg_rar.tmp "C:\Users\test22\AppData\Local\Temp\is-5447S.tmp\arg_rar.tmp" /SL5="$3002C,1133818,832512,C:\Users\test22\AppData\Local\Temp\arg_rar.exe"
  2388
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 21, 2022, 10:06 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 21, 2022, 10:06 a.m.	stacktrace: TMethodImplementationIntercept+0x13fc1e dbkFCallWrapperAddr-0xddbaa arg_rar+0x1f5a96 @ 0x5f5a96 TMethodImplementationIntercept+0x1ecdc7 dbkFCallWrapperAddr-0x30a01 arg_rar+0x2a2c3f @ 0x6a2c3f TMethodImplementationIntercept+0x1ed9a8 dbkFCallWrapperAddr-0x2fe20 arg_rar+0x2a3820 @ 0x6a3820 TMethodImplementationIntercept+0x20f8f4 dbkFCallWrapperAddr-0xded4 arg_rar+0x2c576c @ 0x6c576c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1637648 registers.edi: 0 registers.eax: 1637648 registers.ebp: 1637728 registers.edx: 0 registers.ebx: 35640096 registers.esi: 35848512 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 21, 2022, 10:06 a.m.

stacktrace:

TMethodImplementationIntercept+0x13fc1e dbkFCallWrapperAddr-0xddbaa arg_rar+0x1f5a96 @ 0x5f5a96
TMethodImplementationIntercept+0x1ecdc7 dbkFCallWrapperAddr-0x30a01 arg_rar+0x2a2c3f @ 0x6a2c3f
TMethodImplementationIntercept+0x1ed9a8 dbkFCallWrapperAddr-0x2fe20 arg_rar+0x2a3820 @ 0x6a3820
TMethodImplementationIntercept+0x20f8f4 dbkFCallWrapperAddr-0xded4 arg_rar+0x2c576c @ 0x6c576c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 1637648
registers.edi: 0
registers.eax: 1637648
registers.ebp: 1637728
registers.edx: 0
registers.ebx: 35640096
registers.esi: 35848512
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2022, 10:06 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2022, 10:06 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2022, 10:06 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2022, 10:06 a.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2022, 10:06 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2022, 10:08 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 21, 2022, 10:08 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 10237554688 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-3K1UU.tmp\service.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-3K1UU.tmp\service.dll
file	C:\Users\test22\AppData\Local\Temp\is-5447S.tmp\arg_rar.tmp

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-5447S.tmp\arg_rar.tmp

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Cynet	Malicious (score: 99)
FireEye	Gen:Heur.Pack.Emotet.1
Malwarebytes	Malware.AI.4213368951
VIPRE	Gen:Heur.Pack.Emotet.1
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Gen:Heur.Pack.Emotet.1
Arcabit	Trojan.Pack.Emotet.1
Cyren	W32/Convagent.AH.gen!Eldorado
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Kryptik_AGen.AHF
Kaspersky	UDS:Trojan-Downloader.Win32.Satacom.gen
MicroWorld-eScan	Gen:Heur.Pack.Emotet.1
Avast	Win32:Malware-gen
Rising	Malware.Obscure/Heur!1.A89F (CLASSIC)
Emsisoft	Gen:Heur.Pack.Emotet.1 (B)
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Emotet
Avira	HEUR/AGEN.1251348
MAX	malware (ai score=84)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Script/Phonzy.C!ml
GData	Gen:Heur.Pack.Emotet.1
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5239925
ALYac	Gen:Heur.Pack.Emotet.1
AVG	Win32:Malware-gen
CrowdStrike	win/grayware_confidence_70% (D)

arg_rar.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All