Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 5, 2022, 9:31 a.m.	Oct. 5, 2022, 9:33 a.m.

Size	2.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f57cf9f58d3bf82639a733c0d8119878`
SHA256	`0803113ba69eb2f75dd6bc5cbed7cb946f7220f4d299672bab97d911ac8f85a6`
CRC32	`16F50C72`
ssdeep	`49152:xBuZrEU3ZgFiI/zZsFiJI7c3o55DdN7POGji:XkL3Z7I/6iAc3o55lji`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature

unknown.exe "C:\Users\test22\AppData\Local\Temp\unknown.exe"
1072
- unknown.tmp "C:\Users\test22\AppData\Local\Temp\is-70VVC.tmp\unknown.tmp" /SL5="$30028,1468388,832512,C:\Users\test22\AppData\Local\Temp\unknown.exe"
  2104
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 5, 2022, 9:31 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 5, 2022, 9:31 a.m.	stacktrace: TMethodImplementationIntercept+0x13fc1e dbkFCallWrapperAddr-0xddbaa unknown+0x1f5a96 @ 0x5f5a96 TMethodImplementationIntercept+0x1ecdc7 dbkFCallWrapperAddr-0x30a01 unknown+0x2a2c3f @ 0x6a2c3f TMethodImplementationIntercept+0x1ed9a8 dbkFCallWrapperAddr-0x2fe20 unknown+0x2a3820 @ 0x6a3820 TMethodImplementationIntercept+0x20f8f4 dbkFCallWrapperAddr-0xded4 unknown+0x2c576c @ 0x6c576c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1637648 registers.edi: 0 registers.eax: 1637648 registers.ebp: 1637728 registers.edx: 0 registers.ebx: 34984736 registers.esi: 35193152 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 5, 2022, 9:31 a.m.

stacktrace:

TMethodImplementationIntercept+0x13fc1e dbkFCallWrapperAddr-0xddbaa unknown+0x1f5a96 @ 0x5f5a96
TMethodImplementationIntercept+0x1ecdc7 dbkFCallWrapperAddr-0x30a01 unknown+0x2a2c3f @ 0x6a2c3f
TMethodImplementationIntercept+0x1ed9a8 dbkFCallWrapperAddr-0x2fe20 unknown+0x2a3820 @ 0x6a3820
TMethodImplementationIntercept+0x20f8f4 dbkFCallWrapperAddr-0xded4 unknown+0x2c576c @ 0x6c576c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1637648
registers.edi: 0
registers.eax: 1637648
registers.ebp: 1637728
registers.edx: 0
registers.ebx: 34984736
registers.esi: 35193152
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 5, 2022, 9:31 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2022, 9:31 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2022, 9:31 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2022, 9:31 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2022, 9:31 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2022, 9:24 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-0CBR1.tmp\gug.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-0CBR1.tmp\gug.dll
file	C:\Users\test22\AppData\Local\Temp\is-70VVC.tmp\unknown.tmp

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-70VVC.tmp\unknown.tmp

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

MicroWorld-eScan	Gen:Variant.Zusy.438616
Malwarebytes	Malware.AI.2721880045
K7AntiVirus	Riskware ( 00584baa1 )
K7GW	Riskware ( 00584baa1 )
Cyren	W32/Convagent.AH.gen!Eldorado
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenKryptik.GAOP
Kaspersky	VHO:Trojan.Win32.Agentb.gen
BitDefender	Gen:Variant.Zusy.438616
Avast	Win32:DangerousSig [Trj]
Emsisoft	Gen:Variant.Zusy.438616 (B)
VIPRE	Gen:Variant.Zusy.438616
FireEye	Gen:Variant.Zusy.438616
GData	Gen:Variant.Zusy.438616
Google	Detected
MAX	malware (ai score=81)
Arcabit	Trojan.Zusy.D6B158
ZoneAlarm	VHO:Trojan.Win32.Agentb.gen
Microsoft	Trojan:Win32/Androm.RA!MTB
ALYac	Gen:Variant.Zusy.438616
Rising	Malware.Obscure/Heur!1.9E03 (CLASSIC)
MaxSecure	Trojan.Malware.121218.susgen
AVG	Win32:DangerousSig [Trj]
CrowdStrike	win/grayware_confidence_70% (D)

unknown.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All