Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 21, 2022, 9:59 a.m.	Dec. 21, 2022, 10:03 a.m.

Size	1.5MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`a383534669ff5ef9786e6aa9dc78ca66`
SHA256	`eda90d64d5942b6c08d2b91ac5f6e0f6008f7fcf30d1f606371319c4fa8fe8f0`
CRC32	`4988C8B6`
ssdeep	`24576:xyn7scgimzXv1vbFswwfrIldHjDkg13hc4uHoo6XlbxT2WYOzziHUEBbkXRr:kazXNvbFswV13hoS1b7Q/BbkX`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

server5.EXE "C:\Users\test22\AppData\Local\Temp\server5.EXE"
1608

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 21, 2022, 9:59 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 21, 2022, 9:59 a.m.	stacktrace: 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x7fef7c97ef8 registers.r14: 0 registers.r15: 262496 registers.rcx: 262496 registers.rsi: 1 registers.r10: 262496 registers.rbx: 0 registers.rsp: 2222152 registers.r11: 0 registers.r8: 1 registers.r9: 0 registers.rdx: 28 registers.r12: 0 registers.rbp: 8431216 registers.rdi: 0 registers.rax: 2222256 registers.r13: 28	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 21, 2022, 9:59 a.m.

stacktrace:

0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x7fef7c97ef8
registers.r14: 0
registers.r15: 262496
registers.rcx: 262496
registers.rsi: 1
registers.r10: 262496
registers.rbx: 0
registers.rsp: 2222152
registers.r11: 0
registers.r8: 1
registers.r9: 0
registers.rdx: 28
registers.r12: 0
registers.rbp: 8431216
registers.rdi: 0
registers.rax: 2222256
registers.r13: 28

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\certutil.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00179e00', u'virtual_address': u'0x0000f000', u'entropy': 7.978445240717292, u'name': u'.rsrc', u'virtual_size': u'0x0017a000'}

entropy

7.97844524072

description

A section with a high entropy has been found

entropy

0.973904639175

description

Overall entropy of this PE file is high

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

reg_value

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.GenericKD.64326012
ALYac	Trojan.GenericKD.64326012
Cylance	Unsafe
VIPRE	Trojan.GenericKD.64326012
Sangfor	Spyware.Msil.AutoRun.Vkvd
K7AntiVirus	Trojan ( 00309b371 )
Alibaba	Trojan:MSIL/Autorun.d88c6156
K7GW	Trojan ( 00309b371 )
Cybereason	malicious.669ff5
Cyren	W64/ABRisk.CDPQ-6412
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Autorun.Spy.Agent.R
Cynet	Malicious (score: 99)
APEX	Malicious
ClamAV	Txt.File.EXEinPEM-7099209-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.64326012
NANO-Antivirus	Trojan.Win64.Autorun.jtpfwp
Tencent	Win32.Trojan.Generic.Ewnw
Ad-Aware	Trojan.GenericKD.64326012
Emsisoft	Trojan.GenericKD.64326012 (B)
Zillya	Trojan.Generic.Win32.1675018
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.a383534669ff5ef9
Sophos	Mal/Generic-S
GData	Trojan.GenericKD.64326012
Avira	TR/Dropper.Gen2
MAX	malware (ai score=82)
Arcabit	Trojan.Generic.D3D5897C
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Trojan:Win32/Tiggre!rfn
Google	Detected
Acronis	suspicious
McAfee	Artemis!A383534669FF
Malwarebytes	Trojan.Dropper
Panda	Trj/CI.A
Rising	Worm.Autorun!8.50 (CLOUD)
Ikarus	Worm.MSIL.Autorun
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	MSIL/Spy_Agent.R!worm
AVG	Other:Malware-gen [Trj]
Avast	Other:Malware-gen [Trj]

server5.EXE

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All