Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 26, 2022, 9:51 a.m.	Dec. 26, 2022, 9:59 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`afd26f223230ad20eb208dbaa0164e43`
SHA256	`fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4`
CRC32	`EDB33F12`
ssdeep	`24576:cfR85lrIXtinFaRYaWZ22CJVf6GvhrRR44gaGVllYVYItTP4au+TK+Mx:cfS55IXluX4t2ID4au+2d`
Yara	Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library anti_vm_detect - Possibly employs anti-virtualization techniques PE_Header_Zero - PE File Signature themida_packer - themida packer UPX_Zero - UPX packed file

bd.exe "C:\Users\test22\AppData\Local\Temp\bd.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 26, 2022, 9:51 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section
section	.boot

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: bd+0x25eae7 @ 0xd7eae7 bd+0x25eb96 @ 0xd7eb96 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 3145244 registers.edi: 11997184 registers.eax: 3145244 registers.ebp: 3145324 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 1995994155 registers.ecx: 2068840448	1
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 65 a8 e8 ff exception.symbol: bd+0x2883d0 exception.instruction: in eax, dx exception.module: bd.exe exception.exception_code: 0xc0000096 exception.offset: 2655184 exception.address: 0xda83d0 registers.esp: 3145364 registers.edi: 7744900 registers.eax: 1750617430 registers.ebp: 11997184 registers.edx: 7755862 registers.ebx: 0 registers.esi: 1967587090 registers.ecx: 20	1
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: bd+0x288444 exception.instruction: in eax, dx exception.module: bd.exe exception.exception_code: 0xc0000096 exception.offset: 2655300 exception.address: 0xda8444 registers.esp: 3145364 registers.edi: 7744900 registers.eax: 1447909480 registers.ebp: 11997184 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 1967587090 registers.ecx: 10	1
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: 0x709e7c 0x7080f1 0x7042e9 0x7060e6 0x78cb97 0x78c867 0x3e3fbe 0x40810f 0x3e0015 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 45937360 registers.edi: 11864995 registers.eax: 45937360 registers.ebp: 45937440 registers.edx: 2130553844 registers.ebx: 0 registers.esi: 1968998345 registers.ecx: 2068840448	1
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: 0x7080f1 0x7042e9 0x7060e6 0x78cb97 0x78c867 0x3e3fbe 0x40810f 0x3e0015 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 51 ff 15 cc 2a 71 00 a1 4c 49 71 00 c3 8b 44 24 exception.instruction: push ecx exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x709596 registers.esp: 45937472 registers.edi: 45937540 registers.eax: 0 registers.ebp: 45937596 registers.edx: 5170360 registers.ebx: 0 registers.esi: 7378293 registers.ecx: 7902464	1
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: 0x7080f1 0x7042e9 0x7060e6 0x78cb97 0x78c867 0x3e3fbe 0x40810f 0x3e0015 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: cc 50 ff 15 cc 2a 71 00 a1 4c 49 71 00 c3 8b 44 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: exception.address: 0x7095d8 registers.esp: 45937472 registers.edi: 45937544 registers.eax: 7902464 registers.ebp: 45937596 registers.edx: 5170360 registers.ebx: 0 registers.esi: 7378369 registers.ecx: 1	1
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: 0x708221 0x7080f1 0x7042e9 0x7060e6 0x78cb97 0x78c867 0x3e3fbe 0x40810f 0x3e0015 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 15 cc 2a 71 00 a1 4c 49 71 00 c9 c3 8b 44 24 exception.instruction: call dword ptr [0x712acc] exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x709ec0 registers.esp: 45937460 registers.edi: 45937548 registers.eax: 838 registers.ebp: 45937468 registers.edx: 5170360 registers.ebx: 0 registers.esi: 7380628 registers.ecx: 7902464	1

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 167936 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 26, 2022, 9:51 a.m.	process_identifier: 2556 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x0002c400', u'virtual_address': u'0x00001000', u'entropy': 7.998963235901202, u'name': u' ', u'virtual_size': u'0x00040e34'}

entropy

7.9989632359

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000200', u'virtual_address': u'0x00042000', u'entropy': 7.224685915773197, u'name': u' ', u'virtual_size': u'0x0000144c'}

entropy

7.22468591577

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000e00', u'virtual_address': u'0x0004a000', u'entropy': 7.938505257246747, u'name': u' ', u'virtual_size': u'0x000011f8'}

entropy

7.93850525725

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00122200', u'virtual_address': u'0x0033f000', u'entropy': 7.955606072327978, u'name': u'.boot', u'virtual_size': u'0x00122200'}

entropy

7.95560607233

description

A section with a high entropy has been found

entropy

0.971045964531

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Dec. 26, 2022, 9:51 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Queries information on disks, possibly for anti-virtualization (3 events)

Time & API	Arguments	Status
NtCreateFile Dec. 26, 2022, 9:51 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x000000e4 filepath: \??\PhysicalDrive0 desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1
NtCreateFile Dec. 26, 2022, 9:51 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x000000e4 filepath: \??\Scsi0: desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\Scsi0: create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1
DeviceIoControl Dec. 26, 2022, 9:51 a.m.	input_buffer: SCSIDISK'2b703ec12 6ì0 BVXOH RADDS control_code: 315400 () device_handle: 0x000000e4 output_buffer: <INVALID POINTER>

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 26, 2022, 9:51 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 26, 2022, 9:51 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: bd+0x288444 exception.instruction: in eax, dx exception.module: bd.exe exception.exception_code: 0xc0000096 exception.offset: 2655300 exception.address: 0xda8444 registers.esp: 3145364 registers.edi: 7744900 registers.eax: 1447909480 registers.ebp: 11997184 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 1967587090 registers.ecx: 10	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

tehtris	Generic.Malware
MicroWorld-eScan	Gen:Trojan.Heur.wH0@vr1LDOiin
FireEye	Generic.mg.afd26f223230ad20
CAT-QuickHeal	Trojan.Strab
ALYac	Gen:Trojan.Heur.wH0@vr1LDOiin
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Strab.8b08b7cf
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.23230a
Arcabit	Trojan.Heur.EECA02
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan.Win32.Strab.vt
BitDefender	Gen:Trojan.Heur.wH0@vr1LDOiin
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
Avast	Win32:Malware-gen
Tencent	Win32.Trojan.Strab.Zfow
Ad-Aware	Gen:Trojan.Heur.wH0@vr1LDOiin
Emsisoft	Gen:Trojan.Heur.wH0@vr1LDOiin (B)
VIPRE	Gen:Trojan.Heur.wH0@vr1LDOiin
McAfee-GW-Edition	BehavesLike.Win32.Trojan.tc
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Downloader]/Win32.Emotet
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Malware.Win32.Gen.bot
Microsoft	Trojan:Win32/Tiggre!rfn
GData	Gen:Trojan.Heur.wH0@vr1LDOiin
Acronis	suspicious
McAfee	Artemis!AFD26F223230
Malwarebytes	Trojan.Crypt
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	TROJ_GEN.R002H07LN22
Rising	PUF.Presenoker!8.F608 (TFE:5:0nOjQwwcDTV)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.PALLAS.H
BitDefenderTheta	AI:Packer.DFADD2FD1D
AVG	Win32:Malware-gen

bd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All