Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 19, 2023, 12:35 p.m.	Jan. 19, 2023, 12:38 p.m.

Size	1.6MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`ca75120570056492d53d682e9b90f94c`
SHA256	`82ea51d64adc6b407ed4853d7142d3db010f731767ae4ab124e5d71094db01cd`
CRC32	`677413A4`
ssdeep	`49152:H+l7BA6esT8yVkQnXX0LDfKFgOq1GUu0:HMA6esT2an0LmFgOqk`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

svcrun.exe "C:\Users\test22\AppData\Local\Temp\svcrun.exe"
1872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The file contains an unknown PE resource name possibly indicative of a packer (4 events)

resource name	PNG
resource name	REGISTRY
resource name	TEXTFILE
resource name	TYPELIB

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 19, 2023, 12:35 p.m.	stacktrace: 0xccbd03 svcrun+0x17e103 @ 0x118e103 0xdf6012 0xcc99f0 exception.instruction_r: 90 eb 02 43 bb eb 04 15 f0 5c 8d eb 04 8a 8b 8f exception.instruction: nop exception.exception_code: 0x80000004 exception.symbol: exception.address: 0xccbd03 registers.r14: 0 registers.r15: 0 registers.rcx: 3 registers.rsi: 14646489 registers.r10: 0 registers.rbx: 5 registers.rsp: 4782888 registers.r11: 582 registers.r8: 4782504 registers.r9: 18468760 registers.rdx: 13417701 registers.r12: 13350200 registers.rbp: 4782944 registers.rdi: 13416464 registers.rax: 258 registers.r13: 3822	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 1872 region_size: 266240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000cb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Jan. 19, 2023, 12:35 p.m.	process_identifier: 1872 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00098800', u'virtual_address': u'0x000e2000', u'entropy': 7.5830254398484405, u'name': u'.rsrc', u'virtual_size': u'0x0009864c'}

entropy

7.58302543985

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00107400', u'virtual_address': u'0x0017c000', u'entropy': 7.999786638152722, u'name': u'.data', u'virtual_size': u'0x00107400'}

entropy

7.99978663815

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

McAfee	Artemis!CA7512057005
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Avast	CoinminerX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win64.Generic.tc
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Google	Detected
AhnLab-V3	Trojan/Win.Agent.R543531
Zoner	Probably Heur.ExeHeaderL
Rising	Spyware.Bobik!8.108FF (TFE:1:uv5VD15mg9I)
Ikarus	Trojan.Win32.Generic
AVG	CoinminerX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

svcrun.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All