Summary | ZeroBOX

os.exe

Emotet Gen1, Generic Malware, Malicious Library, UPX, Malicious Packer, Admin Tool (Sysinternals etc ...), Anti_VM, PE64, PE File, OS Processor Check, PE32, .NET EXE, DLL
Category FILE
Machine s1_win7_x6401
Started March 6, 2023, 5:48 p.m.
Completed March 6, 2023, 5:52 p.m.
Size 12.1MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a18b95c829a40237ff0e7fc93aeb641b
SHA256 eb9445e9be4d04ce2f6248e43d0cd912b157ca36ee8da123430f94d8609c219b
CRC32 EFBD444B
ssdeep 196608:bLF3ZyqzxbAQvaNJm3AqowejuJDUX47dwdW0tnFwB2nT7vYPJSuI2wlH:nFJyyxy/m3poaUX47d4VnNHeU
PDB Path C:\Users\anast\source\repos\OSInfo\OSInfo\obj\Release\OSInfo.pdb
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
IsDebuggerPresent
  return: 0, repeated: 0
IsDebuggerPresent
  return: 0, repeated: 0
pdb_path C:\Users\anast\source\repos\OSInfo\OSInfo\obj\Release\OSInfo.pdb
Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx
  status: 1, return: 1, repeated: 0
Time & API Arguments Status Return Repeated
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 1310720
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00530000
  allocation_type: 8192 (MEM_RESERVE)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00630000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtProtectVirtualMemory
  process_identifier: 2552
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x727a1000
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtProtectVirtualMemory
  process_identifier: 2552
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x727a2000
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 1900544
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00b70000
  allocation_type: 8192 (MEM_RESERVE)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00d00000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003a2000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003d5000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003db000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003d7000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003bc000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003c6000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00680000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003aa000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003ca000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
NtAllocateVirtualMemory
  process_identifier: 2552
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003c7000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0
file C:\Users\test22\AppData\Local\Temp\_MEI26442\ucrtbase.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\mfc140u.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-datetime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\libcrypto-1_1.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-environment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\VCRUNTIME140.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-processenvironment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-sysinfo-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\pywin32_system32\pywintypes311.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-handle-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-locale-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\libssl-1_1.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\HfNVizcyGemoZXgW.exe
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-synch-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-errorhandling-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-console-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\python3.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-synch-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-libraryloader-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-convert-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\pywin32_system32\pythoncom311.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-file-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-memory-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\registers.exe
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-rtlsupport-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-stdio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\python311.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\libffi-8.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI26442\api-ms-win-core-interlocked-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\HfNVizcyGemoZXgW.exe
file C:\Users\test22\AppData\Local\Temp\registers.exe
section .text (virtual_address 0x00002000, virtual_size 0x00c127c4, size_of_data 0x00c12800, entropy 7.9889890102658665) entropy 7.98898901027 description A section with a high entropy has been found
entropy 0.999838240052 description Overall entropy of this PE file is high
MicroWorld-eScan IL:Trojan.MSILZilla.25842
FireEye Generic.mg.a18b95c829a40237
ALYac IL:Trojan.MSILZilla.25842
Malwarebytes Trojan.Dropper.MSIL.Generic
VIPRE IL:Trojan.MSILZilla.25842
Sangfor Trojan.Win32.Save.a
Cybereason malicious.1135f3
Arcabit IL:Trojan.MSILZilla.D64F2
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/TrojanDropper.Agent.FUP
APEX Malicious
BitDefender IL:Trojan.MSILZilla.25842
Avast FileRepMalware [Misc]
Rising Trojan.Generic@AI.97 (RDML:oc5w8lEsWjMrq48bNz86dw)
Emsisoft IL:Trojan.MSILZilla.25842 (B)
Trapmine malicious.high.ml.score
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData IL:Trojan.MSILZilla.25842
Acronis suspicious
MAX malware (ai score=85)
Cylance unsafe
BitDefenderTheta Gen:NN.ZemsilF.36308.@p0@aOEZSr
AVG FileRepMalware [Misc]
CrowdStrike win/malicious_confidence_100% (D)