Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 15, 2023, 8:47 a.m.	March 15, 2023, 8:49 a.m.

Size	959.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`41687e58130c8bdca248e1403e565afb`
SHA256	`fef1f9664fde9b23754c691b15a05fdc35a51a0ceb8a18fb9a5a0166e6377c69`
CRC32	`A1BBB877`
ssdeep	`24576:TLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdAF:Pjrc2So1Ff+B3k796W`
Yara	Generic_Malware_Zero - Generic Malware IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software

sample2.exe "C:\Users\test22\AppData\Local\Temp\sample2.exe"
2568
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 15, 2023, 8:47 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 15, 2023, 8:47 a.m.	computer_name: TEST22-PC	1	1	0

Tries to locate where the browsers are installed (2 events)

file	c:\program files (x86)\Google\Chrome\application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 15, 2023, 8:47 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 15, 2023, 8:47 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729e2000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 15, 2023, 8:49 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

sample2.exe tried to sleep 224 seconds, actually delayed analysis time by 224 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW March 15, 2023, 8:47 a.m.	number_of_free_clusters: 3252687 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceExW March 15, 2023, 8:47 a.m.	total_number_of_free_bytes: 13323005952 free_bytes_available: 13323005952 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW March 15, 2023, 8:47 a.m.	snapshot_handle: 0x00000254 process_name: pw.exe process_identifier: 2332	1	1
Process32NextW March 15, 2023, 8:47 a.m.	snapshot_handle: 0x00000254 process_name: sample2.exe process_identifier: 2568	1	1
Process32NextW March 15, 2023, 8:47 a.m.	snapshot_handle: 0x00000254 process_name: vc process_identifier: 6357093		0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (9 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 8:47 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{6E5E24E4-E8E8-78AC-0E52-0E6D43D0CFEE}

reg_value

"C:\Users\test22\AppData\Local\Temp\sample2.exe"

Writes a potential ransom message to disk (2 events)

Time & API	Arguments	Status	Return	Repeated
NtWriteFile March 15, 2023, 8:47 a.m.	buffer: LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FB5EDCE4A6E8787527BD5FE83FDF914E offset: 0 file_handle: 0x00000318 filepath: C:\GPKI\Restore-My-Files.txt	1	259	0
NtWriteFile March 15, 2023, 8:47 a.m.	buffer: LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FB5EDCE4A6E8787527BD5FE83FDF914E offset: 0 file_handle: 0x0000027c filepath: C:\Restore-My-Files.txt	1	259	0

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.4!c
Elastic	Windows.Ransomware.Lockbit
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.LckbitRnsm.S21641235
ALYac	Trojan.Ransom.LockBit
Zillya	Trojan.Agent.Win32.2362610
Sangfor	Ransom.Win32.Lockbit.Vbng
K7AntiVirus	Trojan ( 0057f63d1 )
Alibaba	Ransom:Win32/Lockbit.c99
K7GW	Trojan ( 0057f63d1 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZexaF.36344.7mW@aqwWnog
VirIT	Ransom.Win32.LockBit.DAM
Cyren	W32/Ransom.PM.gen!Eldorado
Symantec	Downloader
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Filecoder.Lockbit.E
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Obfus-43
Kaspersky	HEUR:Trojan-Ransom.Win32.Generic
BitDefender	Gen:Variant.Ransom.Lockbit2.9
NANO-Antivirus	Trojan.Win32.Encoder.jtuemz
ViRobot	Trojan.Win32.Lockbit.982528
MicroWorld-eScan	Gen:Variant.Ransom.Lockbit2.9
Avast	Win32:LockBit-A [Ransom]
Rising	Ransom.LockBit!1.D854 (CLASSIC)
Emsisoft	Gen:Variant.Ransom.Lockbit2.9 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.Encoder.34248
VIPRE	Gen:Variant.Ransom.Lockbit2.9
TrendMicro	Ransom.Win32.LOCKBIT.SMYEBGW
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.41687e58130c8bdc
Sophos	Troj/Lockbit-D
Ikarus	Trojan-Ransom.LockBit
GData	Win32.Trojan-Ransom.LockBit.A
Jiangmin	Trojan.Agent.dltk
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.GenKryptik
Gridinsoft	Ransom.Win32.LockBit.bot
Arcabit	Trojan.Ransom.Lockbit2.9
ZoneAlarm	HEUR:Trojan-Ransom.Win32.Generic
Microsoft	Ransom:Win32/Lockbit.STA
Google	Detected
AhnLab-V3	Ransomware/Win.LockBit.R487041
McAfee	Lockbit!41687E58130C

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.101:49167
dead_host	192.168.56.1:445
dead_host	192.168.56.1:135
dead_host	192.168.56.101:49166

sample2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All