Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 20, 2023, 9:42 a.m.	March 20, 2023, 9:46 a.m.

Size	7.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f5d957a42f578847664cacb8a4c3d695`
SHA256	`00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc`
CRC32	`5B9E0F1C`
ssdeep	`196608:ZOtzW0BrGc/4GmLcBh8YSZIEqsyZr2caC78:kVW6Gc//B/xEh+a`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature

f2f16bc7-e50f-45d2-9d83-c860d538d8ed.exe "C:\Users\test22\AppData\Local\Temp\f2f16bc7-e50f-45d2-9d83-c860d538d8ed.exe"
2076

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.106.92.104	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 20, 2023, 9:42 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.>-W
section	.kd%
section	.Mdp

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 20, 2023, 9:42 a.m.	stacktrace: f2f16bc7-e50f-45d2-9d83-c860d538d8ed+0x4b43f5 @ 0x16643f5 GetEnvironmentVariableA+0x18 VerifyConsoleIoHandle-0xc5 kernel32+0x133b8 @ 0x757f33b8 exception.instruction_r: 90 51 9c b9 5f 2b 6f 6c 81 c1 f6 15 f6 7a 53 23 exception.symbol: f2f16bc7-e50f-45d2-9d83-c860d538d8ed+0x53f471 exception.instruction: nop exception.module: f2f16bc7-e50f-45d2-9d83-c860d538d8ed.exe exception.exception_code: 0x80000004 exception.offset: 5502065 exception.address: 0x16ef471 registers.esp: 2553072 registers.edi: 0 registers.eax: 1173281897 registers.ebp: 2555096 registers.edx: 78 registers.ebx: 18546688 registers.esi: 0 registers.ecx: 1971191808	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 20, 2023, 9:42 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00930000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00705000', u'virtual_address': u'0x00439000', u'entropy': 7.973221863404521, u'name': u'.Mdp', u'virtual_size': u'0x00704fc0'}

entropy

7.9732218634

description

A section with a high entropy has been found

entropy

0.939915004904

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

185.106.92.104

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 20, 2023, 9:42 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x000000b0 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl March 20, 2023, 9:42 a.m.	input_buffer: control_code: 458752 (IOCTL_DISK_GET_DRIVE_GEOMETRY) device_handle: 0x000000b0 output_buffer: Qÿ?	1	1	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetectNet.01
Elastic	malicious (high confidence)
Malwarebytes	Malware.Heuristic.1003
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.VMProtect.AHG
Cynet	Malicious (score: 100)
APEX	Malicious
Avast	Win32:Trojan-gen
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
FireEye	Generic.mg.f5d957a42f578847
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Rising	Trojan.Generic@AI.100 (RDML:fD7xnyp691p8Vr4OIQrX6A)
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZexaF.36344.@J0@aa@hO@hi
AVG	Win32:Trojan-gen

f2f16bc7-e50f-45d2-9d83-c860d538d8ed

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All