Summary | ZeroBOX

15.ocx

Tags: VMProtect, Malicious Library, PE32, PE File

Category FILE
Machine s1_win7_x6403_us
Started April 22, 2023, 8:44 a.m.
Completed April 22, 2023, 8:58 a.m.
Size 3.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f43ab10a6a9570e4bdc2fd04aa3aa7c3
SHA256 b970c327c2e8914749e73713d4dd743ae3907f0a66bd5c34806c6e5f23cf9aa3
CRC32 1669BFE6
ssdeep 98304:iYPGZ6Gqx5CyuqoEsgy6SDVpqyEAYOV+pyIXlmgCE660v2Pu0n:iKGqx5Cxq+gNSDzqFacpPM7Jk
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • VMProtect_Zero - VMProtect packed file
  • Malicious_Library_Zero - Malicious_Library

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.
Network hosts (IP Address / Status / Action)
No hosts contacted.
No DNS or host traffic was observed during this 14-minute run.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .vmp0 (VMProtect section name)
section .vmp1 (VMProtect section name)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
    process_identifier: 872
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    length: 3321856 (0x32b000, 811 pages)
    protection: 64 (PAGE_EXECUTE_READWRITE)
    base_address: 0x005b2000
    process_handle: 0xffffffff (NtCurrentProcess, i.e. the sample's own process)
Status 1, Return 0, Repeated 0
Note: the sample marks a contiguous 3.3 MB range of its own address space (0x005b2000-0x008dd000) writable and executable in one call. Self-modification on this scale is the in-place unpacking stage expected of a VMProtect-packed binary; a region that ends up RWX rather than RX is the detail to key on.
Time & API Arguments Status Return Repeated

ShellExecuteExW
    show_type: 0 (SW_HIDE)
    filepath_r: C:\Users\test22\AppData\Local\15.ocx
    parameters: (none)
    filepath: C:\Users\test22\AppData\Local\15.ocx
Status/Return/Repeated: 0 0 (the report records only two values here; kept as shown)
Note: the sample launches its own file from the user's %LOCALAPPDATA% directory with the window hidden. Despite the .ocx extension (normally an ActiveX/OLE control DLL), the file is a PE32 GUI executable (see Type above), so ShellExecuteEx runs it as a program.
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
    process_identifier: 872
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 1 (sandbox monitor flag; set on this call, clear on the first)
    length: 106496 (0x1a000, 26 pages)
    protection: 32 (PAGE_EXECUTE_READ)
    base_address: 0x10001000
    process_handle: 0xffffffff (NtCurrentProcess)
Status 1, Return 0, Repeated 0
Note: a second range (0x10001000-0x1001b000) is made executable, this time read-only. 0x10000000 is the linker's default image base for DLLs, but the report lists no module loads, so what occupies that range is not shown.
section .vmp1: size_of_data 0x003d4000, virtual_address 0x0056a000, virtual_size 0x003d35c2, entropy 7.87 (Shannon bits per byte, maximum 8.0)
    description: A section with a high entropy has been found
entropy 1.0
    description: Overall entropy of this PE file is high
    (this figure is a ratio, not a Shannon value: Cuckoo's packer_entropy signature reports the share of section data that lies in high-entropy sections, and 1.0 means all of it; the 0x3d4000 bytes of .vmp1 are nearly the whole 3.8 MB file)
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW
    system_name: (empty, i.e. the local system)
    privilege_name: SeDebugPrivilege
Status 1, Return 1, Repeated 0
Note: resolving the LUID of SeDebugPrivilege is the step that precedes enabling it with AdjustTokenPrivileges; the report records only the lookup, so whether the privilege was actually enabled is not shown.
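The four logged calls above are the behaviours a triage script would key on. The following is an added example, not ZeroBOX or Cuckoo code, that decodes the Win32 PAGE_* protection constants and flags RWX protection changes, executable memory the monitor tagged as heap, a SeDebugPrivilege lookup and the sample re-launching its own path. The call records are constructed from the values shown in this report; the record layout, the rule names and the reading of the heap_dep_bypass flag are assumptions of the example.

```python
"""Triage Cuckoo-style API call records for the behaviours this report logs.
Added example, not ZeroBOX/Cuckoo code; records are constructed from the report."""

# Win32 PAGE_* protection constants: low byte is the base protection, upper bits are modifiers.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
CURRENT_PROCESS = 0xFFFFFFFF  # NtCurrentProcess() pseudo-handle on 32-bit Windows


def decode_protection(value: int) -> str:
    """Render a numeric protection value as PAGE_* names, e.g. 64 -> PAGE_EXECUTE_READWRITE."""
    names = [PAGE_BASE.get(value & 0xFF, f"0x{value & 0xFF:02x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def is_writable_executable(value: int) -> bool:
    return (value & 0xFF) in (0x40, 0x80)


def is_executable(value: int) -> bool:
    return bool(value & 0xF0)


def triage_calls(calls: list, sample_path: str) -> list:
    """Return one finding dict per suspicious call (empty list if nothing matches)."""
    findings = []
    for call in calls:
        api, args = call["api"], call["arguments"]
        if api == "NtProtectVirtualMemory":
            prot, base, length = args["protection"], args["base_address"], args["length"]
            if is_writable_executable(prot):
                rule = "rwx_memory"
            elif is_executable(prot) and args.get("heap_dep_bypass"):
                rule = "heap_flagged_executable"  # assumed meaning of the monitor's flag
            else:
                continue
            findings.append({"rule": rule, "api": api, "pid": args["process_identifier"],
                             "protection": decode_protection(prot),
                             "region": f"0x{base:08x}-0x{base + length:08x}",
                             "self": args["process_handle"] == CURRENT_PROCESS})
        elif api == "LookupPrivilegeValueW" and args.get("privilege_name") == "SeDebugPrivilege":
            findings.append({"rule": "debug_privilege_lookup", "api": api})
        elif api == "ShellExecuteExW" and args.get("filepath", "").lower() == sample_path.lower():
            findings.append({"rule": "self_execution", "api": api,
                             "hidden": args.get("show_type") == 0})  # 0 == SW_HIDE
    return findings


# Constructed records mirroring the four calls logged in the report.
SAMPLE_PATH = r"C:\Users\test22\AppData\Local\15.ocx"
SAMPLE_CALLS = [
    {"api": "NtProtectVirtualMemory", "arguments": {
        "process_identifier": 872, "stack_dep_bypass": 0, "stack_pivoted": 0,
        "heap_dep_bypass": 0, "length": 3321856, "protection": 64,
        "base_address": 0x005B2000, "process_handle": 0xFFFFFFFF}},
    {"api": "ShellExecuteExW", "arguments": {
        "show_type": 0, "filepath_r": SAMPLE_PATH, "parameters": "", "filepath": SAMPLE_PATH}},
    {"api": "NtProtectVirtualMemory", "arguments": {
        "process_identifier": 872, "stack_dep_bypass": 0, "stack_pivoted": 0,
        "heap_dep_bypass": 1, "length": 106496, "protection": 32,
        "base_address": 0x10001000, "process_handle": 0xFFFFFFFF}},
    {"api": "LookupPrivilegeValueW", "arguments": {
        "system_name": "", "privilege_name": "SeDebugPrivilege"}},
]

if __name__ == "__main__":
    for finding in triage_calls(SAMPLE_CALLS, SAMPLE_PATH):
        print(finding)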
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
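The two static signatures above (VMProtect section names and a high-entropy section, together with the overall entropy ratio reported earlier) can be reproduced with a small section-table parser. The code below is an added example, not ZeroBOX or Cuckoo code; it uses only the Python standard library and runs against a constructed in-memory PE32 image (a .text stub, an empty .vmp0 and a high-entropy .vmp1). The 7.0 bits-per-byte threshold and the definition of the overall ratio are assumptions of the example.

```python
"""Reproduce the report's static packer signatures: 'Section name indicates
VMProtect' (.vmp0/.vmp1), 'A section with a high entropy has been found' and
the overall high-entropy ratio. Added example, not ZeroBOX/Cuckoo code."""
import hashlib
import math
import struct

VMPROTECT_SECTION_NAMES = {".vmp0", ".vmp1"}
HIGH_ENTROPY = 7.0  # assumed threshold in bits/byte (max 8.0); the report's .vmp1 scored 7.87


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> list:
    """Walk the section table of a PE32 image and score each section's raw data."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only its first 24 (Name, VirtualSize,
        # VirtualAddress, SizeOfRawData, PointerToRawData) are needed here.
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": rva, "virtual_size": vsize,
                         "size_of_data": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(image: bytes) -> list:
    """(section, signature) pairs mirroring the report's section-level hits."""
    hits = []
    for s in pe_sections(image):
        if s["name"] in VMPROTECT_SECTION_NAMES:
            hits.append((s["name"], "vmprotect_section_name"))
        if s["entropy"] > HIGH_ENTROPY:
            hits.append((s["name"], "high_entropy_section"))
    return hits


def high_entropy_data_ratio(image: bytes) -> float:
    """Share of raw section bytes living in high-entropy sections. The report's overall
    'entropy 1.0' is a ratio of this kind (the exact threshold it uses is assumed)."""
    secs = pe_sections(image)
    total = sum(s["size_of_data"] for s in secs)
    packed = sum(s["size_of_data"] for s in secs if s["entropy"] > HIGH_ENTROPY)
    return packed / total if total else 0.0


def pseudo_random(n: int, seed: bytes = b"15.ocx") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_pe(sections: list) -> bytes:
    """Construct a minimal PE32 image from [(name, payload)] pairs: a test fixture
    with just enough header to parse, not a loadable executable."""
    opt_size, file_align, e_lfanew = 0xE0, 0x200, 0x40
    headers_len = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, bodies, raw_ptr, rva = b"", b"", headers_len, 0x1000
    for name, payload in sections:
        raw_size = -(-len(payload) // file_align) * file_align
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(payload), rva, raw_size, raw_ptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)  # relocs/linenums unused; CODE|EXEC|READ
        bodies += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += -(-len(payload) // 0x1000) * 0x1000
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0") + bodies


# Constructed fixture shaped like the report: a plain code stub, an empty .vmp0 and a
# large high-entropy .vmp1 carrying the protected code.
SAMPLE_PE = build_sample_pe([(b".text", b"\x90" * 0x200), (b".vmp0", b""),
                             (b".vmp1", pseudo_random(0x1000))])

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_PE):
        print(f"{s['name']:<6} rva=0x{s['virtual_address']:08x} raw=0x{s['size_of_data']:06x} "
              f"entropy={s['entropy']:.3f}")
    print(packer_indicators(SAMPLE_PE), round(high_entropy_data_ratio(SAMPLE_PE), 3))
```

The parser reads raw bytes via PointerToRawData/SizeOfRawData, so a section with zero raw size (like .vmp0 in the fixture) scores 0.0 and is flagged on its name alone, which is how an empty VMProtect section still shows up in the report.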
Antivirus results (vendor, detection name; 40 engines flagged the file)
Bkav W32.AIDetect.malware1
MicroWorld-eScan Gen:Trojan.Heur.PT.1FW@ayWS7Rl
FireEye Generic.mg.f43ab10a6a9570e4
ALYac Gen:Trojan.Heur.PT.1FW@ayWS7Rl
VIPRE Gen:Trojan.Heur.PT.1FW@ayWS7Rl
K7AntiVirus Trojan ( 7000001c1 )
K7GW Trojan ( 7000001c1 )
CrowdStrike win/malicious_confidence_90% (D)
BitDefenderTheta AI:Packer.D77056DE1E
Cyren W32/Autorun.HE.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.VMProtect.ABO
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Trojan.Heur.PT.1FW@ayWS7Rl
Avast Win32:Evo-gen [Trj]
Emsisoft Gen:Trojan.Heur.PT.1FW@ayWS7Rl (B)
F-Secure Trojan.TR/Black.Gen2
McAfee-GW-Edition BehavesLike.Win32.VirRansom.wc
Trapmine malicious.high.ml.score
Sophos Mal/VMProtBad-A
Ikarus Trojan.Win32.VMProtect
Avira TR/Black.Gen2
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Arcabit Trojan.Heur.PT.EBD840
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Trojan.Heur.PT.1FW@ayWS7Rl
Google Detected
Acronis suspicious
MAX malware (ai score=86)
Cylance unsafe
Zoner Probably Heur.ExeHeaderL
Rising Trojan.Generic@AI.100 (RDML:y5yP5RBmy308VyocT0yznQ)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/AutoRun.AGENT.ASP!worm
AVG Win32:Evo-gen [Trj]
DeepInstinct MALICIOUS