Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2023, 9:58 a.m.	May 4, 2023, 9:58 a.m.

Size	6.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5a6929c141164830993b2c604e14a2a2`
SHA256	`02f8735f09f9c89a65d165ce098fe649039f0d08352353c69d8018d4c3db75c7`
CRC32	`0B790C0D`
ssdeep	`98304:ponC5g4H7xXJqStkoRYXGRdKocRaG/n85B7Gv9n+J4P6F9RuBhSMf5rXEAxbxtqm:pz5z1JNSo2XlzuB7M9nRYuXzf+ABZ`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

vdcs.exe "C:\Users\test22\AppData\Local\Temp\vdcs.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2023, 9:58 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.cDr
section	.w."
section	.0_b

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 4, 2023, 9:58 a.m.	stacktrace: vdcs+0x984ae3 @ 0xd84ae3 vdcs+0x3ca362 @ 0x7ca362 exception.instruction_r: 90 e8 0c 75 02 00 f8 40 80 ff 12 41 81 ed f3 0b exception.symbol: vdcs+0x8b4b4a exception.instruction: nop exception.module: vdcs.exe exception.exception_code: 0x80000004 exception.offset: 9128778 exception.address: 0xcb4b4a registers.esp: 1636216 registers.edi: 0 registers.eax: 603434932 registers.ebp: 1638240 registers.edx: 43 registers.ebx: 4194304 registers.esi: 0 registers.ecx: 1968898048	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 4, 2023, 9:58 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02780000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0062b400', u'virtual_address': u'0x003b7000', u'entropy': 7.969675317669964, u'name': u'.0_b', u'virtual_size': u'0x0062b2a0'}

entropy

7.96967531767

description

A section with a high entropy has been found

entropy

0.969831887618

description

Overall entropy of this PE file is high

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 4, 2023, 9:58 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x000000b0 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl May 4, 2023, 9:58 a.m.	input_buffer: control_code: 458752 (IOCTL_DISK_GET_DRIVE_GEOMETRY) device_handle: 0x000000b0 output_buffer: Qÿ?	1	1	0

vdcs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All