Summary | ZeroBOX

ne983n8sn3lks3.exe

Tags: BlackMatter Ransomware, PE32, PE File

Category FILE
Machine s1_win7_x6401
Started May 22, 2023, 8:42 a.m.
Completed May 22, 2023, 8:59 a.m.
Size 146.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a96ac42f9ccc7d11663f2741d5dfe930
SHA256 b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded
CRC32 9199CF08
ssdeep 3072:q6glyuxE4GsUPnliByocWepqzYq7G9HkRgeXCDy8MD5:q6gDBGpvEByocWe4Y7pkRgeS28MD5
Yara
  • BlackMatter_Ransomware_IN - BlackMatter Ransomware
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .itext
API calls (columns: Time & API, Arguments, Status, Return, Repeated)

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02190000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02306000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02307000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76faf000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

Section .data: size_of_data 0x0000a000, virtual_address 0x0001b000, virtual_size 0x0000adc8, entropy 7.985784796713703. Description: A section with a high entropy has been found.
Section .pdata: size_of_data 0x00000c00, virtual_address 0x00026000, virtual_size 0x00000b10, entropy 7.662317443178163. Description: A section with a high entropy has been found.
Entropy 0.295532646048. Description: Overall entropy of this PE file is high.

Antivirus results (vendor, detection name)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Gen:Heur.Mint.Zard.25
FireEye Generic.mg.a96ac42f9ccc7d11
CAT-QuickHeal Ransom.Lockbit.S28885638
ALYac Trojan.Ransom.LockBit
Malwarebytes Qadars.Trojan.Banking.DDS
Zillya Trojan.Filecoder.Win32.26912
Sangfor Ransom.Win32.Save.LockBit30
Alibaba Trojan:Win32/Lockbit.c80b4613
Cybereason malicious.f9ccc7
BitDefenderTheta AI:Packer.D08BD0ED1D
Cyren W32/Filecoder.ES.gen!Eldorado
Symantec Ransom.Lockbit!g6
Elastic Windows.Ransomware.Lockbit
ESET-NOD32 a variant of Win32/Filecoder.BlackMatter.O
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Ransomware.BlackMatter-9965914-0
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Heur.Mint.Zard.25
NANO-Antivirus Virus.Win32.Gen.ccmw
Avast Win32:Evo-gen [Trj]
Tencent Trojan-Ransom.Win32.BlackMatter.b
TACHYON Ransom/W32.Agent.150016.D
Sophos Mal/Generic-S
F-Secure Backdoor.BDS/ZeroAccess.Gen7
DrWeb Trojan.Encoder.36011
VIPRE Gen:Heur.Mint.Zard.25
TrendMicro Ransom.Win32.LOCKBIT.SMYXCJN
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Trapmine malicious.high.ml.score
Emsisoft Gen:Heur.Mint.Zard.25 (B)
SentinelOne Static AI - Suspicious PE
GData Gen:Heur.Mint.Zard.25
Jiangmin Trojan.Crypmodng.cd
Avira BDS/ZeroAccess.Gen7
Antiy-AVL Trojan/Win32.LockBit
Gridinsoft Ransom.Win32.LockBit.bot
Arcabit Trojan.Mint.Zard.25
ZoneAlarm UDS:DangerousObject.Multi.Generic
Microsoft Ransom:Win32/Lockbit.HA!MTB
Google Detected
AhnLab-V3 Ransomware/Win.LockBit.R521581
McAfee BlackMatter!A96AC42F9CCC
MAX malware (ai score=82)
VBA32 TrojanRansom.Crypmodng
Cylance unsafe
Panda Trj/Genetic.gen
Rising Ransom.LockBit!1.DFDC (CLASSIC)