Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 7, 2023, 7:37 a.m.	June 7, 2023, 7:39 a.m.

Size	3.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`38b258c567b378058ac5cad63ab59584`
SHA256	`686495bd2f04f2402b3543efd574a707caac0003dd682909db87da286173e771`
CRC32	`B42044EE`
ssdeep	`98304:jgYLkFZCB1bZZ68WY2V0FR0NupgokfAGzeV77+tl:jgYLkFZCB1bZZ68WY2Vz8ppkfhzet+r`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature IsPE32 - (no description)

Installer.exe "C:\Users\test22\AppData\Local\Temp\Installer.exe"
940

Name	Response	Post-Analysis Lookup
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123
accounts.google.com	A 216.58.200.237	172.217.25.173
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
apis.google.com	A 142.250.204.142 CNAME plus.l.google.com	142.250.76.142
www.google.com	A 142.250.204.36	142.250.207.100
_googlecast._tcp.local
fonts.gstatic.com	A 142.251.222.195	142.250.206.227
fonts.googleapis.com	A 172.217.25.10	142.250.206.202
cdn.stubdownloader.services.mozilla.com	A 34.120.48.173 CNAME cdn-proxy-prod.stubattribution.prod.cloudops.mozgcp.net	34.120.48.173
www.gstatic.com	A 142.251.220.67	142.250.207.99

IP Address	Status	Action
121.254.136.27	Active	Moloch
142.250.204.142	Active	Moloch
142.250.204.36	Active	Moloch
142.251.220.67	Active	Moloch
142.251.222.195	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.10	Active	Moloch
216.58.200.237	Active	Moloch
34.104.35.123	Active	Moloch
34.120.48.173	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49162 216.58.200.237:443	None	None	None
TLS 1.3 192.168.56.103:49164 34.120.48.173:443	None	None	None
TLS 1.3 192.168.56.103:49163 216.58.200.237:443	None	None	None
TLS 1.3 192.168.56.103:49175 142.251.222.195:443	None	None	None
TLS 1.3 192.168.56.103:49173 142.251.220.67:443	None	None	None
TLS 1.3 192.168.56.103:49166 142.250.204.36:443	None	None	None
TLS 1.3 192.168.56.103:49165 142.250.204.36:443	None	None	None
TLS 1.3 192.168.56.103:49167 142.250.204.36:443	None	None	None
TLS 1.3 192.168.56.103:49178 172.217.24.227:443	None	None	None
TLS 1.3 192.168.56.103:49171 172.217.25.10:443	None	None	None
TLS 1.3 192.168.56.103:49170 142.251.220.67:443	None	None	None
TLS 1.3 192.168.56.103:49172 142.251.220.67:443	None	None	None
TLS 1.3 192.168.56.103:49176 142.250.204.142:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2023, 7:37 a.m.			0	0

Performs some HTTP requests (5 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://clients2.google.com/time/1/current?cup2key=4:3591542034&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
request	GET http://www.gstatic.com/generate_204
request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/n3xmszuzmcp4pxq3qhmant63nm_9.45.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.45.0_all_ecp3yewcq3fuvht5wyi7t7s37y.crx3
request	GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/n3xmszuzmcp4pxq3qhmant63nm_9.45.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.45.0_all_ecp3yewcq3fuvht5wyi7t7s37y.crx3

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2023, 7:37 a.m.	process_identifier: 940 region_size: 2048000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:37 a.m.	process_identifier: 940 region_size: 1851392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:37 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 2637824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01290000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00024c00', u'virtual_address': u'0x00321000', u'entropy': 6.846808649692998, u'name': u'.reloc', u'virtual_size': u'0x00024ad4'}

entropy

6.84680864969

description

A section with a high entropy has been found

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 100)
McAfee	Artemis!38B258C567B3
Malwarebytes	Trojan.Crypt
Cyren	W32/ABTrojan.NOOJ-8444
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Generik.GBPWGOK
APEX	Malicious
Kaspersky	Trojan.Win32.Sharik.yuy
BitDefender	Trojan.GenericKD.67404249
Emsisoft	Trojan.GenericKD.67404249 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.38b258c567b37805
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Crypt
GData	Win32.Trojan.Agent.2JINIY
Webroot	W32.Trojan.FL
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan/Win32.Sabsik
Gridinsoft	Ransom.Win32.Sabsik.cl
ZoneAlarm	Trojan.Win32.Sharik.yuy
Microsoft	Trojan:Win32/Casdet!rfn
Google	Detected
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Trojan.Sharik!8.179B (CLOUD)
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.36250.rx2@aSHzUKhi
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_70% (W)

Installer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All