Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 8, 2023, 9:26 a.m.	June 8, 2023, 9:28 a.m.

Size	184.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`d24e233cbed550a67e8d56f88632a869`
SHA256	`0dbd0ae8218f4dabc7a7f90eaa7bbe121bd08a284d05ca0ea5966d84eec91b92`
CRC32	`5A134B47`
ssdeep	`3072:XvGyYiSDnt1B5GWp1icKAArDZz4N9GhbkrNEk1NJL6sCN7KkY6S4:Z4np0yN90QELBfH`
PDB Path	wextract.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\main.exe.ps1
3020

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (20 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: $(subexpression) starting: console_handle: 0x00000023	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\main.exe.ps1:7 char:105 console_handle: 0x0000002f	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: + …‹ý‰l$hÿ€H‹ØH…À„‚Hò„H‹Èÿ1€H‹ðH…ÀtaHD$`A‰.H‰D$PDE ‰l$HHL$ console_handle: 0x0000003b	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: h‰l$@}‰l$8A¹ ‰l$0²‰l$ <<<< (‰l$ ÿú~…ÀtH‹T$`M‹Æ3ÉH‹ÆÿÃƒH‹L$`ÿ°~H console_handle: 0x00000047	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: ‹Ëÿß‹ÇH‹L$pH3Ìè€iLœ$€I‹[(I‹k0I‹ãA^_^ÃÌÌÌÌÌÌÌÌH‹ÄH‰XH‰pH‰xL‰p UHh¡ console_handle: 0x00000053	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: HìH‹"H3ÄH‰EG‹Y®E3öD‰u?fÇECD‰u'A^;Ã…PHM'è§þÿÿ…À…&ÿ©€ console_handle: 0x0000005f	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: H‹ÈLE/Sÿ ~…À„!H‹M/HE+E3ÉH‰D$ E3À‹Óÿ¾}…À…Öÿˆ~ƒøz…Ç‹U console_handle: 0x0000006b	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: +3Éÿ<€H‹øH…À„°D‹M+HE+H‹M/L‹Ç‹ÓH‰D$ ÿt}…À„ƒHE7A¹ H‰D$PHM?D‰t console_handle: 0x00000077	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: $HA¸ D‰t$@ŠÓD‰t$8D‰t$0D‰t$(D‰t$ ÿu}…Àt@A‹öD97v.»H‹U7‹ÎHÉH‹LÏÿ`}… console_handle: 0x00000083	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: Àuó;7râë ‰*‰]'H‹M7ÿ }H‹Ïÿ(~H‹M/ÿæ}‹E'ë‹ console_handle: 0x0000008f	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: is missing the closing ')'. console_handle: 0x0000009b	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\main.exe.ps1:1604 char:855 console_handle: 0x000000a7	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: + PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPA console_handle: 0x000000b3	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXP console_handle: 0x000000bf	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: ADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXX console_handle: 0x000000cb	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: PADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX console_handle: 0x000000d7	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: XPADDINGPADDINGXXPADDINGPADD h € ˆ 8¦@¦P¦h¦p¦ console_handle: 0x000000e3	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: + CategoryInfo : ParserError: (‰l$ ÿú~…ÀtH...: console_handle: 0x00000137	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: String) [], ParentContainsErrorRecordException console_handle: 0x00000143	1	1
WriteConsoleW June 8, 2023, 9:26 a.m.	buffer: + FullyQualifiedErrorId : IncompleteDollarSubexpressionReference console_handle: 0x0000014f	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey June 8, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c93f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c93f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00362248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00362248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00362248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00362248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 8, 2023, 9:26 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

Allocates read-write-execute memory (usually to unpack itself) (22 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06140000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2023, 9:26 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05863000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00023a00', u'virtual_address': u'0x0000f000', u'entropy': 7.267758508346889, u'name': u'.rsrc', u'virtual_size': u'0x00024000'}

entropy

7.26775850835

description

A section with a high entropy has been found

entropy

0.77868852459

description

Overall entropy of this PE file is high

main.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All