Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 14, 2023, 9:30 a.m.	June 14, 2023, 9:32 a.m.

Size	540.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3cc8d342301cf9a933f00af6b09619e0`
SHA256	`2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a`
CRC32	`51F02595`
ssdeep	`12288:PictD7Djsjpb9lLAq1WP/HgChzItTtULeq8ycSneAx7:PZ4bRAWWP/zhETeKpycS9l`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

pat1.exe "C:\Users\test22\AppData\Local\Temp\pat1.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 14, 2023, 9:30 a.m.	stacktrace: exception.instruction_r: 00 67 00 75 00 6d 00 65 00 6e 00 74 00 73 00 00 exception.symbol: pat1+0x15425 exception.instruction: add byte ptr [edi], ah exception.module: pat1.exe exception.exception_code: 0xc0000005 exception.offset: 87077 exception.address: 0x415425 registers.esp: 1636480 registers.edi: 1971678522 registers.eax: 2382339840 registers.ebp: 8747124 registers.edx: 2130566132 registers.ebx: 1636560 registers.esi: 50659785 registers.ecx: 2548	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 region_size: 2037979565 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225495
NtAllocateVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 region_size: 2037979565 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225495
NtAllocateVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 region_size: 2037979565 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225495
NtAllocateVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 region_size: 2037979565 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225495
NtAllocateVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 region_size: 2037979565 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225495
NtAllocateVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 region_size: 2037979565 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225495

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 14, 2023, 9:30 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00720000 process_handle: 0xffffffff	1	0	0

Terminates another process (12 events)

Time & API	Arguments	Status
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2624 process_handle: 0x00000168
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2624 process_handle: 0x00000168	1
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2660 process_handle: 0x00000168
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2660 process_handle: 0x00000168	1
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2696 process_handle: 0x00000168
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2696 process_handle: 0x00000168	1
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2732 process_handle: 0x00000168
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2732 process_handle: 0x00000168	1
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2768 process_handle: 0x00000168
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2768 process_handle: 0x00000168	1
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2804 process_handle: 0x00000168
NtTerminateProcess June 14, 2023, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2804 process_handle: 0x00000168	1

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 09a4f3776beec99ccdb6260c5e48a5eab5c8244b

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Cqpib.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Gen:Trojan.Heur3.LPT.Hm3@a041cqpib
Malwarebytes	Malware.AI.3281245526
Sangfor	Suspicious.Win32.Save.vb
Alibaba	Trojan:Win32/Injector.40075313
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Injector.ETAN
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Trojan.Heur3.LPT.Hm3@a041cqpib
MicroWorld-eScan	Gen:Trojan.Heur3.LPT.Hm3@a041cqpib
Avast	Win32:RATX-gen [Trj]
Rising	Trojan.Injector!8.C4 (CLOUD)
Emsisoft	Gen:Trojan.Heur3.LPT.Hm3@a041cqpib (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.Inject4.58297
VIPRE	Gen:Trojan.Heur3.LPT.Hm3@a041cqpib
TrendMicro	TROJ_GEN.R014C0RFD23
McAfee-GW-Edition	BehavesLike.Win32.Trojan.hc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.3cc8d342301cf9a9
Sophos	Mal/VB-FD
Ikarus	Trojan.Win32.Injector
GData	Win32.Backdoor.Remcos.HF20RP
Webroot	W32.Trojan.Heur3.LPT.Hm3@a041cq
Avira	TR/Dropper.Gen
Gridinsoft	Trojan.Win32.Remcos.bot
Arcabit	Trojan.Heur3.LPT.E25F53
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Wacatac.B!ml
Google	Detected
Acronis	suspicious
McAfee	Artemis!3CC8D342301C
MAX	malware (ai score=89)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014C0RFD23
Tencent	Win32.Trojan.Dropper.Vwhl
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Injector.DBRX!tr
BitDefenderTheta	AI:Packer.8EC44E0E1F
AVG	Win32:RATX-gen [Trj]
Cybereason	malicious.2301cf
DeepInstinct	MALICIOUS

pat1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All