Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 26, 2023, 7:42 a.m.	June 26, 2023, 7:44 a.m.

Size	355.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`072428ed08c736d6f81aea71741389b8`
SHA256	`e8eefab37fec532a017d60a2851ed8aff3f4589028e9ca6794d100ea758bddb1`
CRC32	`1EAED7D6`
ssdeep	`6144:9L1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19N:9LdcfxaeM6fy/KaVUtgKkTZ73coNRJN`
Yara	UPX_Zero - UPX packed file Network_Downloader - File Downloader PE_Header_Zero - PE File Signature IsPE32 - (no description)

BABYLON.exe "C:\Users\test22\AppData\Local\Temp\BABYLON.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
179.43.162.58	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 26, 2023, 7:42 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73332000 process_handle: 0xffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

BABYLON.exe tried to sleep 234 seconds, actually delayed analysis time by 234 seconds

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (28 events)

Time & API	Arguments	Status	Return
Process32FirstW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: [System Process] process_identifier: 0	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: System process_identifier: 4	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: smss.exe process_identifier: 224	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: services.exe process_identifier: 444	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW June 26, 2023, 7:42 a.m.	snapshot_handle: 0x000001c8 process_name: explorer.exe process_identifier: 1452	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00058200', u'virtual_address': u'0x0006f000', u'entropy': 7.922400954257636, u'name': u'UPX1', u'virtual_size': u'0x00059000'}

entropy

7.92240095426

description

A section with a high entropy has been found

entropy

0.994358251058

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 26, 2023, 7:42 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 26, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 26, 2023, 7:42 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

179.43.162.58

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 26, 2023, 7:42 a.m.	thread_identifier: 0 callback_function: 0x00c37464 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	1245585	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

179.43.162.58:20000

BABYLON.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All