Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 6, 2023, 7:23 a.m.	July 6, 2023, 7:27 a.m.

Size	311.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ed7cf64192cd90aac14b69cdd202f30d`
SHA256	`8f5d2c5facf4702e4a6338b5224d9526d4761535901acf27f43992024340ccb0`
CRC32	`36EDB1FC`
ssdeep	`6144:vS5n9peabtzHGx9LkLpSywZ3dMTHaXusO6EXxPapUTOVP66O1/hNiyXnxrSYJ:vsnHeaK9LaT+/+hFqZZIJESUY`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description)

Project_8.exe "C:\Users\test22\AppData\Local\Temp\Project_8.exe"
2624
- 648b5vt13485v134322685vt.exe "C:\Users\test22\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
  2740

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.23.247.129	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.gehcont
section	lSeoPnV

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AFX_DIALOG_LAYOUT

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 6, 2023, 7:23 a.m.	process_identifier: 2624 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496	0
NtAllocateVirtualMemory July 6, 2023, 7:23 a.m.	process_identifier: 2624 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\648b5vt13485v134322685vt.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\648b5vt13485v134322685vt.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\648b5vt13485v134322685vt.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 6, 2023, 7:23 a.m.	thread_identifier: 2744 thread_handle: 0x00000094 process_identifier: 2740 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\648b5vt13485v134322685vt.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\648b5vt13485v134322685vt.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000090	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00003600', u'virtual_address': u'0x0000a000', u'entropy': 7.301076248862276, u'name': u'.rsrc', u'virtual_size': u'0x000034d5'}

entropy

7.30107624886

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00044400', u'virtual_address': u'0x0000f000', u'entropy': 7.998862468713149, u'name': u'lSeoPnV', u'virtual_size': u'0x00045000'}

entropy

7.99886246871

description

A section with a high entropy has been found

entropy

0.924193548387

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

94.23.247.129

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	94.23.247.129:8005
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49164

Project_8.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All