Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 12, 2023, 5:23 p.m.	July 12, 2023, 5:38 p.m.

Size	448.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`836dfa8ecf57ce861f4cacfe4a85572d`
SHA256	`8af7fadc968927f6d8a4056e3d15808c254bbee4080985d03d377c361e467357`
CRC32	`0F24EDD4`
ssdeep	`6144:qlE8DIpjK28t4sL4wlp3z/pSZ+pDKpf9EkQbKxVK+PXItNOapG8RuzRiRh3Zc:SEpj7sLLv/cgu4VGn6OaM+ucj`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

maintest.exe "C:\Users\test22\AppData\Local\Temp\maintest.exe"
1648
certreq.exe "C:\Windows\system32\certreq.exe"
2232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 12, 2023, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 5:23 p.m.	computer_name: TEST22-PC	1	1

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 12, 2023, 5:23 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895 stacktrace+0x84 memdup-0x1af @ 0x749a0470 hook_in_monitor+0x45 lde-0x133 @ 0x749942ea New_ntdll_RtlAddVectoredExceptionHandler+0x20 New_ntdll_RtlCompressBuffer-0xed @ 0x749b6340 0x1120ee 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77710895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 1111144 registers.rsi: 20 registers.r10: 0 registers.rbx: 1 registers.rsp: 1113168 registers.r11: 1120868 registers.r8: 64 registers.r9: 4292648960 registers.rdx: 1112488 registers.r12: 1123928 registers.rbp: 4292648960 registers.rdi: 4292349968 registers.rax: 1110824 registers.r13: 1115544	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 12, 2023, 5:23 p.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d60000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2023, 5:23 p.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4141056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d6d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2023, 5:23 p.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77900000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

maintest.exe tried to sleep 173 seconds, actually delayed analysis time by 173 seconds

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_Processor

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 12, 2023, 5:23 p.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x006d0000 process_handle: 0xffffffff	1	0	0

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle July 12, 2023, 5:23 p.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle July 12, 2023, 5:23 p.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agentb.X!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.68104880
FireEye	Trojan.GenericKD.68104880
McAfee	RDN/Real Protect-LS
ALYac	Gen:Variant.Zusy.471340
Cylance	unsafe
Zillya	Trojan.Agent.Win32.3567766
Sangfor	Trojan.Win32.Kryptik.V2u2
K7AntiVirus	Trojan ( 005a69331 )
Alibaba	Trojan:Win32/Kryptik.7abce7a5
K7GW	Trojan ( 005a69331 )
Cybereason	malicious.733ce5
Arcabit	Trojan.Generic.D40F32B0
Cyren	W32/ABRisk.MJSN-4739
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HTRB
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Agentb
BitDefender	Trojan.GenericKD.68104880
Avast	Win32:CrypterX-gen [Trj]
Tencent	Win32.Trojan.Crypt.Tdkl
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Crypt.Agent.bpfsb
VIPRE	Gen:Variant.Zusy.471340
TrendMicro	Trojan.Win32.AMADEY.YXDGJZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.gm
Trapmine	suspicious.low.ml.score
Emsisoft	Trojan.GenericKD.68104880 (B)
Ikarus	Trojan.Win32.Crypt
Avira	TR/Crypt.Agent.bpfsb
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win32.Kryptik
Gridinsoft	Trojan.Win32.Kryptik.cl
Microsoft	Trojan:Win32/Rhadamanthys!ic
ZoneAlarm	UDS:Trojan.Win32.Agentb
GData	Trojan.GenericKD.68104880
Google	Detected
AhnLab-V3	Trojan/Win.Tnega.C5451687
BitDefenderTheta	Gen:NN.ZexaCO.36302.CqW@a4Ehx0d
VBA32	BScope.Trojan.Packed
Malwarebytes	Trojan.Crypt
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDGJZ
Rising	Trojan.Kryptik!8.8 (TFE:5:QWunk7ykIWE)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.HTRB!tr
AVG	Win32:CrypterX-gen [Trj]

maintest.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All