Summary | ZeroBOX

raman.exe

UPX Malicious Library PE File DLL OS Processor Check PE32
Category Machine Started Completed
FILE s1_win7_x6403_us July 27, 2023, 10:24 a.m. July 27, 2023, 10:29 a.m.
Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f113913b1fed45145f205fb3d808bf68
SHA256 e8fb27aecb4a5063758d283cc5f6295a9cf5b425575d13179f726ad0f4f6659b
CRC32 FCA4BD23
ssdeep 24576:8cbD/e1EBLHWrvapFOxbfgaPsjBEkmUyqpXvntFCFSBLwCRZ5LNNgBD2gC1oM3X:8cbi6qapSfgfjBEkBdP3VBv3gBDM1oMH
PDB Path D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
108.181.20.35 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2076
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2076
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2076
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
cmdline "C:\Windows\System32\regsvr32.exe" -U -S K1heT.2
cmdline regsvr32.exe -U -S K1heT.2
file C:\Users\test22\AppData\Local\Temp\k1het.2
host 108.181.20.35