Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 6, 2023, 5:19 p.m.	Sept. 6, 2023, 5:22 p.m.

Size	6.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`78eb8723e130e9fa470b87208650fe31`
SHA256	`a03e2e89dce3e17342eb06426afccb493b05ecc4b41b6f702a2104222a7867ca`
CRC32	`27D582D1`
ssdeep	`98304:nS43xahSd6uMY2YDrL+HAiREyJTtJ+BbMdEULa0kGlV35spy45MXFoWMmwTns7ct:nkYBrwEy8BbDGV35spuVRM9nRpc7v+D`
Yara	Malicious_Library_Zero - Malicious_Library Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature VMProtect_Zero - VMProtect packed file IsPE32 - (no description)

55aa5e.exe "C:\Users\test22\AppData\Local\Temp\55aa5e.exe"
2548
- cmd.exe "C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
  2668
  - shutdown.exe shutdown -s -t 0
    2728

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 6, 2023, 5:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 6, 2023, 5:19 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.vmp0
section	.vmp1
section	.vmp2

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	REGISTRY
resource name	TYPELIB

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 6, 2023, 5:19 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

TYPELIB

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00a337b4

size

0x00000e98

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k shutdown -s -t 0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 6, 2023, 5:19 p.m.	show_type: 0 filepath_r: cmd parameters: /k shutdown -s -t 0 filepath: cmd	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 6, 2023, 5:19 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00240000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0066b000', u'virtual_address': u'0x003c7000', u'entropy': 7.969763173524311, u'name': u'.vmp2', u'virtual_size': u'0x0066ae50'}

entropy

7.96976317352

description

A section with a high entropy has been found

entropy

0.994702588164

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
cmdline	cmd /k shutdown -s -t 0
cmdline	shutdown -s -t 0

The executable is likely packed with VMProtect (3 events)

section	.vmp0	description	Section name indicates VMProtect
section	.vmp1	description	Section name indicates VMProtect
section	.vmp2	description	Section name indicates VMProtect

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.69079003
FireEye	Generic.mg.78eb8723e130e9fa
ALYac	Trojan.GenericKD.69079003
Malwarebytes	Malware.AI.220062049
Sangfor	Trojan.Win32.Gencbl.Vblk
Arcabit	Trojan.Generic.D41E0FDB
BitDefenderTheta	Gen:NN.ZexaF.36662.@J1@a0x67VhG
Cyren	W32/ABRisk.ZCOY-5688
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenCBL.DHF
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	Trojan-Spy.Win32.Stealer.etqk
BitDefender	Trojan.GenericKD.69079003
Avast	Win32:MalwareX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13ee0525
Emsisoft	Trojan.GenericKD.69079003 (B)
F-Secure	Trojan.TR/Spy.Stealer.srnwd
VIPRE	Trojan.GenericKD.69079003
TrendMicro	Trojan.Win32.AMADEY.YXDIBZ
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
Avira	TR/Spy.Stealer.srnwd
MAX	malware (ai score=82)
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-Spy.Win32.Stealer.etqk
GData	Trojan.GenericKD.69079003
Google	Detected
AhnLab-V3	Trojan/Win.BotX-gen.R602829
McAfee	Artemis!78EB8723E130
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDIBZ
Rising	Trojan.GenCBL!8.12138 (TFE:5:h21d4noU50C)
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:MalwareX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

55aa5e.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All