Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 12, 2023, 7:42 a.m.	Oct. 12, 2023, 7:48 a.m.

Size	2.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1c576ece1cb918832be3d9e5f665388b`
SHA256	`ca9a8dc4c6b60da3ac7b512dc2cc232ee5b09c2035eecf2185277442f884c432`
CRC32	`E22056DA`
ssdeep	`49152:6IGvbWIAw+DUeVbZKTGcuPjIdM4ehYLB52UACew:8bVUxZKTGb0dM4sYLb2UAi`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques themida_packer - themida packer Generic_Malware_Zero - Generic Malware

5ea275.exe "C:\Users\test22\AppData\Local\Temp\5ea275.exe"
2628
- cmd.exe "C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
  2732
  - shutdown.exe shutdown -s -t 0
    2792

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 12, 2023, 7:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 12, 2023, 7:42 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section
section	.themida
section	.boot

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Oct. 12, 2023, 7:42 a.m.	stacktrace: 5ea275+0x3058ea @ 0xcf58ea 5ea275+0x32c486 @ 0xd1c486 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4323084 registers.edi: 11276288 registers.eax: 4323084 registers.ebp: 4323164 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1995994155 registers.ecx: 1619263488	1
__exception__ Oct. 12, 2023, 7:42 a.m.	stacktrace: exception.instruction_r: ed e9 ee 19 fe ff c3 e9 b2 29 fc ff 40 b7 63 b0 exception.symbol: 5ea275+0x3898bb exception.instruction: in eax, dx exception.module: 5ea275.exe exception.exception_code: 0xc0000096 exception.offset: 3709115 exception.address: 0xd798bb registers.esp: 4323204 registers.edi: 7482904 registers.eax: 1750617430 registers.ebp: 11276288 registers.edx: 7493718 registers.ebx: 1971716070 registers.esi: 13 registers.ecx: 20	1
__exception__ Oct. 12, 2023, 7:42 a.m.	stacktrace: exception.instruction_r: ed e9 a2 11 00 00 95 0a 32 68 0a 00 00 00 6d ed exception.symbol: 5ea275+0x36b21b exception.instruction: in eax, dx exception.module: 5ea275.exe exception.exception_code: 0xc0000096 exception.offset: 3584539 exception.address: 0xd5b21b registers.esp: 4323204 registers.edi: 7482904 registers.eax: 1447909480 registers.ebp: 11276288 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 12, 2023, 7:42 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2023, 7:42 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2023, 7:42 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2023, 7:42 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a1a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2023, 7:42 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a1a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2023, 7:42 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a1a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2023, 7:42 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a1a000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (2 events)

name

RT_STRING

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000cf368

size

0x000003c2

name

RT_VERSION

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000cf770

size

0x00000314

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /k shutdown -s -t 0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 12, 2023, 7:42 a.m.	show_type: 0 filepath_r: cmd parameters: /k shutdown -s -t 0 filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section

{u'size_of_data': u'0x00012a00', u'virtual_address': u'0x00001000', u'entropy': 7.977143640145685, u'name': u' ', u'virtual_size': u'0x00028b4d'}

entropy

7.97714364015

description