Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 13, 2023, 8:34 a.m.	Oct. 13, 2023, 8:41 a.m.

Size	3.5MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`c9abc0932559d7ecced02a9125acea05`
SHA256	`c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20`
CRC32	`46D24D59`
ssdeep	`98304:TMOl82OGyTIZ+e9KsPdJDrL6R2tcya1luLIlMCABHQ:T9l82skVxEGcya1lVKQ`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 13, 2023, 8:27 a.m.	stacktrace: svchost+0x117e @ 0x13fea117e svchost+0x1006 @ 0x13fea1006 svchost+0x5859 @ 0x13fea5859 svchost+0x26ee4 @ 0x13fec6ee4 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 89 06 c6 85 70 03 00 00 00 44 0f b6 85 50 07 exception.symbol: svchost+0x117e exception.instruction: mov qword ptr [rsi], rax exception.module: svchost.exe exception.exception_code: 0xc0000005 exception.offset: 4478 exception.address: 0x13fea117e registers.r14: 0 registers.r15: 0 registers.rcx: 487 registers.rsi: 0 registers.r10: 3221225496 registers.rbx: 0 registers.rsp: 3209952 registers.r11: 514 registers.r8: 1993539584 registers.r9: 382 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: -4354821960119593032 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 13, 2023, 8:27 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000000000 process_handle: 0xffffffffffffffff		-1073741800	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00343c00', u'virtual_address': u'0x00038000', u'entropy': 7.989106928720338, u'name': u'.rdata', u'virtual_size': u'0x00343aec'}

entropy

7.98910692872

description

A section with a high entropy has been found

entropy

0.934320849637

description

Overall entropy of this PE file is high

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
FireEye	Generic.mg.c9abc0932559d7ec
Skyhigh	BehavesLike.Win64.Generic.wc
Cylance	unsafe
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
APEX	Malicious
Microsoft	Trojan:Win32/Wacatac.B!ml
Malwarebytes	Malware.AI.1094858220
MaxSecure	Trojan.Malware.300983.susgen
DeepInstinct	MALICIOUS

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All