Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 2, 2023, 4:56 p.m.	Nov. 2, 2023, 4:58 p.m.

Size	12.6MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`07f36f03342b3b07ecfb8498d0e078a2`
SHA256	`97c2859888b248ad9fc8fafa81e2fc1582015fc0594f8adbd1cf20133e5ae8d9`
CRC32	`ADF810CB`
ssdeep	`196608:jMtvnp25MeTKHydYBBTAI7KzCnF8zDiiaFZjwAIXSzSoCmGnDh3pWSDAo:A1sWMdYBBTAIezu0GF+1CzS2Gn9gEA`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file ASPack_Zero - ASPack packed file PE_Header_Zero - PE File Signature IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

Xiu2Xiu.exe "C:\Users\test22\AppData\Local\Temp\Xiu2Xiu.exe"
2544
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2023, 4:56 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 2, 2023, 4:57 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\python311.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pythoncom311.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\Xiu2Xiu.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\libffi-8.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pywintypes311.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\vcruntime140_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\python3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00c61000', u'virtual_address': u'0x00041000', u'entropy': 7.995425616529557, u'name': u'.rsrc', u'virtual_size': u'0x00c60e74'}

entropy

7.99542561653

description

A section with a high entropy has been found

entropy

0.985692068429

description

Overall entropy of this PE file is high

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\Xiu2Xiu.exe

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 656 events)

file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Athens
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Etc\GMT
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Asia\Katmandu
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Africa\Ouagadougou
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\US\Pacific
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Canada\Pacific
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\EET
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\US\Arizona
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Luxembourg
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Pacific\Wake
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Africa\Tripoli
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Sarajevo
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Asia\Vladivostok
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\America\Argentina\ComodRivadavia
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Etc\GMT+9
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Atlantic\St_Helena
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Chile\EasterIsland
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Pacific\Honolulu
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\America\Cancun
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Ulyanovsk
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\America\North_Dakota\Center
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Pacific\Tahiti
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Asia\Omsk
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Antarctica\Rothera
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\America\Jamaica
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Canada\Central
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Astrakhan
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\NZ-CHAT
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Indian\Chagos
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Australia\Canberra
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Poland
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Pacific\Gambier
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\America\St_Thomas
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\UCT
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Pacific\Yap
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Chisinau
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Australia\Eucla
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Asia\Qatar
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\America\Thunder_Bay
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Navajo
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Malta
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Europe\Lisbon
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Pacific\Kiritimati
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Asia\Yekaterinburg
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\US\Michigan
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Africa\Brazzaville
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Asia\Harbin
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\_cffi_backend.pyd
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\America\Mexico_City
file	C:\Users\test22\AppData\Local\Temp\onefile_2544_133434213880468750\pytz\zoneinfo\Africa\Bujumbura

Xiu2Xiu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All