Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 6, 2023, 9:30 a.m.	Nov. 6, 2023, 9:33 a.m.

Size	599.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4aec69a71dff9be27f998272b34a445d`
SHA256	`5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c`
CRC32	`FC6E1386`
ssdeep	`12288:9DEoaE1esky+M3jbiodoMyuN4efIMHMcx+7gk+BTyPXlvqjvm:9nJFlpoMysHX+c/B+XYS`
PDB Path	vrNS.pdb
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

millianozx.exe "C:\Users\test22\AppData\Local\Temp\millianozx.exe"
1984

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 6, 2023, 7:50 a.m.			0	0
IsDebuggerPresent Nov. 6, 2023, 7:50 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

vrNS.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 6, 2023, 7:50 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00681000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:50 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00683000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00684000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00686000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00688000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 6, 2023, 7:51 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00095400', u'virtual_address': u'0x00002000', u'entropy': 7.974480909154972, u'name': u'.text', u'virtual_size': u'0x0009537c'}

entropy

7.97448090915

description

A section with a high entropy has been found

entropy

0.996661101836

description

Overall entropy of this PE file is high

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.Win32.MSILMamut.4!c
Skyhigh	BehavesLike.Win32.Generic.hc
ALYac	IL:Trojan.MSILMamut.12966
Malwarebytes	Trojan.MalPack.PNG.Generic
Sangfor	Trojan.Msil.Kryptik.V44s
K7AntiVirus	Trojan ( 005ad59e1 )
BitDefender	IL:Trojan.MSILMamut.12966
K7GW	Trojan ( 005ad59e1 )
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Scr.Malcode!gdn33
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AJZP
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:MSIL/AgentTesla.3d507aba
ViRobot	Trojan.Win.Z.Kryptik.613888.E
MicroWorld-eScan	IL:Trojan.MSILMamut.12966
Rising	Malware.Obfus/MSIL@AI.94 (RDM.MSIL2:DhTARoWQCl6yShuu52CIBQ)
Emsisoft	IL:Trojan.MSILMamut.12966 (B)
F-Secure	Trojan.TR/Kryptik.ctigp
DrWeb	Trojan.PackedNET.2504
VIPRE	IL:Trojan.MSILMamut.12966
TrendMicro	TrojanSpy.Win32.NOON.USPAXJV23
FireEye	IL:Trojan.MSILMamut.12966
Sophos	Troj/Krypt-ABH
Ikarus	Trojan.MSIL.Inject
GData	IL:Trojan.MSILMamut.12966
Varist	W32/MSIL_Kryptik.KBA.gen!Eldorado
Avira	TR/Kryptik.ctigp
MAX	malware (ai score=86)
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Trojan.Win32.Packed.sa
Arcabit	IL:Trojan.MSILMamut.D32A6
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:MSIL/AgentTesla.ASFH!MTB
Google	Detected
AhnLab-V3	Trojan/Win.TrojanX-gen.C5534835
McAfee	Artemis!4AEC69A71DFF
DeepInstinct	MALICIOUS
Cylance	unsafe
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TrojanSpy.Win32.NOON.USPAXJV23
Tencent	Win32.Trojan.Kryptik.Wwhl
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	MSIL/Kryptik.AGUH!tr
AVG	Win32:TrojanX-gen [Trj]
Avast	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)

millianozx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All