Summary | ZeroBOX

227.exe

Malicious Library UPX PE32 PE File OS Processor Check MZP Format
Category FILE
Machine s1_win7_x6403_us
Started Nov. 22, 2023, 1:20 p.m.
Completed Nov. 22, 2023, 1:26 p.m.
Size 2.7MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 ec9034a2f644a91e5fcdd3d7b853352e
SHA256 964de6faee7c442040d21b879052c0b1b4fb90ded1bb3644252af444a0a4031b
CRC32 217B7FF7
ssdeep 24576:oRa6JTRA3qfVqfIP56Ntgp7+q/Ve96AdksgKxbLAIVaz9CAFdy8rMghiDSk74914:oRa6Ja3EVcIP567ASesJxq0PmQ7V
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
4.0.41.198.in-addr.arpa PTR a.root-servers.net
www.lookatlan.com

IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
RtlDeleteBoundaryDescriptor+0x1b RtlAnsiStringToUnicodeString-0x2d ntdll+0x2e688 @ 0x778ce688
RtlMultiByteToUnicodeN+0x11a RtlDeleteBoundaryDescriptor-0xe ntdll+0x2e65f @ 0x778ce65f
RegQueryValueExA+0x135 OpenFileMappingA-0x5f kernel32+0x14bbc @ 0x757f4bbc
New_advapi32_RegQueryValueExA@24+0x167 New_advapi32_RegQueryValueExW@24-0x98 @ 0x745243e7
WinHttpConnect+0x3409 WinHttpGetIEProxyConfigForCurrentUser-0x1780 winhttp+0x10dfe @ 0x74230dfe
WinHttpConnect+0x33bb WinHttpGetIEProxyConfigForCurrentUser-0x17ce winhttp+0x10db0 @ 0x74230db0
WinHttpConnect+0x35ea WinHttpGetIEProxyConfigForCurrentUser-0x159f winhttp+0x10fdf @ 0x74230fdf
WinHttpConnect+0x348f WinHttpGetIEProxyConfigForCurrentUser-0x16fa winhttp+0x10e84 @ 0x74230e84
WinHttpConnect+0x3442 WinHttpGetIEProxyConfigForCurrentUser-0x1747 winhttp+0x10e37 @ 0x74230e37
WinHttpConnect+0x31fe WinHttpGetIEProxyConfigForCurrentUser-0x198b winhttp+0x10bf3 @ 0x74230bf3
WinHttpConnect+0x303d WinHttpGetIEProxyConfigForCurrentUser-0x1b4c winhttp+0x10a32 @ 0x74230a32
@@Trayicon@Finalize+0x54f52 ___CPPdebugHook-0x5f74a 227+0x127016 @ 0x527016
@@Trayicon@Finalize+0x56c94 ___CPPdebugHook-0x5da08 227+0x128d58 @ 0x528d58

exception.instruction_r: 89 30 8b 45 e0 8b 55 e4 8d 7e 08 f0 0f c7 0f 3b
exception.symbol: RtlInitUnicodeString+0x1f3 RtlMultiByteToUnicodeN-0x14a ntdll+0x2e3fb
exception.instruction: mov dword ptr [eax], esi
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189435
exception.address: 0x778ce3fb
registers.esp: 1632212
registers.edi: 3538288640
registers.eax: 5436795
registers.ebp: 1632264
registers.edx: 30720
registers.ebx: 3538320571
registers.esi: 8174097
registers.ecx: 2013298687
status: 1
return: 0
repeated: 0

__exception__

stacktrace:
@@Trayicon@Finalize+0x768a0 ___CPPdebugHook-0x3ddfc 227+0x148964 @ 0x548964
@@Trayicon@Finalize+0x76ace ___CPPdebugHook-0x3dbce 227+0x148b92 @ 0x548b92
@@Trayicon@Finalize+0x76d1a ___CPPdebugHook-0x3d982 227+0x148dde @ 0x548dde
@@Trayicon@Finalize+0x76c59 ___CPPdebugHook-0x3da43 227+0x148d1d @ 0x548d1d
@@Trayicon@Finalize+0x7a552 ___CPPdebugHook-0x3a14a 227+0x14c616 @ 0x54c616
@@Trayicon@Finalize+0x36ece ___CPPdebugHook-0x7d7ce 227+0x108f92 @ 0x508f92
@@Trayicon@Finalize+0x77a84 ___CPPdebugHook-0x3cc18 227+0x149b48 @ 0x549b48
@@Trayicon@Finalize+0x75563 ___CPPdebugHook-0x3f139 227+0x147627 @ 0x547627
@@Trayicon@Finalize+0x72b68 ___CPPdebugHook-0x41b34 227+0x144c2c @ 0x544c2c
@@Trayicon@Finalize+0x72d12 ___CPPdebugHook-0x4198a 227+0x144dd6 @ 0x544dd6
@@Trayicon@Finalize+0x72da3 ___CPPdebugHook-0x418f9 227+0x144e67 @ 0x544e67
@@Trayicon@Finalize+0x3688a ___CPPdebugHook-0x7de12 227+0x10894e @ 0x50894e
__GetExceptDLLinfo+0x124e @$xp$36Shdocvw_tlb@TShellFavoritesNameSpace-0x10915 227+0x22a7 @ 0x4022a7
@@Mainform@Finalize+0xbde7 @@Splashscr@Initialize-0x2db9 227+0x21afb @ 0x421afb
@@Trayicon@Finalize+0x3d864 ___CPPdebugHook-0x76e38 227+0x10f928 @ 0x50f928
__GetExceptDLLinfo+0x74b @$xp$36Shdocvw_tlb@TShellFavoritesNameSpace-0x11418 227+0x17a4 @ 0x4017a4
@@Trayicon@Finalize+0x99bb3 ___CPPdebugHook-0x1aae9 227+0x16bc77 @ 0x56bc77

exception.instruction_r: 83 7f 08 00 7f e5 8b 86 28 03 00 00 e8 f0 fe 09
exception.symbol: @Nmuue@initialization$qqrv+0x19fd7 @Ccalendr@Register$qqrv-0x86ed 227+0xbd01f
exception.instruction: cmp dword ptr [edi + 8], 0
exception.module: 227.exe
exception.exception_code: 0xc0000005
exception.offset: 774175
exception.address: 0x4bd01f
registers.esp: 1630372
registers.edi: 0
registers.eax: 0
registers.ebp: 1636892
registers.edx: 0
registers.ebx: 8072320
registers.esi: 34856892
registers.ecx: 0
status: 1
return: 0
repeated: 0

__exception__

stacktrace:
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xcc483ff
registers.esp: 1626612
registers.edi: 5
registers.eax: 34501504
registers.ebp: 5409032
registers.edx: 34766856
registers.ebx: 211
registers.esi: 34483652
registers.ecx: 34766849
status: 1
return: 0
repeated: 0

Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00740000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00526000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

description 227.exe tried to sleep 238 seconds, actually delayed analysis time by 238 seconds

MicroWorld-eScan Trojan.GenericKD.70510732
Skyhigh Artemis!Trojan
BitDefender Trojan.GenericKD.70510732
CrowdStrike win/malicious_confidence_100% (W)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
Ad-Aware Trojan.GenericKD.70510732
TrendMicro TrojanSpy.Win32.REDLINE.YXDKVZ
FireEye Trojan.GenericKD.70510732
Emsisoft Trojan.GenericKD.70510732 (B)
MAX malware (ai score=84)
Microsoft Trojan:Win32/Malgent!MSR
Gridinsoft Trojan.Win32.Gen.bot
GData Trojan.GenericKD.70510732
McAfee Artemis!EC9034A2F644
TrendMicro-HouseCall TrojanSpy.Win32.REDLINE.YXDKVZ