Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 11, 2023, 7:18 p.m.	Dec. 11, 2023, 7:31 p.m.

Size	14.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`716c27c08649ad5319ef1c41950c1c82`
SHA256	`f62640b8047a6105ba98ab690d7908f6c3e8aef22f05d6512e838457a01e0593`
CRC32	`5365079C`
ssdeep	`384:QqZ14rOq8oLxRLNrqNXjLgL8lLhBN2F3T:QiCCcxFkXk2LhBN03T`
PDB Path	C:\Users\janad\Desktop\encrypt c# payload\download and run\WindowsFormsApp3\obj\Debug\WindowsFormsApp3.pdb
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description)

sleeps.exe "C:\Users\test22\AppData\Local\Temp\sleeps.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 11, 2023, 7:18 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Dec. 11, 2023, 7:18 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2023, 7:18 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:18 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:18 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:18 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\janad\Desktop\encrypt c# payload\download and run\WindowsFormsApp3\obj\Debug\WindowsFormsApp3.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:18 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.GenericKD.70689014
ALYac	Trojan.GenericKD.70689014
Malwarebytes	Spyware.PasswordStealer
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
Alibaba	Trojan:MSIL/Injector.5669fb4a
K7GW	Trojan ( 700000121 )
Cybereason	malicious.cf0cbb
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Injector.FCD
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.70689014
Avast	Win32:InjectorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13f8f9d1
Emsisoft	Trojan.GenericKD.70689014 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.InjectNET.67
VIPRE	Trojan.GenericKD.70689014
TrendMicro	TROJ_GEN.R002C0RL423
FireEye	Generic.mg.716c27c08649ad53
Sophos	Mal/MSIL-AX
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=88)
Webroot	W32.Trojan.GenKD
Google	Detected
Avira	TR/Dropper.Gen
Varist	W32/ABRisk.JDCR-7110
Antiy-AVL	Trojan/MSIL.Injector
Kingsoft	Win32.Trojan.Generic.a
Microsoft	Trojan:Win32/Znyonm
Gridinsoft	Trojan.Win32.AgentTesla.tr
Xcitium	Malware@#1gcair6cfiqjs
Arcabit	Trojan.Generic.D436A0F6
ViRobot	Trojan.Win.Z.Marsilia.14848.B
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKD.70689014
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win32.RL_Generic.C4274416
VBA32	TScope.Trojan.MSIL
Cylance	unsafe
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002C0RL423
Rising	Backdoor.Orcus!8.A4F3 (CLOUD)
Ikarus	Trojan-Spy.LokiBot
MaxSecure	Trojan.Malware.7164915.susgen
Fortinet	W32/FCD!tr

sleeps.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All