Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2023, 6:52 p.m.	Dec. 14, 2023, 7:16 p.m.

Size	415.6KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`10c118856dd7ca8b8bf9cfbeafaa52e2`
SHA256	`8851a3faab94a5c68217fa4de968cc0e82506cba6bd17d779bc5c6f320d4a7a7`
CRC32	`34F682F6`
ssdeep	`6144:HSR19yqCA8AA0oU28N4UbmAvS+BKnkc2Rud2+KVuGiEdHyUivYmogOKl+J5Z:y8qCD0oU28NC9bk/IY5KzLnBsZ`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

ekk1.exe "C:\Users\test22\AppData\Local\Temp\ekk1.exe"
1680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
113.52.134.114	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 14, 2023, 6:52 p.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000003e0000 process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 14, 2023, 6:52 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001a000', u'virtual_address': u'0x00004000', u'entropy': 7.988560172471632, u'name': u'.rdata', u'virtual_size': u'0x00019ed0'}

entropy

7.98856017247

description

A section with a high entropy has been found

entropy

0.287690179806

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

113.52.134.114

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

113.52.134.114:443

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Rozena.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	W32/Etap.a.gen
ALYac	Trojan.GenericKD.70754049
Cylance	unsafe
VIPRE	Trojan.GenericKD.70754049
Sangfor	Trojan.Win32.Save.a
BitDefender	Trojan.GenericKD.70754049
Cybereason	malicious.41a96b
Arcabit	Trojan.Generic.D4379F01
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Rozena.UA
APEX	Malicious
McAfee	W32/Etap.a.gen
Avast	Win64:Evo-gen [Trj]
Kaspersky	Backdoor.Win64.Havoc.bmj
Alibaba	Backdoor:Win64/Havoc.66f4715c
MicroWorld-eScan	Trojan.GenericKD.70754049
Rising	Backdoor.Havoc!8.970A (TFE:5:iOsLNUjCOWT)
Emsisoft	Trojan.GenericKD.70754049 (B)
F-Secure	Trojan.TR/Rozena.ennht
FireEye	Generic.mg.10c118856dd7ca8b
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Crypt
Google	Detected
Avira	TR/Rozena.ennht
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Win64.Rozena
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Ransom.Win64.Wacatac.sa
Microsoft	Trojan:Win32/ScarletFlash.A
ZoneAlarm	Backdoor.Win64.Havoc.bmj
GData	Win64.Trojan.Agent.EK8P5W
Varist	W64/ABRisk.FRPG-8641
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.ShellCode
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0CLB23
Tencent	Win32.Trojan.FalseSign.Majl
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W64/Rozena.UA!tr
AVG	Win64:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

ekk1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All