Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 19, 2023, 7:32 a.m.	Dec. 19, 2023, 7:37 a.m.

Size	114.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`82182c7f430666ecd80649a3c9d4b06a`
SHA256	`f9a0484222a37b48f410a2a1b6cfc204d0c6a3f722ca69aa0773c2c4f67bea35`
CRC32	`2D9A5036`
ssdeep	`3072:AyIpG2/iDbYyEXcFHUZUMgJUYF+JddZCqNC:lIposRcF0Z9gJh+bd9N`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

lve5.exe "C:\Users\test22\AppData\Local\Temp\lve5.exe"
1572

Name	Response	Post-Analysis Lookup
www.996m2m2.top	A 163.197.245.130	163.197.245.130

IP Address	Status	Action
163.197.245.130	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 163.197.245.130:5956 -> 192.168.56.103:49163	2400015	ET DROP Spamhaus DROP Listed Traffic Inbound group 16	Misc Attack

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 19, 2023, 7:32 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Dec. 19, 2023, 7:32 a.m.	total_number_of_free_bytes: 9935323136 free_bytes_available: 9935323136 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Dec. 19, 2023, 7:32 a.m.	service_start_name: start_type: 2 password: display_name: Iucouo cukmoekq filepath: C:\Program Files (x86)\Microsoft Oeswuy\Vnloubk.exe service_name: Rsqgoo sqoeuise filepath_r: C:\Program Files (x86)\Microsoft Oeswuy\Vnloubk.exe desired_access: 983551 service_handle: 0x0089c078 error_control: 1 service_type: 272 service_manager_handle: 0x0089c118	1	9027704	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x000000c8 process_name: mobsync.exe process_identifier: 1692	1	1
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x000000c8 process_name: cmd.exe process_identifier: 1184	1	1
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x000000c8 process_name: conhost.exe process_identifier: 1708	1	1
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x000000c8 process_name: lve5.exe process_identifier: 1572	1	1
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 2088	1	1
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 6553710		0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 2208	1	1
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 19, 2023, 7:32 a.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001c200', u'virtual_address': u'0x00046000', u'entropy': 7.782640293604593, u'name': u'UPX1', u'virtual_size': u'0x0001d000'}

entropy

7.7826402936

description

A section with a high entropy has been found

entropy

0.995575221239

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 81 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 6553710		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0
Process32NextW Dec. 19, 2023, 7:32 a.m.	snapshot_handle: 0x00000274 process_name: Vnloubk.exe process_identifier: 7274604		0	0

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Installs itself for autorun at Windows startup (1 event)

service_name

Rsqgoo sqoeuise

service_path

C:\Program Files (x86)\Microsoft Oeswuy\Vnloubk.exe

Expresses interest in specific running processes (2 events)

process	lve5.exe
process: potential process injection target	explorer.exe

lve5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All