Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 12, 2024, 7:08 p.m.	May 12, 2024, 7:10 p.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e17b09e3a34f25c08e8869c8b5dac01c`
SHA256	`17bbfcb94482982e9b4282c44da52313a1e3862adc5bb48a997a9123b41ebb0b`
CRC32	`7287DA75`
ssdeep	`49152:ZI9+2qYtQ/Rg2ECNUg2I7wUpEroPeeegawQTCIyVM8OoJNz:Og21t0q2ECNURoPblawXIyXOo3`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

extension.exe "C:\Users\test22\AppData\Local\Temp\extension.exe"
884

Name	Response	Post-Analysis Lookup
zenglobalenerji.com	A 185.106.210.202	185.106.210.202

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.106.210.202	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 185.106.210.202:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49161 -> 185.106.210.202:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49163 -> 185.106.210.202:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49161 -> 185.106.210.202:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49161 -> 185.106.210.202:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.106.210.202:443 -> 192.168.56.103:49163	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 185.106.210.202:443 -> 192.168.56.103:49163	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 185.106.210.202:443 -> 192.168.56.103:49161	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 185.106.210.202:443 -> 192.168.56.103:49161	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2024, 7:08 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 12, 2024, 7:08 p.m.	stacktrace: extension+0x11a1d7 @ 0x51a1d7 extension+0x112257 @ 0x512257 extension+0x113ac9 @ 0x513ac9 extension+0x1192f1 @ 0x5192f1 extension+0x119367 @ 0x519367 extension+0x10d286 @ 0x50d286 extension+0x13e596 @ 0x53e596 extension+0x29efd3 @ 0x69efd3 extension+0x2b62e1 @ 0x6b62e1 extension+0x2b8e32 @ 0x6b8e32 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636468 registers.edi: 0 registers.eax: 1636468 registers.ebp: 1636548 registers.edx: 0 registers.ebx: 2147614729 registers.esi: 0 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 12, 2024, 7:08 p.m.

stacktrace:

extension+0x11a1d7 @ 0x51a1d7
extension+0x112257 @ 0x512257
extension+0x113ac9 @ 0x513ac9
extension+0x1192f1 @ 0x5192f1
extension+0x119367 @ 0x519367
extension+0x10d286 @ 0x50d286
extension+0x13e596 @ 0x53e596
extension+0x29efd3 @ 0x69efd3
extension+0x2b62e1 @ 0x6b62e1
extension+0x2b8e32 @ 0x6b8e32
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1636468
registers.edi: 0
registers.eax: 1636468
registers.ebp: 1636548
registers.edx: 0
registers.ebx: 2147614729
registers.esi: 0
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00025800', u'virtual_address': u'0x002ba000', u'entropy': 7.58181728763662, u'name': u'.data', u'virtual_size': u'0x00025718'}

entropy

7.58181728764

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW May 12, 2024, 7:08 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.Win32.GenericKDS.4!c
ALYac	Trojan.GenericKDS.61029191
VIPRE	Trojan.GenericKDS.61029191
BitDefender	Trojan.GenericKDS.61029191
Arcabit	Trojan.GenericS.D3A33B47
Avast	Win32:Malware-gen
MicroWorld-eScan	Trojan.GenericKDS.61029191
Emsisoft	Trojan.GenericKDS.61029191 (B)
FireEye	Trojan.GenericKDS.61029191
Google	Detected
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Agent
Gridinsoft	Malware.Win32.PrivateLoader.tr
GData	Trojan.GenericKDS.61029191
Varist	W32/ABRisk.OFUS-0423
AhnLab-V3	Trojan/Win.Generic.C5621145
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.PrivateLoader
TrendMicro-HouseCall	TROJ_GEN.R002H09E924
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
alibabacloud	Suspicious

extension.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All