Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 16, 2024, 8:57 a.m.	May 16, 2024, 8:59 a.m.

Size	105.3KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`5c3eb8c100cef5725d79a35664e58646`
SHA256	`54dc7635c51ecd94cfe8e45cbac2e52191867b9ff0465d778ee5a200bb832c22`
CRC32	`55493231`
ssdeep	`1536:MTJxeSgVJ43R2N8gW7YI4z1w+8X5QbdoRPqUw35:M1xeSU4h2NQ7YfF0qn`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

x103.log "C:\Users\test22\AppData\Local\Temp\x103.log"
2540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.143.81.180	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 103.143.81.180:808	2260003	SURICATA Applayer Protocol detection skipped	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 16, 2024, 8:57 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 8:57 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73252000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

x103.log tried to sleep 199 seconds, actually delayed analysis time by 199 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 16, 2024, 8:57 a.m.	total_number_of_free_bytes: 13322780672 free_bytes_available: 13322780672 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: x103.log process_identifier: 2540	1	1	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (48 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0
Process32NextW May 16, 2024, 8:57 a.m.	snapshot_handle: 0x000002d8 process_name: conhost.exe process_identifier: 2584		0	0

Communicates with host for which no DNS query was performed (1 event)

host

103.143.81.180

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (2 events)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW May 16, 2024, 8:57 a.m.	key_handle: 0x000001a8 regkey_r: d33f351a4aeea5e608853d1a56661059 reg_type: 3 (REG_BINARY) value: {vU_!jWW.dll_bin¿29e63e83392895a08a0855578b853682éUììSVq<WUôDxÀtm\|\|tf\]øÛt[Tt ÑD$ñUèÁ3ÒuðEìÛt:<3öù}üÀtßiö¾ÀðCÀuî]øæÿÿÿ;uôtuðB;ÓrÆ3À_^[å]Ã}uEì·PUèÁëâWQÿUëÛUìQeüèX-½ºEüEüå]ÃUìQQd¡0SVW@ÙPëA·r$3Éz(Ñîö~·øaràÿiÉ·ÀÈNuâáÿÿÿùæÊÒu»3öjºT¸¹ÎèËþÿÿPºx Îè¼þÿÿÿ3ºb4^CÎè«þÿÿÿ3ºsHCÎèþÿÿÿ3º¥ò\pCÎèþÿÿÄCEøÇEøntdlfÇEülPÿSÿ3ðºËyµ Îè_þÿÿÿ3ºÀéCÎèNþÿÿYY_^C[å]ÃréaÿÿÿUììÂMüEôSVÀu3ÀéºMZf9uïWx<ø?PEs¸Lf9GdÀ¿f9GWj@hÿwP3ÛSÿQðö=ÿwTEüÿuôVÿP~<3Àþ]ð}ìf;GsX]ôEøHüÉt+Î8tÿ0@ÃPEüQÿPë8v ÿw8EüQÿPEøMðÀ(EøA·G;ÈMðEø\|¶3Û Àt`9¤tX0ëEBø]ôÑèEøÀ~1·TYÂÇEô0%ðf;EôuâÿÆ+G42C;]ø\|Ñ3ÛEðAEðÂuÀt9twÆëiÆPEüÿPEèÀ"EøÉuHPÎMðÖUô Ét3]üúy·ÁëFÁPÿuèÿÇEðÀEðÉuÚ}ì3ÛEøÀEø@ÀuÀÉt?L13ÒjX+ÁMðÁèÉ]ôEÂEèÀtøSjVÿMðEôÁ@MðEô;Çuæ}ìG(ÆtÿujVÿÐ}EÀGxÀty9_\|tt9\0tnL0T0 ÎMôÖL0$ÎUìMð9\0vMøÿuÆPEüÿPÀt$UìC;\7rãë,Eüh@ÿwPVÿP3À_^[å]ÃEðMô·XMÆ3À@ëàUìì$SVWMÜè%üÿÿèüÿÿeüðÆJº3Û~ FþÀt:jhÿvÆSEøÿUäØÛu3Àë_ÿvSÿv WÿUøÄøÿt ;Fuû3ÛC>EüP×MÜFujPëh@ÿvSÿUèë»PjèüÿÿÄÛth@ÿvWÿUèEü_^[å]Ãu0 regkey: HKEY_CURRENT_USER\Console\0\d33f351a4aeea5e608853d1a56661059	1	0	0
RegSetValueExW May 16, 2024, 8:57 a.m.	key_handle: 0x000001ac regkey_r: IpDates_info reg_type: 3 (REG_BINARY) value: 103.143.81.180808103.143.81.1804433127.0.0.18011TmNTÁ1.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\IpDates_info	1	0	0

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW May 16, 2024, 8:57 a.m.	thread_identifier: 0 callback_function: 0x73c0c951 hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x73c00000	1	2359727	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Shellcode.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.cm
McAfee	Artemis!5C3EB8C100CE
VIPRE	Gen:Variant.Jaik.225374
Sangfor	Trojan.Win32.Winos.swkaa
BitDefender	Gen:Variant.Jaik.225374
Arcabit	Trojan.Jaik.D3705E
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/ShellcodeRunner.JW
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Multi.ShellCode.gen
MicroWorld-eScan	Gen:Variant.Jaik.225374
Rising	Trojan.ShellCode!8.197DC (TFE:5:3Vu5mR7mZjH)
Emsisoft	Gen:Variant.Jaik.225374 (B)
F-Secure	Trojan.TR/Redcap.pprih
FireEye	Generic.mg.5c3eb8c100cef572
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Shellcoderunner
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/Redcap.pprih
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win32.ShellcodeRunner
Kingsoft	malware.kb.a.768
Gridinsoft	Trojan.Win32.Shellcode.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Multi.ShellCode.gen
GData	Gen:Variant.Jaik.225374
Varist	W32/ABRisk.ISPI-4873
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Meterpreter
Malwarebytes	Backdoor.Bot
TrendMicro-HouseCall	TROJ_GEN.R002H07EF24
Tencent	Malware.Win32.Gencirc.1409ae50
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Malicious_Behavior.SB
AVG	Win32:TrojanX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/ShellcodeRunner.JI

x103.log

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All