Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2024, 9:54 a.m.	June 16, 2024, 9:59 a.m.

Size	702.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`95996d628e7f15ed7290902c879aa81b`
SHA256	`580ef11908322d49d35edef4b0dde97deb75a5ead2f2395c64a5935f982c0cb7`
CRC32	`4E428FDF`
ssdeep	`12288:3SWRXlSxAT8vKxPl70hXuYV0CsDdflRgvpGuEPf9+NPn7NeVc1:BuxAT8vKxZYkRflAC8Nci`
PDB Path	C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

x86_0923_1.exe "C:\Users\test22\AppData\Local\Temp\x86_0923_1.exe"
2620

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
149.129.37.78	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA June 16, 2024, 9:54 a.m.	buffer: ÅX°Ê¥[¸ü¦¨¥\ console_handle: 0x00000007	1	1	0
WriteConsoleA June 16, 2024, 9:54 a.m.	buffer: error open url console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

SYS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 16, 2024, 9:54 a.m.	stacktrace: x86_0923_1+0x183b3 @ 0xdc83b3 x86_0923_1+0x1a7b7 @ 0xdca7b7 x86_0923_1+0x22819 @ 0xdd2819 x86_0923_1+0x2415b @ 0xdd415b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: f3 a5 83 e2 03 ff 24 95 94 df de 00 ff 24 8d a4 exception.symbol: x86_0923_1+0x3df80 exception.instruction: movsd dword ptr es:[edi], dword ptr [esi] exception.module: x86_0923_1.exe exception.exception_code: 0xc0000005 exception.offset: 253824 exception.address: 0xdedf80 registers.esp: 4024772 registers.edi: 452198464 registers.eax: 452198474 registers.ebp: 4024820 registers.edx: 4409904 registers.ebx: 4409919 registers.esi: 10 registers.ecx: 1102476	1	0	0

Foreign language identified in PE resource (1 event)

name

SYS

language

LANG_CHINESE

filetype

PE32+ executable (native) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x17e190b0

size

0x00028a50

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x0000010c process_name: x86_0923_1.exe process_identifier: 2620	1	1	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x0000010c process_name: conhost.exe process_identifier: 2664	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

149.129.37.78

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\ImagePath

reg_value

\??\C:\Driver2030.sys

Loads a driver (1 event)

Time & API	Arguments	Status	Return	Repeated
NtLoadDriver June 16, 2024, 9:54 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\EvilDriver		3221225473	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 16, 2024, 9:54 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225474	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.bh
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.MalCert!1.F15F (CLASSIC)
McAfeeD	Real Protect-LS!95996D628E7F
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.95996d628e7f15ed
Sophos	Mal/Generic-S
Gridinsoft	Trojan.Win32.Downloader.sa
ZoneAlarm	UDS:DangerousObject.Multi.Generic
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Malware.AI.2420482668
SentinelOne	Static AI - Malicious PE
Fortinet	W32/PossibleThreat
AVG	Win32:TrojanX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (W)

Stops Windows services (1 event)

service

EvilDriver (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\Start)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49162
dead_host	149.129.37.78:22556

x86_0923_1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All