Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2024, 9:55 a.m.	June 16, 2024, 10:45 a.m.

Size	705.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`cedd4cef78da5751af380902c89f1352`
SHA256	`8f4d090da477195a6fb34b2330c30c22e440ce3c569a24ba630da0def65a8a35`
CRC32	`890CE25B`
ssdeep	`12288:3LE2GKCAvjieDiXWAraJLzKC0/ctP22yBJ/kA0nc/783GRpw9+NPn7BZi:AveDiXWAra9zKt2cr0n88GN+`
PDB Path	C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

x86_0929_1.exe "C:\Users\test22\AppData\Local\Temp\x86_0929_1.exe"
2612

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
149.129.37.78	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA June 16, 2024, 9:55 a.m.	buffer: ÅX°Ê¥[¸ü¦¨¥\ console_handle: 0x00000007	1	1	0
WriteConsoleA June 16, 2024, 9:55 a.m.	buffer: error open url console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

SYS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 16, 2024, 9:55 a.m.	stacktrace: x86_0929_1+0x18713 @ 0xed8713 x86_0929_1+0x1ab17 @ 0xedab17 x86_0929_1+0x22ba9 @ 0xee2ba9 x86_0929_1+0x2453b @ 0xee453b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: f3 a5 83 e2 03 ff 24 95 74 e3 ef 00 ff 24 8d 84 exception.symbol: x86_0929_1+0x3e360 exception.instruction: movsd dword ptr es:[edi], dword ptr [esi] exception.module: x86_0929_1.exe exception.exception_code: 0xc0000005 exception.offset: 254816 exception.address: 0xefe360 registers.esp: 1534884 registers.edi: 451870784 registers.eax: 451870794 registers.ebp: 1534932 registers.edx: 3623472 registers.ebx: 3623487 registers.esi: 10 registers.ecx: 905868	1	0	0

Foreign language identified in PE resource (1 event)

name

SYS

language

LANG_CHINESE

filetype

PE32+ executable (native) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x17e1a0b0

size

0x00028a50

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x0000010c process_name: sdclt.exe process_identifier: 2388	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 9:55 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0
LookupPrivilegeValueW June 16, 2024, 9:55 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

149.129.37.78

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\ImagePath

reg_value

\??\C:\Driver2030.sys

Loads a driver (1 event)

Time & API	Arguments	Status	Return	Repeated
NtLoadDriver June 16, 2024, 9:55 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\EvilDriver		3221225473	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 16, 2024, 9:55 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225474	0

Stops Windows services (1 event)

service

EvilDriver (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\Start)

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.bh
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Paloalto	generic.ml
BitDefender	Gen:Variant.Jaik.232236
MicroWorld-eScan	Gen:Variant.Jaik.232236
Emsisoft	Gen:Variant.Jaik.232236 (B)
McAfeeD	Real Protect-LS!CEDD4CEF78DA
FireEye	Generic.mg.cedd4cef78da5751
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Google	Detected
MAX	malware (ai score=81)
Kingsoft	Win32.HeurC.KVM003.a
Gridinsoft	Trojan.Win32.Downloader.sa
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Jaik.232236
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Malware.AI.2420482668
SentinelOne	Static AI - Malicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	W32/PossibleThreat
Panda	Trj/Chgt.AD

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49161
dead_host	149.129.37.78:22556

x86_0929_1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All