Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 9:56 a.m.	June 16, 2024, 10:26 a.m.

Size	519.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`5fd66ba54fdd540072eeea86213c351b`
SHA256	`8eea7b6443751748fac6be47352a2bf7cbf13c15a30b0eb98d60bf7e352b3e2b`
CRC32	`B78F92A9`
ssdeep	`12288:UVHdcFw5xizRz3GLsuuKzHSdQ7faQ0CwgTZ+NPn71:UV9cFw5xizRzVYydQqraYN`
PDB Path	C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

x86_0729_1.exe "C:\Users\test22\AppData\Local\Temp\x86_0729_1.exe"
1952

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
149.129.37.78	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 16, 2024, 9:56 a.m.	buffer: ÅX°Ê¥[¸ü¦¨¥\ console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:56 a.m.	buffer: error open url console_handle: 0x00000007	1	1
WriteConsoleA June 16, 2024, 9:56 a.m.	buffer: error open url console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

SYS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 16, 2024, 9:56 a.m.	stacktrace: x86_0729_1+0x67d1 @ 0xbc67d1 x86_0729_1+0x5fbe @ 0xbc5fbe x86_0729_1+0x7462 @ 0xbc7462 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 66 0f 6f 66 40 66 0f 6f 6e 50 66 0f 6f 76 60 66 exception.symbol: x86_0729_1+0x21a16 exception.address: 0xbe1a16 exception.module: x86_0729_1.exe exception.exception_code: 0xc0000005 exception.offset: 137750 registers.esp: 3535080 registers.edi: 54939840 registers.eax: 0 registers.ebp: 3535128 registers.edx: 30710 registers.ebx: 4082623 registers.esi: 4317120 registers.ecx: 48	1	0	0

Foreign language identified in PE resource (1 event)

name

SYS

language

LANG_CHINESE

filetype

PE32+ executable (native) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x000710b0

size

0x00028618

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 16, 2024, 9:56 a.m.	snapshot_handle: 0x0000010c process_name: sdclt.exe process_identifier: 872	1	1	0
Process32NextW June 16, 2024, 9:56 a.m.	snapshot_handle: 0x0000010c process_name: cmd.exe process_identifier: 1440	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 9:56 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0
LookupPrivilegeValueW June 16, 2024, 9:56 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

149.129.37.78

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\ImagePath

reg_value

\??\C:\Driver2030.sys

Loads a driver (1 event)

Time & API	Arguments	Status	Return	Repeated
NtLoadDriver June 16, 2024, 9:56 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\EvilDriver		3221225473	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 16, 2024, 9:56 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225474	0

Stops Windows services (1 event)

service

EvilDriver (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\Start)

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.hh
McAfee	Artemis!5FD66BA54FDD
Cylance	Unsafe
VIPRE	Gen:Trojan.Heur.RP.GuW@b44bHIcj
Sangfor	Trojan.Win32.Save.a
BitDefender	Gen:Trojan.Heur.RP.GuW@b44bHIcj
Cybereason	malicious.54fdd5
Arcabit	Trojan.Heur.RP.E3A58E
Symantec	ML.Attribute.HighConfidence
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/MalwareX.0144f00b
MicroWorld-eScan	Gen:Trojan.Heur.RP.GuW@b44bHIcj
Rising	Trojan.Generic@AI.87 (RDMK:cmRtazoZDhJ39uPQZ/D2osunxCE5)
Emsisoft	Gen:Trojan.Heur.RP.GuW@b44bHIcj (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen7
TrendMicro	TROJ_GEN.R002C0XFE24
McAfeeD	Real Protect-LS!5FD66BA54FDD
FireEye	Generic.mg.5fd66ba54fdd5400
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Jiangmin	TrojanSpy.Stealer.cga
Google	Detected
Avira	TR/Crypt.XPACK.Gen7
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Win32.Sabsik
Kingsoft	malware.kb.a.716
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Trojan.Heur.RP.GuW@b44bHIcj
Varist	W32/ABRisk.HCTI-6432
AhnLab-V3	Trojan/Win.Generic.C5641369
BitDefenderTheta	AI:Packer.944428AF1F
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Malware.AI.2420482668
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0XFE24
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.218110627.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (W)
alibabacloud	Suspicious

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49162
dead_host	149.129.37.78:22556

x86_0729_1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All