Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2024, 9:56 a.m.	June 16, 2024, 10:34 a.m.

Size	704.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`dbe26ec226d4e3830352693e0fbb5f56`
SHA256	`41387f0ae777168eee6861788cc9092dbe2d8e9ab3bc745184ff1648db5c2f30`
CRC32	`6FB60FEC`
ssdeep	`12288:qCXIhxPHYbBU9Yx59E6tJNK2hHo7TIcESXTV9qRSEidhH9+NPn7OI:67vYbBWYx59E6v2+SX73QNT`
PDB Path	C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

x86_0929_2.exe "C:\Users\test22\AppData\Local\Temp\x86_0929_2.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
149.129.37.78	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA June 16, 2024, 9:56 a.m.	buffer: ÅX°Ê¥[¸ü¦¨¥\ console_handle: 0x00000007	1	1	0
WriteConsoleA June 16, 2024, 9:56 a.m.	buffer: error open url console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Clive\source\repos\x86_driver\Release\x86.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

SYS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 16, 2024, 9:56 a.m.	stacktrace: x86_0929_2+0x184d3 @ 0x8f84d3 x86_0929_2+0x1a8d7 @ 0x8fa8d7 x86_0929_2+0x22969 @ 0x902969 x86_0929_2+0x242fb @ 0x9042fb BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: f3 a5 83 e2 03 ff 24 95 34 e1 91 00 ff 24 8d 44 exception.symbol: x86_0929_2+0x3e120 exception.instruction: movsd dword ptr es:[edi], dword ptr [esi] exception.module: x86_0929_2.exe exception.exception_code: 0xc0000005 exception.offset: 254240 exception.address: 0x91e120 registers.esp: 4024784 registers.edi: 453640256 registers.eax: 453640266 registers.ebp: 4024832 registers.edx: 4672048 registers.ebx: 4672063 registers.esi: 10 registers.ecx: 1168012	1	0	0

Foreign language identified in PE resource (1 event)

name

SYS

language

LANG_CHINESE

filetype

PE32+ executable (native) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x17e190b0

size

0x00028a50

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 9:56 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0
LookupPrivilegeValueW June 16, 2024, 9:56 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

149.129.37.78

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\ImagePath

reg_value

\??\C:\Driver2030.sys

Loads a driver (1 event)

Time & API	Arguments	Status	Return	Repeated
NtLoadDriver June 16, 2024, 9:56 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\EvilDriver		3221225473	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 16, 2024, 9:56 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225474	0

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.bh
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
McAfee	Artemis!DBE26EC226D4
Avast	TrojanX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.MalCert!1.F15F (CLASSIC)
McAfeeD	Real Protect-LS!DBE26EC226D4
FireEye	Generic.mg.dbe26ec226d4e383
Sophos	Generic Reputation PUA (PUA)
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Malware.AI.2420482668
Panda	Trj/Chgt.AD
SentinelOne	Static AI - Malicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	W32/PossibleThreat
AVG	TrojanX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

Stops Windows services (1 event)

service

EvilDriver (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EvilDriver\Start)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49161
dead_host	149.129.37.78:22556

x86_0929_2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All