Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 6, 2024, 9:17 a.m.	Aug. 6, 2024, 9:36 a.m.

Size	7.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c94b912d6522020372342c328fab4bc9`
SHA256	`486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055`
CRC32	`A757DA4E`
ssdeep	`196608:u2GfcMp7LWAWBnQ4SgbnHtYc0GdjuB7DMWcMq:alWAWBfSOHz0G4uWL`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature VMProtect_Zero - VMProtect packed file IsPE32 - (no description) UPX_Zero - UPX packed file

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
2552

Name	Response	Post-Analysis Lookup
shs.oppein.top	CNAME all.oppein.top.w.kunlunpi.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 6, 2024, 9:17 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.vmp0
section	.vmp1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

shs.oppein.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c2000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74937000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748a5000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748a5000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 5 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748a5708 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748a5000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 6, 2024, 9:17 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 5 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748a5708 process_handle: 0xffffffff		3221225477

Foreign language identified in PE resource (12 events)

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e364c8

size

0x00009690

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e3fb58

size

0x00000092

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00e3fbec

size

0x000000dc

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\25521341b0\tv.vbe
file	C:\Users\test22\AppData\Local\Temp\25521341b0\t_baibaoyun_win32.dll
file	C:\Users\test22\AppData\Local\Temp\25521341b0\ai.exe
file	C:\Users\test22\AppData\Local\Temp\25521341b0\TApi.dll
file	C:\Users\test22\AppData\Local\Temp\25521341b0\TLib.dll
file	C:\Users\test22\AppData\Local\Temp\25521341b0\sc.vbe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\25521341b0\t_baibaoyun_win32.dll
file	C:\Users\test22\AppData\Local\Temp\25521341b0\ai.exe
file	C:\Users\test22\AppData\Local\Temp\25521341b0\TLib.dll
file	C:\Users\test22\AppData\Local\Temp\25521341b0\TApi.dll

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00769a00', u'virtual_address': u'0x006c6000', u'entropy': 7.9754519203391245, u'name': u'.vmp1', u'virtual_size': u'0x007699a0'}

entropy

7.97545192034

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00010200', u'virtual_address': u'0x00e30000', u'entropy': 7.1077002057988325, u'name': u'.rsrc', u'virtual_size': u'0x0001002a'}

entropy

7.1077002058

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\1.exe

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 6, 2024, 9:17 a.m.	thread_identifier: 0 callback_function: 0x71f9c951 hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x71f90000	1	197049	0

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Sality.wc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 7000001c1 )
K7GW	Trojan ( 7000001c1 )
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
APEX	Malicious
Avast	FileRepMalware [Misc]
McAfeeD	Real Protect-LS!C94B912D6522
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.c94b912d65220203
Sophos	Mal/VMProtBad-A
SentinelOne	Static AI - Suspicious PE
Google	Detected
Antiy-AVL	Trojan[Packed]/Win32.VMProtect
Kingsoft	malware.kb.b.785
Microsoft	Trojan:Win32/Malgent!MSR
BitDefenderTheta	Gen:NN.ZexaF.36810.@BW@aSK4SKdj
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1391160489
Ikarus	Trojan.Crypt
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware [Misc]
CrowdStrike	win/malicious_confidence_60% (W)

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All