Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 17, 2024, 10:13 p.m.	Aug. 17, 2024, 10:29 p.m.

Size	552.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`06a9fb51c5455ef7c06cdad4f015c96b`
SHA256	`ce3ae4549b58a5304de4c262ac272aa5da715b63edd796de299c861330a4a8d6`
CRC32	`AE76FE59`
ssdeep	`12288:WLV6BtpmkL0GKD8wMSrbwlrVdUnBRO+KcXrWelWyk+kOTo5:EApfL0GKD8wMS/GdUnXocxlPk+kn5`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) IsPE32 - (no description)

Survox.exe "C:\Users\test22\AppData\Local\Temp\Survox.exe"
1492

Name	Response	Post-Analysis Lookup
vowquybcw.org	A 45.89.247.19	45.89.247.19

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.89.247.19	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2400003	ET DROP Spamhaus DROP Listed Traffic Inbound group 4	Misc Attack
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046911	ET MALWARE NanoCore RAT Keepalive Response 3	A Network Trojan was detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046909	ET MALWARE NanoCore RAT Keepalive Response 1	A Network Trojan was detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 45.89.247.19:34587	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 45.89.247.19:34587 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 17, 2024, 10:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:13 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2024, 10:13 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2024, 10:13 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74021000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74022000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00538000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00539000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00743000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:13 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006d600', u'virtual_address': u'0x00022000', u'entropy': 7.999649816164612, u'name': u'.rsrc', u'virtual_size': u'0x0006d538'}

entropy

7.99964981616

description

A section with a high entropy has been found

entropy

0.792572463768

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 17, 2024, 10:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more of the buffers contains an embedded PE file (14 events)

buffer	Buffer with sha1: 9420a2004c14c4a5e31290936a07bd58dcaa15b3
buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 17, 2024, 10:13 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Survox.exe tried to sleep 5456702 seconds, actually delayed analysis time by 5456702 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Executes one or more WMI queries (3 events)

wmi	SELECT DisplayName FROM AntiSpywareProduct
wmi	SELECT DisplayName FROM FirewallProduct
wmi	SELECT DisplayName FROM AntiVirusProduct

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\Survox.exe:Zone.Identifier

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)

Bkav	W32.AIDetectMalware.CS
Elastic	Windows.Trojan.Nanocore
CAT-QuickHeal	Trojan.Orbus.C3
Skyhigh	BehavesLike.Win32.Generic.hc
ALYac	Backdoor.MSIL.Agent.GD
Cylance	Unsafe
VIPRE	Backdoor.MSIL.Agent.GD
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
BitDefender	Backdoor.MSIL.Agent.GD
K7GW	Trojan ( 700000121 )
Cybereason	malicious.1c5455
Arcabit	Backdoor.MSIL.Agent.GD
VirIT	Trojan.Win32.DownLoader12.BSON
Symantec	Trojan.Nancrat
tehtris	Generic.Malware
ESET-NOD32	MSIL/NanoCore.E
APEX	Malicious
McAfee	GenericRXAA-CZ!06A9FB51C545
Avast	MSIL:NanoCore-B [Trj]
ClamAV	Win.Trojan.NanoCore-9852758-0
Kaspersky	Trojan.MSIL.Agent.fpar
NANO-Antivirus	Trojan.Win32.NanoBot.hmqoyu
MicroWorld-eScan	Backdoor.MSIL.Agent.GD
Rising	Backdoor.NanoCore!1.B6F9 (CLASSIC)
Emsisoft	Trojan.NanoCore (A)
F-Secure	Trojan.TR/Dropper.MSIL.Gen7
DrWeb	Trojan.Nanocore.23
TrendMicro	BKDR_NOANCOOE.SMUPS
McAfeeD	Real Protect-LS!06A9FB51C545
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.06a9fb51c5455ef7
Sophos	Troj/NanoCor-BT
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.Generic.zwu
Google	Detected
Avira	TR/Dropper.MSIL.Gen7
MAX	malware (ai score=85)
Antiy-AVL	GrayWare/MSIL.NanoCore.a
Kingsoft	malware.kb.c.1000
Gridinsoft	Backdoor.Win32.Noancooe.cc!ni
Xcitium	Backdoor.MSIL.Noancooe.JDE@5s4u9t
Microsoft	Backdoor:MSIL/Nanocore!atmn
ViRobot	Backdoor.Win32.NanoCore.Gen.A
ZoneAlarm	Trojan.MSIL.Agent.fpar
GData	MSIL.Backdoor.Nancat.A
Varist	W32/NanoCore.C.gen!Eldorado
AhnLab-V3	Win-Trojan/Nanocore.Exp
BitDefenderTheta	Gen:NN.ZemsilF.36812.ImW@a0m9gJe
DeepInstinct	MALICIOUS

Survox.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All