popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

DownVerySync.exe

Emotet Generic Malware Malicious Library UPX Malicious Packer MSOffice File PE64 PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 19, 2024, 11:07 a.m. Aug. 19, 2024, 11:09 a.m.
Size 1.8MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 a54ca6fc8ecfab0cc46f506d29acfd19
SHA256 7cb6dbf0990bcfe8384403e2a172ab5c3b0925c0149462de6f827bc3970a915c
CRC32 0A81EBE3
ssdeep 49152:5yzTf0oeJlypTbTNgGr03w4+l1diaIaKazTSx/P7eBN6Gp/:IfPTbBzTqDsN7p/
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
dl-cn.verysync.com
A 172.67.201.86
A 104.21.52.166
CNAME dl-cn.verysync.com.cdn.cloudflare.net
104.21.52.166
IP Address Status Action
104.21.52.166 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

 buffer: 7-Zip 20.00 alpha (x86) : Copyright (c) 1999-2020 Igor Pavlov : 2020-02-06
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Scanning the drive for archives:
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: 0M Scan D:\
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

 buffer: D:\verysync-windows-amd64-v2.15.0.zip
console_handle: 0x0000000b
1 1 0

WriteConsoleA

 buffer: System ERROR:
console_handle: 0x0000000b
1 1 0
request GET http://dl-cn.verysync.com/releases/v2.15.0/verysync-windows-amd64-v2.15.0.zip
request GET http://dl-cn.verysync.com/releases/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\7z.dll
file C:\Users\test22\AppData\Local\Temp\7z.exe
file C:\Users\test22\AppData\Local\Temp\7z.dll
file C:\Users\test22\AppData\Local\Temp\7z.exe
Time & API Arguments Status Return Repeated

Process32FirstW

 snapshot_handle: 0x000000000000010c
process_name: [System Process]
process_identifier: 0
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: System
process_identifier: 4
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: smss.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: csrss.exe
process_identifier: 304
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: wininit.exe
process_identifier: 352
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: csrss.exe
process_identifier: 360
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: winlogon.exe
process_identifier: 400
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: services.exe
process_identifier: 444
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: lsass.exe
process_identifier: 460
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: lsm.exe
process_identifier: 468
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 572
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 652
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 724
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 784
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 832
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: audiodg.exe
process_identifier: 900
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 992
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 292
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: spoolsv.exe
process_identifier: 324
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 1048
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: srvany.exe
process_identifier: 1284
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: KMService.exe
process_identifier: 1436
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: conhost.exe
process_identifier: 1448
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: taskhost.exe
process_identifier: 1600
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: sppsvc.exe
process_identifier: 1820
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: svchost.exe
process_identifier: 1896
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: dwm.exe
process_identifier: 1260
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: explorer.exe
process_identifier: 1452
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: pw.exe
process_identifier: 988
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: SearchIndexer.exe
process_identifier: 1160
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: SearchProtocolHost.exe
process_identifier: 936
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: SearchFilterHost.exe
process_identifier: 2000
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: mobsync.exe
process_identifier: 2292
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: pw.exe
process_identifier: 2336
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: wsqmcons.exe
process_identifier: 2372
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: taskhost.exe
process_identifier: 2388
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: sdclt.exe
process_identifier: 2396
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000010c
process_name: DownVerySync.exe
process_identifier: 2564
1 1 0
section {u'size_of_data': u'0x000d1e00', u'virtual_address': u'0x000fb000', u'entropy': 7.972462078099242, u'name': u'.rsrc', u'virtual_size': u'0x000d1dac'} entropy 7.9724620781 description A section with a high entropy has been found
entropy 0.462152491054 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeSecurityPrivilege
1 1 0
Bkav W64.AIDetectMalware
Elastic malicious (high confidence)
Cylance Unsafe
Kaspersky Trojan.Win32.Agentb.mfim
FireEye Generic.mg.a54ca6fc8ecfab0c
Jiangmin Trojan.Autoit.gais
Kingsoft Win32.Trojan.Agentb.a
ZoneAlarm Trojan.Win32.Agentb.mfim
DeepInstinct MALICIOUS
Paloalto generic.ml
CrowdStrike win/malicious_confidence_90% (W)