Summary | ZeroBOX

TMS_C153.exe

Tags: Malicious Library, UPX, MZP Format, PE File, dll, PE32, DllRegisterServer

Category: FILE
Machine: s1_win7_x6401
Started: Aug. 19, 2024, 2:01 p.m.
Completed: Aug. 19, 2024, 3:24 p.m.
Size 1.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1ce9a063972f6f5266b78f7be6365fd6
SHA256 01cc833f1667363611254017eb3a754c08770413bf6884053b48144fc58439d0
CRC32 A2D74DBB
ssdeep 24576:mJiuBoABwMwBJ7GnWh05DO+giIF77k4xWWCEfFl31JmiPdliznrCWzg4PD:mzoIwtJphkg5fmfrCoPD
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • DllRegisterServer_Zero - execute regsvr32.exe
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Domains (Name / Response / Post-Analysis Lookup)
  No hosts contacted.
Hosts (IP Address / Status / Action)
  No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
tms_c153+0x13e784 @ 0x53e784
tms_c153+0x13e6d2 @ 0x53e6d2
tms_c153+0x13e693 @ 0x53e693
tms_c153+0x14ed85 @ 0x54ed85
tms_c153+0x1529c7 @ 0x5529c7
tms_c153+0x152cdd @ 0x552cdd
tms_c153+0x152e8e @ 0x552e8e
tms_c153+0x151cd0 @ 0x551cd0
tms_c153+0x151f0c @ 0x551f0c
tms_c153+0x151fec @ 0x551fec
tms_c153+0x154791 @ 0x554791
tms_c153+0x155361 @ 0x555361
tms_c153+0x157117 @ 0x557117
tms_c153+0x157420 @ 0x557420
tms_c153+0x1574ef @ 0x5574ef
tms_c153+0x4e503 @ 0x44e503
tms_c153+0x51450 @ 0x451450
tms_c153+0x8ebc9 @ 0x48ebc9
tms_c153+0x50fa4 @ 0x450fa4
tms_c153+0x5100f @ 0x45100f
tms_c153+0x51450 @ 0x451450
tms_c153+0x8ebc9 @ 0x48ebc9
tms_c153+0x4d014 @ 0x44d014
tms_c153+0x157b5c @ 0x557b5c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1636112
registers.edi: 1636300
registers.eax: 1636112
registers.ebp: 1636192
registers.edx: 0
registers.ebx: 5500636
registers.esi: 10061
registers.ecx: 7
status: 1
return: 0
repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
Resources

name: RT_ICON
language: LANG_CHINESE
sublanguage: SUBLANG_CHINESE_SIMPLIFIED
filetype: dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059
offset: 0x00180420
size: 0x000002e8

name: RT_GROUP_ICON
language: LANG_CHINESE
sublanguage: SUBLANG_CHINESE_SIMPLIFIED
filetype: data
offset: 0x001951d8
size: 0x00000014

name: RT_VERSION
language: LANG_CHINESE
sublanguage: SUBLANG_CHINESE_SIMPLIFIED
filetype: data
offset: 0x001951ec
size: 0x00000274
Antivirus results

Bkav: W32.AIDetectMalware
APEX: Malicious
MaxSecure: Trojan.Malware.300983.susgen