Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 19, 2024, 2:10 p.m.	Aug. 19, 2024, 3:26 p.m.

Size	2.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`36c9de5666a5ef5b6f7a27f23538f5bb`
SHA256	`f83c587bc0fd405e5bc8264f3bff8cd7a5704b7116c35ea18b83a1866cb171bc`
CRC32	`73A1D5C5`
ssdeep	`49152:5xj6d2mHXpwXX5Eb6vCt5zPDC+HAFjjdjjA/YiY0Y0Y0Y0YI:5xjC2yZspEb6u53C+HAFjjdjjA/YiY0z`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

TMS_C009.exe "C:\Users\test22\AppData\Local\Temp\TMS_C009.exe"
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 19, 2024, 2:10 p.m.	stacktrace: tms_c009+0x1b9f78 @ 0x5b9f78 tms_c009+0x1b9ec6 @ 0x5b9ec6 tms_c009+0x1b9e87 @ 0x5b9e87 tms_c009+0x1cad75 @ 0x5cad75 tms_c009+0x1ce9bf @ 0x5ce9bf tms_c009+0x1cecd5 @ 0x5cecd5 tms_c009+0x1cee70 @ 0x5cee70 tms_c009+0x1cdce5 @ 0x5cdce5 tms_c009+0x1cdf24 @ 0x5cdf24 tms_c009+0x1ce004 @ 0x5ce004 tms_c009+0x1d0add @ 0x5d0add tms_c009+0x1d0974 @ 0x5d0974 tms_c009+0x1d4fb0 @ 0x5d4fb0 tms_c009+0x6ea27 @ 0x46ea27 tms_c009+0x56ac3 @ 0x456ac3 tms_c009+0x59a10 @ 0x459a10 tms_c009+0x1aa279 @ 0x5aa279 tms_c009+0x59564 @ 0x459564 tms_c009+0x595cf @ 0x4595cf tms_c009+0x59a10 @ 0x459a10 tms_c009+0x1aa279 @ 0x5aa279 tms_c009+0x555bc @ 0x4555bc tms_c009+0x1d8fd9 @ 0x5d8fd9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636200 registers.edi: 1636388 registers.eax: 1636200 registers.ebp: 1636280 registers.edx: 0 registers.ebx: 6007160 registers.esi: 10061 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 19, 2024, 2:10 p.m.

stacktrace:

tms_c009+0x1b9f78 @ 0x5b9f78
tms_c009+0x1b9ec6 @ 0x5b9ec6
tms_c009+0x1b9e87 @ 0x5b9e87
tms_c009+0x1cad75 @ 0x5cad75
tms_c009+0x1ce9bf @ 0x5ce9bf
tms_c009+0x1cecd5 @ 0x5cecd5
tms_c009+0x1cee70 @ 0x5cee70
tms_c009+0x1cdce5 @ 0x5cdce5
tms_c009+0x1cdf24 @ 0x5cdf24
tms_c009+0x1ce004 @ 0x5ce004
tms_c009+0x1d0add @ 0x5d0add
tms_c009+0x1d0974 @ 0x5d0974
tms_c009+0x1d4fb0 @ 0x5d4fb0
tms_c009+0x6ea27 @ 0x46ea27
tms_c009+0x56ac3 @ 0x456ac3
tms_c009+0x59a10 @ 0x459a10
tms_c009+0x1aa279 @ 0x5aa279
tms_c009+0x59564 @ 0x459564
tms_c009+0x595cf @ 0x4595cf
tms_c009+0x59a10 @ 0x459a10
tms_c009+0x1aa279 @ 0x5aa279
tms_c009+0x555bc @ 0x4555bc
tms_c009+0x1d8fd9 @ 0x5d8fd9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1636200
registers.edi: 1636388
registers.eax: 1636200
registers.ebp: 1636280
registers.edx: 0
registers.ebx: 6007160
registers.esi: 10061
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 19, 2024, 2:10 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 19, 2024, 2:10 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1717962257, next used block 12022528

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0020a468

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002a87ac

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002a87c0

size

0x00000274

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

ALYac	Gen:Variant.Midie.150932
VIPRE	Gen:Variant.Midie.150932
BitDefender	Gen:Variant.Midie.150932
Cybereason	malicious.666a5e
Arcabit	Trojan.Generic.D4614FE2
MicroWorld-eScan	Gen:Variant.Midie.150932
Emsisoft	Gen:Variant.Midie.150932 (B)
FireEye	Gen:Variant.Midie.150932
MAX	malware (ai score=85)
GData	Gen:Variant.Midie.150932

TMS_C009.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All