Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 5, 2024, 3:38 p.m.	Sept. 5, 2024, 3:42 p.m.

Size	291.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1a679e0ccedfb2c3b8ebaf8d9b22f96a`
SHA256	`d16eb8da5c5ce99f1a2e38677eff8d2ae532cb1ad0eddf10a311583004675960`
CRC32	`3851E133`
ssdeep	`6144:VN3DB60MGC1DI9cV2Qb91CWIoZu2pLM8jOiF6yX8CszJ:n3DkEGDINi1E/2G8tAyLYJ`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Meeting.sfx.exe "C:\Users\test22\AppData\Local\Temp\Meeting.sfx.exe"
2680
- Meeting.exe "C:\Users\test22\AppData\Local\Temp\Meeting.exe"
  2844

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
89.197.154.115	Active	Moloch

No Suricata Alerts

No Suricata TLS

pdb_path

D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 5, 2024, 3:38 p.m.		1	1	0

section

.didat

resource name

PNG

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 5, 2024, 3:38 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:38 p.m.	process_identifier: 2680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:38 p.m.	process_identifier: 2844 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\Meeting.exe

file	C:\Users\test22\AppData\Local\Temp\Meeting.exe
file	C:\Users\test22\AppData\Local\Temp\word.png

file	C:\Users\test22\AppData\Local\Temp\Meeting.exe

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 5, 2024, 3:38 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef90000 process_handle: 0xffffffff	1	0	0

host

89.197.154.115

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Swrort.A
Skyhigh	BehavesLike.Win32.Swrort.dh
ALYac	Trojan.CryptZ.Marte.1.Gen
Cylance	Unsafe
VIPRE	Trojan.CryptZ.Marte.1.Gen
K7AntiVirus	Trojan ( 001172b51 )
BitDefender	Trojan.CryptZ.Marte.1.Gen
K7GW	Trojan ( 001172b51 )
Cybereason	malicious.ccedfb
Arcabit	Trojan.CryptZ.Marte.1.Gen
VirIT	Trojan.Win32.Rozena.AA
ESET-NOD32	a variant of Win32/Rozena.AA
McAfee	Swrort.i
Avast	Win32:Meterpreter-C [Trj]
ClamAV	Win.Trojan.Swrort-5710536-0
Kaspersky	UDS:Trojan.Win32.Generic
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
MicroWorld-eScan	Trojan.CryptZ.Marte.1.Gen
Rising	HackTool.Swrort!1.6477 (CLASSIC)
Emsisoft	Trojan.CryptZ.Marte.1.Gen (B)
F-Secure	Trojan.TR/Patched.Gen2
TrendMicro	Backdoor.Win32.COBEACON.SMJMAC
FireEye	Generic.mg.1a679e0ccedfb2c3
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Google	Detected
Avira	TR/Patched.Gen2
MAX	malware (ai score=89)
Antiy-AVL	GrayWare/Win32.Tampering.a
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.Swrort.zv!s2
Xcitium	TrojWare.Win32.Rozena.A@4jwdqr
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Win32.Trojan.PSE.10KKVZ1
Varist	W32/Swrort.A.gen!Eldorado
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36812.eq1@aOQAKqli
DeepInstinct	MALICIOUS
VBA32	TrojanSpy.Cordimik
Malwarebytes	Malware.AI.2033534945
Ikarus	Trojan.Win32.Swrort
TrendMicro-HouseCall	Backdoor.Win32.SWRORT.SMAL01
Tencent	Win32.Trojan.Generic.Rimw
Yandex	Trojan.Rosena.Gen.1
huorong	VirTool/Meterpreter.a
Fortinet	W32/Rozena.ABV!tr
AVG	Win32:Meterpreter-C [Trj]

Meeting.sfx.exe