Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 16, 2024, 5:36 p.m.	Oct. 16, 2024, 5:38 p.m.

Size	100.0KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`c9e30fa664bd602e6e77bf6c4280d3b6`
SHA256	`917b1a12f2c39533f5f132589bf7b0ec87e020fb623c4518e7d21629806d4148`
CRC32	`F537B1B3`
ssdeep	`1536:8R4WpCTbXoJAj+adM9uws/H6BSVX/dYdrdCgZzt68it/wIJ2NIJCQpxN:8RvpCTToJivMs/HZVvdy7id/p2NIYQ`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

resource name

SUSFLAG

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 16, 2024, 5:36 p.m.	process_identifier: 496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077710000 process_handle: 0xffffffffffffffff	1	0	0

section

{u'size_of_data': u'0x00011000', u'virtual_address': u'0x0000f000', u'entropy': 7.992057234988284, u'name': u'.rsrc', u'virtual_size': u'0x00010ec8'}

entropy

7.99205723499

description

A section with a high entropy has been found

entropy

0.686868686869

description

Overall entropy of this PE file is high

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 16, 2024, 5:36 p.m.	process_identifier: 800 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030		-1073741558	0
NtAllocateVirtualMemory Oct. 16, 2024, 5:36 p.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030		-1073741558	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 496 created a remote thread in non-child process 800
CreateRemoteThread Oct. 16, 2024, 5:36 p.m.	thread_identifier: 0 process_identifier: 800 function_address: 0x0000000000000030 flags: 0 stack_size: 0 parameter: 0x0000000000000000 process_handle: 0x0000000000000030		0	0

Time & API	Arguments	Return	Repeated
Process injection	Process 496 manipulating memory of non-child process 800
NtAllocateVirtualMemory Oct. 16, 2024, 5:36 p.m.	process_identifier: 800 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030	-1073741558	0
NtAllocateVirtualMemory Oct. 16, 2024, 5:36 p.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030	-1073741558	0

challenge_2.exe