Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 7, 2024, 1 p.m.	Nov. 7, 2024, 1:08 p.m.

Size	2.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`421700a2d6d8516013d87e04628d2802`
SHA256	`cc00a259ec4ebde015fe0fad59f369ae23def081caa787ad0652f7d6b2fe6de0`
CRC32	`3366C0AE`
ssdeep	`49152:XlnKF46Fm2gROSeQ146cDPM2vCVapdoqwicf1/y36sbwAE1JgZIEST+eLAq8Z7p3:Xld7wwgZRt7mUz`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

Xteam30.exe "C:\Users\test22\AppData\Local\Temp\Xteam30.exe"
2064
- csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2360

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 7, 2024, 1 p.m.			0	0
IsDebuggerPresent Nov. 7, 2024, 1 p.m.			0	0
IsDebuggerPresent Nov. 7, 2024, 1 p.m.			0	0
IsDebuggerPresent Nov. 7, 2024, 1 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 7, 2024, 1 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 98304 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00804000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00809000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 region_size: 100003840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02210000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00817000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 212992 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00823000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 180224 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 700416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 196608 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00856000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 167936 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 700416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00707000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Music\GifCamUpdater\GifCamOculus.exe

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x001c6000', u'virtual_address': u'0x0015c000', u'entropy': 7.579626163409081, u'name': u'.bss', u'virtual_size': u'0x001c6000'}

entropy

7.57962616341

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0013f200', u'virtual_address': u'0x00347000', u'entropy': 7.587877339014655, u'name': u'.rsrc', u'virtual_size': u'0x0013f11c'}

entropy

7.58787733901

description

A section with a high entropy has been found

entropy

0.687833629893

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 7fdb2d8a0f833b1e2cea8a9f8006d6f006a51180

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000e8	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor

reg_value

C:\Users\test22\Music\GifCamUpdater\GifCamOculus.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 7, 2024, 1 p.m.	buffer: / base_address: 0xfffde008 process_identifier: 2360 process_handle: 0x000000e8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2064 called NtSetContextThread to modify thread in remote process 2360
NtSetContextThread Nov. 7, 2024, 1 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 3755758 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e4 process_identifier: 2360	1	0	0

Executed a process and injected code into it, probably while unpacking (9 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 7, 2024, 1 p.m.	thread_identifier: 2364 thread_handle: 0x000000e4 process_identifier: 2360 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe stack_pivoted: 0 creation_flags: 2 (DEBUG_ONLY_THIS_PROCESS) inherit_handles: 0 process_handle: 0x000000e8	1	1
NtGetContextThread Nov. 7, 2024, 1 p.m.	thread_handle: 0x000000e4	1	0
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2360 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000e8	1	0
WriteProcessMemory Nov. 7, 2024, 1 p.m.	buffer: base_address: 0x002f0000 process_identifier: 2360 process_handle: 0x000000e8	1	1
WriteProcessMemory Nov. 7, 2024, 1 p.m.	buffer: / base_address: 0xfffde008 process_identifier: 2360 process_handle: 0x000000e8	1	1
NtSetContextThread Nov. 7, 2024, 1 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 3755758 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e4 process_identifier: 2360	1	0
NtResumeThread Nov. 7, 2024, 1 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2360	1	0
NtResumeThread Nov. 7, 2024, 1 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2360	1	0
NtResumeThread Nov. 7, 2024, 1 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2360	1	0

Xteam30.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All