Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 7, 2025, 2:12 p.m.	Feb. 7, 2025, 2:25 p.m.

Size	6.8MB
Type	PE32+ executable (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
MD5	`72ec64d0bc0b31f8842c9b5d488c11e7`
SHA256	`019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a`
CRC32	`8600385B`
ssdeep	`196608:v/urAt9I7l4UXW4AzZS4NQdQtmAbGRHjoec:v7Ea/4AkAQdsmA88ec`
PDB Path	D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) CAB_file_format - CAB archive file Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet ASPack_Zero - ASPack packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

ram.exe "C:\Users\test22\AppData\Local\Temp\ram.exe"
2540
- ram.exe "C:\Windows\TEMP\{E039CF43-5A4F-4EE7-A7B6-A922B7D60560}\.cr\ram.exe" -burn.clean.room="C:\Users\test22\AppData\Local\Temp\ram.exe" -burn.filehandle.attached=208 -burn.filehandle.self=204
  2652

No Suricata Alerts

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49165 91.108.241.156:6450	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	a4:a1:04:b9:d8:9e:94:ef:c4:9b:59:88:e0:15:d2:85:87:ca:2b:e9
TLS 1.2 192.168.56.101:49166 91.108.241.156:6450	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	a4:a1:04:b9:d8:9e:94:ef:c4:9b:59:88:e0:15:d2:85:87:ca:2b:e9
TLS 1.2 192.168.56.101:49167 91.108.241.156:6450	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	a4:a1:04:b9:d8:9e:94:ef:c4:9b:59:88:e0:15:d2:85:87:ca:2b:e9
TLS 1.2 192.168.56.101:49168 91.108.241.156:443	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.108.241.156: Self-signed certificate	60:1a:8a:4a:00:47:b8:2c:c4:4e:48:f7:cb:e5:ba:5c:fe:5d:b8:52

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 7, 2025, 2:05 p.m.			0	0

pdb_path

D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 7, 2025, 2:05 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 1890624 registers.r15: 0 registers.rcx: 30000 registers.rsi: 1992504976 registers.r10: 0 registers.rbx: 1992359936 registers.rsp: 1890536 registers.r11: 514 registers.r8: 1889816 registers.r9: 1889856 registers.rdx: 8796092887632 registers.r12: 1890768 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 1890656	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 7, 2025, 2:05 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

file	C:\Windows\Temp\{AC844AAF-71D0-4EEA-8CB7-885DD29CB5B7}\.ba\Serum.dll
file	C:\Windows\Temp\{AC844AAF-71D0-4EEA-8CB7-885DD29CB5B7}\.ba\libeay32.dll
file	C:\Windows\Temp\{AC844AAF-71D0-4EEA-8CB7-885DD29CB5B7}\.ba\profile.dll
file	C:\Windows\Temp\{AC844AAF-71D0-4EEA-8CB7-885DD29CB5B7}\.ba\WinX_DVD_Ripper_Platinum.exe
file	C:\Windows\Temp\{E039CF43-5A4F-4EE7-A7B6-A922B7D60560}\.cr\ram.exe

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Feb. 7, 2025, 2:05 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BDDE4DF6-07CC-437E-AF57-A5ECFE00935F} base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BDDE4DF6-07CC-437E-AF57-A5ECFE00935F}		2	0

host

91.108.241.156

file	C:\Windows\Temp\{E039CF43-5A4F-4EE7-A7B6-A922B7D60560}\.cr\ram.exe

Lionic	Trojan.Win32.Nekark.4!c
CAT-QuickHeal	Trojan.Ghanarava.17388875338c11e7
Skyhigh	BehavesLike.Win64.Ransom.vc
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
K7GW	Trojan-Downloader ( 005bfa841 )
K7AntiVirus	Trojan-Downloader ( 005bfa841 )
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Avast	FileRepMalware [Misc]
Kaspersky	Trojan.Win32.Penguish.drl
F-Secure	Trojan.TR/AD.Nekark.tbmsh
Zillya	Trojan.Penguish.Win32.680
McAfeeD	ti!019E368CDFE9
CTX	exe.trojan.nekark
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/AD.Nekark.tbmsh
Kingsoft	Win32.Trojan.Penguish.drl
Gridinsoft	Malware.Win64.Rhadamanthys.tr
Microsoft	Program:Win32/Wacapew.C!ml
GData	Win64.Trojan.Agent.9551H0
McAfee	Artemis!72EC64D0BC0B
Ikarus	Trojan-Downloader.Win32.Rugmi
huorong	HEUR:Trojan/HiJack.z
Fortinet	W32/NDAoF
AVG	FileRepMalware [Misc]
alibabacloud	Trojan[downloader]:Win/Rugmi.EM

ram.exe