Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 10, 2025, 4:12 p.m.	Feb. 10, 2025, 4:14 p.m.

Size	169.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`eeb081699fcfdc3e9b531990a0826587`
SHA256	`4bb178da0a560d36af39e243dda93fe45446907a00009210abd6ba1a036a600c`
CRC32	`EE43F3A0`
ssdeep	`3072:juOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEYnE/Fxg/lO2El5wJV8KGcqhrCTE:Tzx7ZApszolIo7lf/ipT/FhKGcqhr6`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format

bin2.exe "C:\Users\test22\AppData\Local\Temp\bin2.exe"
2564
- bin2Srv.exe C:\Users\test22\AppData\Local\Temp\bin2Srv.exe
  2616
  - DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    2672

Name	Response	Post-Analysis Lookup
anastaf4.beget.tech

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 9, 2025, 12:59 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Feb. 9, 2025, 12:59 p.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 9, 2025, 12:59 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	CODE
section	DATA
section	BSS
section	.rmnet

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 9, 2025, 12:59 p.m.	stacktrace: CheckElevationEnabled+0x4a7 BaseGenerateAppCompatData-0x152 kernel32+0x23605 @ 0x755d3605 CheckElevationEnabled+0x2a3 BaseGenerateAppCompatData-0x356 kernel32+0x23401 @ 0x755d3401 CheckElevationEnabled+0x190 BaseGenerateAppCompatData-0x469 kernel32+0x232ee @ 0x755d32ee CreateProcessInternalW+0xc65 BasepFreeAppCompatData-0x4d9 kernel32+0x24858 @ 0x755d4858 New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747 CreateProcessInternalA+0x123 SetConsoleMode-0x1a3 kernel32+0x2a5da @ 0x755da5da CreateProcessA+0x2c Sleep-0x61 kernel32+0x1109e @ 0x755c109e desktoplayer+0x13c0 @ 0x4013c0 desktoplayer+0x2cda @ 0x402cda RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfcf03d52 registers.esp: 1634936 registers.edi: 1635572 registers.eax: 1635008 registers.ebp: 1634968 registers.edx: 83 registers.ebx: 1636324 registers.esi: 1995636228 registers.ecx: 813689539	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Feb. 9, 2025, 12:59 p.m.

stacktrace:

CheckElevationEnabled+0x4a7 BaseGenerateAppCompatData-0x152 kernel32+0x23605 @ 0x755d3605
CheckElevationEnabled+0x2a3 BaseGenerateAppCompatData-0x356 kernel32+0x23401 @ 0x755d3401
CheckElevationEnabled+0x190 BaseGenerateAppCompatData-0x469 kernel32+0x232ee @ 0x755d32ee
CreateProcessInternalW+0xc65 BasepFreeAppCompatData-0x4d9 kernel32+0x24858 @ 0x755d4858
New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x736e7747
CreateProcessInternalA+0x123 SetConsoleMode-0x1a3 kernel32+0x2a5da @ 0x755da5da
CreateProcessA+0x2c Sleep-0x61 kernel32+0x1109e @ 0x755c109e
desktoplayer+0x13c0 @ 0x4013c0
desktoplayer+0x2cda @ 0x402cda
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfcf03d52
registers.esp: 1634936
registers.edi: 1635572
registers.eax: 1635008
registers.ebp: 1634968
registers.edx: 83
registers.ebx: 1636324
registers.esi: 1995636228
registers.ecx: 813689539

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2616 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2616 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 3758096448 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 3221225536 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 3758096448 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 3221225536 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 process_handle: 0xffffffff		3221225541
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f2f000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Feb. 9, 2025, 12:59 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\bin2Srv.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\bin2Srv.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000e200', u'virtual_address': u'0x00020000', u'entropy': 7.970903904846066, u'name': u'.rmnet', u'virtual_size': u'0x0000f000'}

entropy

7.97090390485

description

A section with a high entropy has been found

entropy

0.33630952381

description

Overall entropy of this PE file is high

Ramnit malware indicators found (1 event)

mutex

KyUffThOkYwRRtgPP

File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 events)

Lionic	Trojan.Win32.Lmir.laiL
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	W32.Ramnit.A
Skyhigh	BehavesLike.Win32.Ramnit.cc
ALYac	Trojan.PWS.ZNN
Cylance	Unsafe
VIPRE	Trojan.PWS.ZNN
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.PWS.ZNN
K7GW	Virus ( 002fe95d1 )
K7AntiVirus	Virus ( 002fe95d1 )
Arcabit	Trojan.PWS.ZNN
Baidu	Win32.Virus.Nimnul.a
VirIT	Win32.Pedalac.A
Symantec	W32.Ramnit!inf
Elastic	Windows.Trojan.Azorult
ESET-NOD32	Win32/Ramnit.A
APEX	Malicious
Avast	Win32:RmnDrp [Inf]
ClamAV	Win.Trojan.Ramnit-1847
Kaspersky	Virus.Win32.Nimnul.a
Alibaba	Virus:Win32/Ramnit.gen2
NANO-Antivirus	Virus.Win32.Ramnit.eslalb
MicroWorld-eScan	Trojan.PWS.ZNN
Rising	Stealer.AZORult!1.B7AE (CLASSIC)
Emsisoft	Trojan.PWS.ZNN (B)
F-Secure	Malware.W32/Ramnit.CD
DrWeb	Trojan.PWS.Stealer.26517
Zillya	Virus.Nimnul.Win32.1
TrendMicro	PE_RAMNIT.H
McAfeeD	Real Protect-LS!EEB081699FCF
Trapmine	malicious.high.ml.score
CTX	exe.virus.ramnit
Sophos	W32/Patched-I
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.eeb081699fcfdc3e
Jiangmin	Win32/PatchFile.et
Google	Detected
Avira	W32/Ramnit.CD
Antiy-AVL	Virus/Win32.Nimnul.a
Kingsoft	Win32.Ramnit.la.30720
Gridinsoft	Malware.Win32.Gen.bot!se58843
Xcitium	Virus.Win32.Ramnit.A@1xq65p
Microsoft	PWS:Win32/Delf.R!MTB
ViRobot	Win32.Ramnit.E
GData	Win32.Virus.Ramnit.C
Varist	W32/Ramnit.B!Generic
AhnLab-V3	Win32/Ramnit.B
McAfee	W32/Ramnit.q

bin2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All