Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 19, 2025, 11:20 a.m.	Feb. 19, 2025, 11:24 a.m.

Size	354.5KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`e3a004b573f3b6a8e32a6cf74e63c9d2`
SHA256	`2b4a222f385c2367518a3c8d5794219af21376850133208b63c0914e89527e59`
CRC32	`9E924B2C`
ssdeep	`6144:NBdk28ScNZKfK66ATbNDUwAz2AZzCBP6J9xdy/6htW70+wTl/YAkKWS:Nn/cxNoU/cPQdX3dTl/YAF`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
20.74.209.192	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Feb. 19, 2025, 11:13 a.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 19, 2025, 11:13 a.m.	process_identifier: 1664 region_size: 397312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

description

bea.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 19, 2025, 11:13 a.m.	process_identifier: 1664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 344064 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000006b0000 process_handle: 0xffffffffffffffff	1	0	0

section

{u'size_of_data': u'0x00054400', u'virtual_address': u'0x00004000', u'entropy': 7.33348253496306, u'name': u'.data', u'virtual_size': u'0x000542c0'}

entropy

7.33348253496

description

A section with a high entropy has been found

entropy

0.953323903819

description

Overall entropy of this PE file is high

host

20.74.209.192

bea.exe