Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 19, 2025, 11:21 a.m.	Feb. 19, 2025, 11:47 a.m.

Size	6.2MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`b8930ce311970e82b7b52dbfa4d81187`
SHA256	`4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88`
CRC32	`E3CCBE9A`
ssdeep	`49152:+U4K1Qy8nPDdZiBSFfscuj9ADJZlShhV7+pXLRB5TYAUhJSh7DUtiGlMlHDNuc6P:+NbrnrShj9AVYhgB5IJsnUw918Svlj`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.33.6.223	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Potentially malicious URLs were found in the process memory dump (4 events)

url	https://t.me/b4cha00
url	http://localhost
url	https://steamcommunity.com/profiles/76561199825403037
url	https://77.239.117.222:443

Yara rule detected in process memory (19 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

Communicates with host for which no DNS query was performed (1 event)

host

45.33.6.223

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1	0	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xc324048b process_handle: 0x00000118		3221225477	0

Manipulates memory of a non-child process indicative of process injection (9 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 manipulating memory of non-child process 2952
NtAllocateVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1	0	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0x00905a4d process_handle: 0x00000118		3221225477	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xc324048b process_handle: 0x00000118		3221225477	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0x240c8904 process_handle: 0x00000118		3221225477	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 4 (PAGE_READWRITE) base_address: 0x8b082444 process_handle: 0x00000118		3221225477	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0xb0058b00 process_handle: 0x00000118		3221225477	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0x24048900 process_handle: 0x00000118		3221225477	0
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 2 (PAGE_READONLY) base_address: 0xc1590ff2 process_handle: 0x00000118		3221225477	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2952
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4279515 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000108 process_identifier: 2952	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	https://77.239.117.222:443

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2952
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2952	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Feb. 19, 2025, 11:21 a.m.	ordinal: 0 function_address: 0x0018fe29 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.101:49170

Executed a process and injected code into it, probably while unpacking (50 out of 53 events)

Time & API	Arguments	Status	Return
NtGetContextThread Feb. 19, 2025, 11:21 a.m.	thread_handle: 0x000000f0	1	0
NtSetContextThread Feb. 19, 2025, 11:21 a.m.	registers.eip: 4609776 registers.esp: 181934796 registers.edi: 0 registers.eax: 0 registers.ebp: 30720 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f0 process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:21 a.m.	thread_handle: 0x000000f0 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:21 a.m.	thread_handle: 0x00000104	1	0
NtResumeThread Feb. 19, 2025, 11:21 a.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:21 a.m.	thread_handle: 0x00000104	1	0
NtResumeThread Feb. 19, 2025, 11:21 a.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW Feb. 19, 2025, 11:22 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Windows\Boot\PCAT\memtest.exe track: 0 command_line: filepath_r: C:\Windows\Boot\PCAT\memtest.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000		0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000108	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000108	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181935004 registers.edi: 0 registers.eax: 0 registers.ebp: 35113 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000108 process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181935052 registers.edi: 0 registers.eax: 0 registers.ebp: 88064 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181935052 registers.edi: 0 registers.eax: 0 registers.ebp: 188416 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181935052 registers.edi: 0 registers.eax: 0 registers.ebp: 267882 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181935052 registers.edi: 0 registers.eax: 0 registers.ebp: 301056 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181935052 registers.edi: 0 registers.eax: 0 registers.ebp: 313344 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x000000f0	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x000000f0 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x000000f0	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x000000f0 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x000000f0	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181934796 registers.edi: 0 registers.eax: 0 registers.ebp: 0 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f0 process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x000000f0 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000114	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 4609776 registers.esp: 181934844 registers.edi: 0 registers.eax: 0 registers.ebp: 145737 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000114 process_identifier: 2560	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000118	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000118 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW Feb. 19, 2025, 11:22 a.m.	thread_identifier: 2956 thread_handle: 0x00000108 process_identifier: 2952 current_directory: filepath: C:\Windows\Installer\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\ARPPRODUCTICON.exe track: 1 command_line: filepath_r: C:\Windows\Installer\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\ARPPRODUCTICON.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000118	1	1
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000011c	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x00000108	1	0
NtAllocateVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2952 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1	0
NtGetContextThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000011c	1	0
NtResumeThread Feb. 19, 2025, 11:22 a.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2560	1	0
NtSetContextThread Feb. 19, 2025, 11:22 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4279515 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000108 process_identifier: 2952	1	0

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All