Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 5, 2025, 1:32 a.m.	April 5, 2025, 1:35 a.m.

Size	206.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5610bd76aebbe70fdbd92d1908374d79`
SHA256	`236ccfdedb487ebc691dd8f9bd2c5c10f549fc90d323e7cfbda4953bd13649c3`
CRC32	`3650189B`
ssdeep	`3072:qMk+lJCG7Acqej690z4RlkoxU5MiUzyp0bj4Zl+Z9l3/8lF7+nN/tuGGQbWPJ:qu7lq1u474VUzypdrQWFiptmQK`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

Crack.exe "C:\Users\test22\AppData\Local\Temp\Crack.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 5, 2025, 1:32 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 5, 2025, 1:32 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 5, 2025, 1:32 a.m.	stacktrace: LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9 LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x76f4d76c LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x755c4a08 crack+0x1107 @ 0xfd1107 crack+0x1030 @ 0xfd1030 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 31 38 c4 exception.instruction: mov dword ptr [eax], ecx exception.exception_code: 0xc0000005 exception.symbol: load_patcher-0x13 dup2patcher+0x20f6 exception.address: 0x741a20f6 registers.esp: 3994176 registers.edi: 3994388 registers.eax: 0 registers.ebp: 3994212 registers.edx: 32 registers.ebx: 1 registers.esi: 3994200 registers.ecx: 3994352	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 5, 2025, 1:32 a.m.

stacktrace:

LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x76f4d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x755c4a08
crack+0x1107 @ 0xfd1107
crack+0x1030 @ 0xfd1030
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 31 38 c4
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: load_patcher-0x13 dup2patcher+0x20f6
exception.address: 0x741a20f6
registers.esp: 3994176
registers.edi: 3994388
registers.eax: 0
registers.ebp: 3994212
registers.edx: 32
registers.ebx: 1
registers.esi: 3994200
registers.ecx: 3994352

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 5, 2025, 1:32 a.m.	process_identifier: 2548 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 5, 2025, 1:32 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Crack.exe tried to sleep 352 seconds, actually delayed analysis time by 352 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\bassmod.dll
file	C:\Users\test22\AppData\Local\Temp\dup2patcher.dll
file	C:\Users\test22\AppData\Local\Temp\7CEB9B2A0E395BD64E74381485A106AF.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\7CEB9B2A0E395BD64E74381485A106AF.dll
file	C:\Users\test22\AppData\Local\Temp\bassmod.dll
file	C:\Users\test22\AppData\Local\Temp\dup2patcher.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00032e00', u'virtual_address': u'0x00004000', u'entropy': 7.8187846825210325, u'name': u'.rsrc', u'virtual_size': u'0x00032d9c'}

entropy

7.81878468252

description

A section with a high entropy has been found

entropy

0.990267639903

description

Overall entropy of this PE file is high

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Lionic	Hacktool.Win32.Agent.tpR4
Cynet	Malicious (score: 100)
CAT-QuickHeal	Riskware.Dupatcher.A4
Skyhigh	BehavesLike.Win32.FilePatcher.dc
ALYac	Application.Generic.3899159
Cylance	Unsafe
VIPRE	Application.Generic.3899159
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/grayware_confidence_100% (W)
BitDefender	Application.Generic.3899159
K7GW	Trojan ( 0040f3a51 )
K7AntiVirus	Trojan ( 0040f3a51 )
Arcabit	Application.Generic.D3B7F17
Baidu	Win32.Trojan.Generic.f
Symantec	SMG.Heur!gen
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/HackTool.Patcher.AD potentially unsafe
Avast	FileRepMalware [Misc]
SUPERAntiSpyware	Hack.Tool/Gen-Crack
MicroWorld-eScan	Application.Generic.3899159
Rising	HackTool.Patcher!1.B3BB (CLASSIC)
Emsisoft	Application.Generic.3899159 (B)
McAfeeD	Real Protect-LS!5610BD76AEBB
Trapmine	malicious.moderate.ml.score
CTX	exe.hacktool.patcher
Sophos	Generic Patcher (PUA)
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.5610bd76aebbe70f
Webroot	W32.Hacktool.Gen
Google	Detected
Antiy-AVL	HackTool/Win32.Patcher.ad
Kingsoft	Win32.HackTool.Keygen.v
Gridinsoft	Hack.Win32.Patcher.sa
Xcitium	Application.Win32.HackTool.Patcher.T@8rlo7s
Microsoft	HackTool:Win32/Keygen
ViRobot	Trojan.Win32.Agent.754688.B
GData	Win32.Riskware.Patcher.E
Varist	W32/Agent.EWQQ-1275
McAfee	FilePatcher
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	possible-Threat.Hacktool.Patcher
Panda	Trj/CI.A
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Riskware/GamePatcher
AVG	FileRepMalware [Misc]
Paloalto	generic.ml
alibabacloud	HackTool:Win/Patcher.AF

Crack.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All