Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 21, 2025, 5:45 p.m.	April 21, 2025, 5:47 p.m.

Size	9.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1b34271296e7e6d92412af02442afc25`
SHA256	`ff6b10432009d2e9e201968fd0e79f471c1172ee1abbec8cc39b41ecf6db2a53`
CRC32	`84646A57`
ssdeep	`196608:sfU8hBymkp/BrwhblGCFqSKQXCWBFAUEIxnhZrYWURteeEPg5+zrf:8KZBrmBFqSQWPSIhCRgeE45irf`
PDB Path	C:\agent\_work\8\s\build\ship\x86\burn.pdb
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Malicious_Library_Zero - Malicious_Library CAB_file_format - CAB archive file IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file

hvof1h0.exe "C:\Users\test22\AppData\Local\Temp\hvof1h0.exe"
2560
- hvof1h0.exe "C:\Windows\Temp\{8AAC0582-87E2-4EE0-BDB2-D62C053E3C1E}\.cr\hvof1h0.exe" -burn.clean.room="C:\Users\test22\AppData\Local\Temp\hvof1h0.exe" -burn.filehandle.attached=200 -burn.filehandle.self=208
  2672

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2025, 5:45 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\agent\_work\8\s\build\ship\x86\burn.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2025, 5:45 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.wixburn

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2025, 5:45 p.m.	stacktrace: OnDetectSoftware-0x3ac73 entropy+0x5dbd @ 0x10005dbd OnResolveProps+0x271f3 entropy+0x67fa3 @ 0x10067fa3 OnResolveProps+0x16f5d entropy+0x57d0d @ 0x10057d0d OnResolveProps+0x16ebc entropy+0x57c6c @ 0x10057c6c OnResolveProps+0x170e4 entropy+0x57e94 @ 0x10057e94 OnResolveProps+0x171dd entropy+0x57f8d @ 0x10057f8d RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x76f49930 LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9 LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x76f4d76c LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a hvof1h0+0xd6e0 @ 0xa3d6e0 hvof1h0+0x47fe @ 0xa347fe hvof1h0+0x4c1c @ 0xa34c1c hvof1h0+0x548e @ 0xa3548e hvof1h0+0x1129 @ 0xa31129 hvof1h0+0x2e234 @ 0xa5e234 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2940852 registers.edi: 16 registers.eax: 1 registers.ebp: 2943952 registers.edx: 30000 registers.ebx: 60 registers.esi: 269021992 registers.ecx: 269241513	1	0	0
__exception__ April 21, 2025, 5:45 p.m.	stacktrace: LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 hvof1h0+0x34918 @ 0xa64918 hvof1h0+0x348ae @ 0xa648ae hvof1h0+0x34a53 @ 0xa64a53 hvof1h0+0x2e245 @ 0xa5e245 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x1005af33 registers.esp: 2946804 registers.edi: 3257204 registers.eax: 268807987 registers.ebp: 2946828 registers.edx: 3257756 registers.ebx: 2130567168 registers.esi: 7 registers.ecx: 269253588	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 21, 2025, 5:45 p.m.

stacktrace:

OnDetectSoftware-0x3ac73 entropy+0x5dbd @ 0x10005dbd
OnResolveProps+0x271f3 entropy+0x67fa3 @ 0x10067fa3
OnResolveProps+0x16f5d entropy+0x57d0d @ 0x10057d0d
OnResolveProps+0x16ebc entropy+0x57c6c @ 0x10057c6c
OnResolveProps+0x170e4 entropy+0x57e94 @ 0x10057e94
OnResolveProps+0x171dd entropy+0x57f8d @ 0x10057f8d
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x76f49930
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x76f4d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x76f4d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
hvof1h0+0xd6e0 @ 0xa3d6e0
hvof1h0+0x47fe @ 0xa347fe
hvof1h0+0x4c1c @ 0xa34c1c
hvof1h0+0x548e @ 0xa3548e
hvof1h0+0x1129 @ 0xa31129
hvof1h0+0x2e234 @ 0xa5e234
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 2940852
registers.edi: 16
registers.eax: 1
registers.ebp: 2943952
registers.edx: 30000
registers.ebx: 60
registers.esi: 269021992
registers.ecx: 269241513

__exception__

April 21, 2025, 5:45 p.m.

stacktrace:

LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
hvof1h0+0x34918 @ 0xa64918
hvof1h0+0x348ae @ 0xa648ae
hvof1h0+0x34a53 @ 0xa64a53
hvof1h0+0x2e245 @ 0xa5e245
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x1005af33
registers.esp: 2946804
registers.edi: 3257204
registers.eax: 268807987
registers.ebp: 2946828
registers.edx: 3257756
registers.ebx: 2130567168
registers.esi: 7
registers.ecx: 269253588

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 21, 2025, 5:45 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (9 events)

file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\wspconfig.dll
file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\Entropy.dll
file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\CC3260MT.dll
file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\StlpMt45.dll
file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\BorlndMm.dll
file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\Install.dll
file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\MindClient.dll
file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\Portal-Ech64.exe
file	C:\Windows\Temp\{8AAC0582-87E2-4EE0-BDB2-D62C053E3C1E}\.cr\hvof1h0.exe

Drops a binary and executes it (1 event)

file	C:\Windows\Temp\{8AAC0582-87E2-4EE0-BDB2-D62C053E3C1E}\.cr\hvof1h0.exe

Queries for potentially installed applications (3 events)

Time & API	Arguments	Return
RegOpenKeyExW April 21, 2025, 5:45 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}	2
RegOpenKeyExW April 21, 2025, 5:45 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}.RebootRequired base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}.RebootRequired	2
RegOpenKeyExW April 21, 2025, 5:45 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}	2

Deletes executed files from disk (1 event)

file	C:\Windows\Temp\{E7FE4EAB-B64F-40DA-AB00-7CDDB0AF7161}\.ba\Portal-Ech64.exe

hvof1h0.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All