Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 9, 2021, 1:55 p.m.	March 9, 2021, 1:55 p.m.

Size	847.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a48e04592a55cc70f2d5ac950cca7c3d`
SHA256	`7b834bf941634b8c0247695de58a41914db0ec3b4a6194955a8cd5d8fa3bc096`
CRC32	`B0478E3E`
ssdeep	`24576:/AHnh+eWsN3skA4RV1Hom2KXMmHaGmF5:ih+ZkldoPK8YaGE`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check AutoIt - www.autoitscript.com/site/autoit/ CryptGenKey_Zero - CryptGenKey Zero FindFirstVolume_Zero - FindFirstVolume Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call Process_Snapshot_Kill_Zero - Process Kill Zero PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero Device_Check_Zero - Device Check Zero

defender.exe "C:\Users\test22\AppData\Local\Temp\defender.exe"
2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 9, 2021, 1:55 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 9, 2021, 1:55 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 9, 2021, 1:55 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25 defender+0x232f4 @ 0x13f32f4 defender+0x23583 @ 0x13f3583 defender+0x235a7 @ 0x13f35a7 defender+0x27f9f @ 0x13f7f9f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x76713ef4 registers.esp: 7207132 registers.edi: 0 registers.eax: 20285840 registers.ebp: 7207160 registers.edx: 1 registers.ebx: 0 registers.esi: 10987864 registers.ecx: 1936930268	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 9, 2021, 1:55 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25
defender+0x232f4 @ 0x13f32f4
defender+0x23583 @ 0x13f3583
defender+0x235a7 @ 0x13f35a7
defender+0x27f9f @ 0x13f7f9f
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x76713ef4
registers.esp: 7207132
registers.edi: 0
registers.eax: 20285840
registers.ebp: 7207160
registers.edx: 1
registers.ebx: 0
registers.esi: 10987864
registers.ecx: 1936930268

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (45 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over Toredo network	rule	network_toredo
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.35178873
FireEye	Generic.mg.a48e04592a55cc70
ALYac	Trojan.GenericKD.35178873
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005735f11 )
Alibaba	Trojan:Win32/CoinMiner.dbcb5381
K7GW	Trojan ( 005735f11 )
Cybereason	malicious.92a55c
Arcabit	Trojan.Generic.D218C979
Cyren	W32/Trojan.DKTD-4856
Symantec	Trojan.Gen.MBT
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.35178873
NANO-Antivirus	Trojan.Win32.CoinMiner.icgwwt
Paloalto	generic.ml
Tencent	Win32.Trojan.Generic.Lmaw
Ad-Aware	Trojan.GenericKD.35178873
Sophos	Mal/Generic-S
Comodo	Malware@#114fhkxc684ga
F-Secure	Trojan.TR/Downloader.lwkjx
DrWeb	Trojan.DownLoader36.2445
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06BC0PKP20
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.ch
Emsisoft	Trojan.CoinMiner (A)
Webroot	W32.Trojan.Gen
Avira	TR/Downloader.lwkjx
eGambit	Unsafe.AI_Score_78%
MAX	malware (ai score=100)
Gridinsoft	Trojan.Win32.CoinMiner.oa
Microsoft	Trojan:Win32/Ymacco.AA7B
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.35178873
Cynet	Malicious (score: 90)
McAfee	RDN/Generic.tfr
VBA32	Trojan.Ymacco
Malwarebytes	Trojan.BitCoinMiner
ESET-NOD32	a variant of Win32/CoinMiner.CFC
TrendMicro-HouseCall	TROJ_GEN.R06BC0PKP20
Ikarus	AIT.Downloader
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/CoinMiner.CFC!tr
AVG	Win32:Trojan-gen
Qihoo-360	Win32/TrojanDownloader.Generic.HgIASOgA

defender.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All